bug has got me!

[edcal]

here is what i have for u my friend


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:18 PM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\edcal.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://pavilion.buttonredirect.hp.com/2.0/chat/EN_US/index.html?VER=0&CYCLE=43&URL=http://www.hp.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'Default user')
O4 - S-1-5-18 Startup: AutoTBar.exe (User '?')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1189297494984
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://209.60.51.51/activex/AxisCamControl.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B2BE75F3-9197-11CF-ABF4-08000996E931} (Autodesk WHIP! Control) - http://www.kclcutsheets.com/KCLSearch/whip.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

--
End of file - 4900 bytes



ComboFix 07-12-21.4 - Administrator 2007-12-29 14:00:16.24 - NTFSx86

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\jmllm.ini
C:\WINDOWS\system32\jmllm.ini2
C:\WINDOWS\system32\mllmj.dll
.
---- Previous Run -------
.
C:\hp\KBD\KBD .EXE
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05 .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\eHome\ehtray .exe
C:\WINDOWS\KHALMNPR .EXE
C:\WINDOWS\Logi_MwX .Exe
C:\WINDOWS\pchealth\helpctr\Binaries\MSConfig .exe
C:\WINDOWS\pchealth\helpctr\Binaries\MSConfig .exe
C:\WINDOWS\pchealth\helpctr\Binaries\MSConfig .exe
C:\WINDOWS\SMINST\RECGUARD .EXE
C:\WINDOWS\system\hpsysdrv .exe
C:\WINDOWS\system32\jmllm.ini
C:\WINDOWS\system32\jmllm.ini2
C:\WINDOWS\system32\mllmj.dll
C:\WINDOWS\system32\mllmj.exe
C:\WINDOWS\system32\NeroCheck .exe
C:\WINDOWS\system32\ps2 .exe

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 )))))))))))))))))))))))))))))))
.

2007-12-29 13:31 . 2007-12-29 13:31 464 --a------ C:\WINDOWS\Shortcut (2) to pchealth.lnk
2007-12-29 13:21 . 2007-12-29 13:21 464 --a------ C:\WINDOWS\Shortcut to pchealth.lnk
2007-12-29 12:47 . 2007-12-29 14:02 341,504 --a------ C:\WINDOWS\system32\mllmj.exe
2007-12-29 12:47 . 2007-12-29 13:13 94,208 --a------ C:\WINDOWS\KHALMNPR .EXE
2007-12-29 09:11 . 2007-12-29 09:11 341,504 --a------ C:\WINDOWS\system32\RCXC.tmp
2007-12-28 13:29 . 2007-12-28 13:29 341,504 --a------ C:\WINDOWS\system32\RCX25.tmp
2007-12-28 08:03 . 2007-12-28 08:03 341,504 --a------ C:\WINDOWS\system32\RCX26.tmp
2007-12-28 07:35 . 2007-12-28 07:35 341,504 --a------ C:\WINDOWS\system32\RCX5B.tmp
2007-12-27 15:05 . 2007-12-27 15:05 341,504 --a------ C:\WINDOWS\system32\RCX5A.tmp
2007-12-26 16:59 . 2007-12-26 16:59 341,504 --a------ C:\WINDOWS\system32\RCX4D.tmp
2007-12-26 16:53 . 2007-12-26 16:53 341,504 --a------ C:\WINDOWS\system32\RCX4C.tmp
2007-12-26 16:49 . 2007-12-26 16:49 341,504 --a------ C:\WINDOWS\system32\RCX4B.tmp
2007-12-26 16:07 . 2007-12-26 16:07 341,504 --a------ C:\WINDOWS\system32\RCX49.tmp
2007-12-26 14:44 . 2007-12-26 14:44 341,504 --a------ C:\WINDOWS\system32\RCX42.tmp
2007-12-25 14:30 . 2007-12-25 14:30 827,392 --a------ C:\WINDOWS\system32\FLASH.OCX
2007-12-23 11:01 . 2007-12-23 11:00 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-23 11:00 . 2007-12-23 11:02 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-12-23 10:30 . 2007-12-23 18:24 181 --a------ C:\WINDOWS\system\hpsysdrv .DAT
2007-12-09 11:17 . 2007-12-09 12:22 <DIR> d-------- C:\DVD code
2007-12-08 13:02 . 2007-12-08 13:02 6,656 --ahs---- C:\WINDOWS\Thumbs.db
2007-12-03 16:14 . 2007-12-03 16:14 17,408 --a------ C:\conseco1203.xls

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 17:08 --------- d-----w C:\Program Files\QuickTime
2007-12-26 18:52 --------- d-----w C:\Program Files\Trend Micro
2007-12-23 22:05 437,248 ----a-w C:\WINDOWS\KHALMNPR.EXE
2007-12-23 22:05 363,008 ----a-w C:\WINDOWS\Logi_MwX.Exe
2007-12-23 22:05 358,912 ----a-w C:\WINDOWS\CTHELPER.EXE
2007-12-21 19:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-21 12:14 --------- d-----w C:\Program Files\Microsoft Money
2007-12-19 19:01 --------- d-----w C:\Program Files\DVDFab HD Decrypter 4
2007-11-18 22:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-18 22:17 --------- d-----w C:\Program Files\Activision
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 22:06 --------- d-----w C:\Program Files\Electronic Arts
2007-09-12 12:22 22,328 ----a-w C:\Documents and Settings\Administrator\Application Data\PnkBstrK.sys
2007-08-06 19:58 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-25_11.25.30.06 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-07-09 16:50:42 155,648 ----a-w C:\WINDOWS\system32\NeroCheck.exe
+ 2007-12-28 18:33:37 498,176 ----a-w C:\WINDOWS\system32\NeroCheck.exe
- 2007-12-24 19:25:22 424,448 ----a-w C:\WINDOWS\system32\ps2.exe
+ 2007-12-29 17:08:27 424,448 ----a-w C:\WINDOWS\system32\ps2.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2005-12-08 10:51 C:\WINDOWS\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^IMStart.lnk]
backup=C:\WINDOWS\pss\IMStart.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
c:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-04 01:56 50176 --a------ C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2007-12-28 13:33 585728 --a------ C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-12-28 13:33 392704 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
2007-12-28 13:33 391680 --a------ c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
2007-12-29 14:02 341504 --a------ C:\WINDOWS\system32\mllmj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE REBOOT

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-09-16 17:41 1961984 --------- C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-12-28 13:33 498176 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-12-28 13:33 379392 --a------ C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"Wmi"=3 (0x3)
"WMDM PMSP Service"=2 (0x2)
"WMConnectCDS"=3 (0x3)
"winmgmt"=2 (0x2)
"WinDefend"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=3 (0x3)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"SimpTcp"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"Schedule"=2 (0x2)
"SamSs"=2 (0x2)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"PnkBstrB"=3 (0x3)
"PnkBstrA"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"PlugPlay"=2 (0x2)
"NVSvc"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Netman"=3 (0x3)
"MSIServer"=3 (0x3)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"helpsvc"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"ehSched"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"DcomLaunch"=2 (0x2)
"CryptSvc"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"CiSvc"=3 (0x3)
"BITS"=3 (0x3)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"ALG"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"RecordNow!"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" -atboottime
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" -hide
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE


.
Contents of the 'Scheduled Tasks' folder
"2007-12-29 18:12:59 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-12-21 15:29:48 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-29 14:05:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-29 14:06:50 - machine was rebooted [Administrator]
C:\ComboFix2.txt ... 2007-12-28 14:19
C:\ComboFix3.txt ... 2007-12-25 14:22

Ran on Sat 12/29/2007 - 14:13:21.26

----a-w           145,408 2007-12-29 19:09:15  C:\Documents and Settings\Administrator\Desktop\msconfig_xpsp1\msconfig .exe
----a-w            94,208 2007-12-29 18:13:03  C:\WINDOWS\KHALMNPR .EXE

 Entries:                2  (2)
 Directories:            0  Files:             2
 Bytes:            239,616  Blocks:          468

 

[Shaba]

Hi

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\mllmj.exe
C:\WINDOWS\KHALMNPR .EXE
C:\WINDOWS\system32\RCXC.tmp
C:\WINDOWS\system32\RCX25.tmp
C:\WINDOWS\system32\RCX26.tmp
C:\WINDOWS\system32\RCX5B.tmp
C:\WINDOWS\system32\RCX5A.tmp
C:\WINDOWS\system32\RCX4D.tmp
C:\WINDOWS\system32\RCX4C.tmp
C:\WINDOWS\system32\RCX4B.tmp
C:\WINDOWS\system32\RCX49.tmp
C:\WINDOWS\system32\RCX42.tmp
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\system32\ps2.exe
C:\Documents and Settings\Administrator\Desktop\msconfig_xpsp1\msconfig .exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\CTHELPER.EXE

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Re-run RenV

Post:

- a fresh HijackThis log
- RenV log
- combofix report

 

[edcal]

I am working on it but now I have to reboot to diagnostic mode and reboot again because it defaults to selective and I have to change it to diagnostic again and reboot then run combofix then reboot to diagnostic to retain desktop.....I appreciate your patience

eddie

 

[Shaba]

Hi

That's ok, take your time.

Problem is that also msconfig gets infected.

If this doesn't work, we need other methods.

 

[edcal]

FYI..... I have found that if you open msconfig on reboot to see where it is set,,, it hangs combofix I have to remember to check don't open msconfig on the reboot......this is a trip......I have a new a new and the utmost respect for U "guys" now........my goodness what you have to go thru for us.........

 

[edcal]

hope this helps


ComboFix 07-12-21.4 - Administrator 2007-12-29 15:01:59.26 - NTFSx86

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

FILE
C:\Documents and Settings\Administrator\Desktop\msconfig_xpsp1\msconfig .exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\KHALMNPR .EXE
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\mllmj.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\RCX25.tmp
C:\WINDOWS\system32\RCX26.tmp
C:\WINDOWS\system32\RCX42.tmp
C:\WINDOWS\system32\RCX49.tmp
C:\WINDOWS\system32\RCX4B.tmp
C:\WINDOWS\system32\RCX4C.tmp
C:\WINDOWS\system32\RCX4D.tmp
C:\WINDOWS\system32\RCX5A.tmp
C:\WINDOWS\system32\RCX5B.tmp
C:\WINDOWS\system32\RCXC.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\msconfig_xpsp1\msconfig .exe
C:\WINDOWS\system32\jmllm.ini
C:\WINDOWS\system32\jmllm.ini2
C:\WINDOWS\system32\mllmj.dll
C:\WINDOWS\system32\mllmj.exe
.
---- Previous Run -------
.
C:\Documents and Settings\Administrator\Desktop\msconfig_xpsp1\msconfig .exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\KHALMNPR .EXE
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\jmllm.ini
C:\WINDOWS\system32\jmllm.ini2
C:\WINDOWS\system32\mllmj.dll
C:\WINDOWS\system32\mllmj.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\RCX25.tmp
C:\WINDOWS\system32\RCX26.tmp
C:\WINDOWS\system32\RCX42.tmp
C:\WINDOWS\system32\RCX49.tmp
C:\WINDOWS\system32\RCX4B.tmp
C:\WINDOWS\system32\RCX4C.tmp
C:\WINDOWS\system32\RCX4D.tmp
C:\WINDOWS\system32\RCX5A.tmp
C:\WINDOWS\system32\RCX5B.tmp
C:\WINDOWS\system32\RCXC.tmp

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 )))))))))))))))))))))))))))))))
.

2007-12-29 14:58 . 2007-12-29 14:58 341,504 --a------ C:\WINDOWS\system32\RCX1.tmp
2007-12-29 13:31 . 2007-12-29 13:31 464 --a------ C:\WINDOWS\Shortcut (2) to pchealth.lnk
2007-12-29 13:21 . 2007-12-29 13:21 464 --a------ C:\WINDOWS\Shortcut to pchealth.lnk
2007-12-25 14:30 . 2007-12-25 14:30 827,392 --a------ C:\WINDOWS\system32\FLASH.OCX
2007-12-23 11:01 . 2007-12-23 11:00 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-23 11:00 . 2007-12-23 11:02 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-12-23 10:30 . 2007-12-23 18:24 181 --a------ C:\WINDOWS\system\hpsysdrv .DAT
2007-12-09 11:17 . 2007-12-09 12:22 <DIR> d-------- C:\DVD code
2007-12-08 13:02 . 2007-12-08 13:02 6,656 --ahs---- C:\WINDOWS\Thumbs.db
2007-12-03 16:14 . 2007-12-03 16:14 17,408 --a------ C:\conseco1203.xls

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 17:08 --------- d-----w C:\Program Files\QuickTime
2007-12-26 18:52 --------- d-----w C:\Program Files\Trend Micro
2007-12-23 22:05 437,248 ----a-w C:\WINDOWS\KHALMNPR.EXE
2007-12-21 19:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-21 12:14 --------- d-----w C:\Program Files\Microsoft Money
2007-12-19 19:01 --------- d-----w C:\Program Files\DVDFab HD Decrypter 4
2007-11-18 22:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-18 22:17 --------- d-----w C:\Program Files\Activision
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 22:06 --------- d-----w C:\Program Files\Electronic Arts
2007-09-12 12:22 22,328 ----a-w C:\Documents and Settings\Administrator\Application Data\PnkBstrK.sys
2007-08-06 19:58 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2005-12-08 10:51 C:\WINDOWS\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^IMStart.lnk]
backup=C:\WINDOWS\pss\IMStart.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
c:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-04 01:56 50176 --a------ C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2007-12-29 14:31 585728 --a------ C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-12-29 14:31 392704 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
2007-12-29 14:31 391680 --a------ c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\mllmj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
C:\Documents and Settings\Administrator\Desktop\msconfig_xpsp1\msconfig .exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE REBOOT

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-09-16 17:41 1961984 --------- C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-12-29 14:31 379392 --a------ C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"Wmi"=3 (0x3)
"WMDM PMSP Service"=2 (0x2)
"WMConnectCDS"=3 (0x3)
"winmgmt"=2 (0x2)
"WinDefend"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=3 (0x3)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"SimpTcp"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"Schedule"=2 (0x2)
"SamSs"=2 (0x2)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"PnkBstrB"=3 (0x3)
"PnkBstrA"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"PlugPlay"=2 (0x2)
"NVSvc"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Netman"=3 (0x3)
"MSIServer"=3 (0x3)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"helpsvc"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"ehSched"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"DcomLaunch"=2 (0x2)
"CryptSvc"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"CiSvc"=3 (0x3)
"BITS"=3 (0x3)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"ALG"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"RecordNow!"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" -atboottime
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" -hide
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE


.
Contents of the 'Scheduled Tasks' folder
"2007-12-29 19:11:22 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-12-21 15:29:48 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-29 15:08:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-29 15:09:40 - machine was rebooted [Administrator]
C:\ComboFix2.txt ... 2007-12-29 14:06
C:\ComboFix3.txt ... 2007-12-28 14:19



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:11:15 PM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\edcal.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://pavilion.buttonredirect.hp.com/2.0/chat/EN_US/index.html?VER=0&CYCLE=43&URL=http://www.hp.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'Default user')
O4 - S-1-5-18 Startup: AutoTBar.exe (User '?')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1189297494984
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://209.60.51.51/activex/AxisCamControl.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B2BE75F3-9197-11CF-ABF4-08000996E931} (Autodesk WHIP! Control) - http://www.kclcutsheets.com/KCLSearch/whip.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

--
End of file - 4900 bytes

Ran on Sat 12/29/2007 - 15:11:49.60

 Entries:                0  (0)
 Directories:            0  Files:             0
 Bytes:                  0  Blocks:            0

 

[Shaba]

Hi

Yes it helps

We are now pretty close, I think. But after kaspersky scan we are much wiser.

Delete this:

C:\WINDOWS\system32\RCX1.tmp

Empty Recycle Bin.

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then start to download the latest definition files.
• Once the scanner is installed and the definitions downloaded, click Next.
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
  
  o Scan using the following Anti-Virus database:
  
  + Extended (If available otherwise Standard)
  
  o Scan Options:
  
  + Scan Archives
  + Scan Mail Bases
  
• Click OK
• Now under select a target to scan select My Computer
• The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button
• Save the file to your desktop.
• Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only!

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report

 

[edcal]

this may be a dumb question at this point....but is there a way to enable usb support for my flash drive in diagnostic mode....up to this point I have been rebooting the infected pc to diagnostic mode, running combo, rebooting again after it's own reboot so I have a desktop again and I have a report and then rebooting again to normal so I can get the info to you using a flash drive to another pc......

eddie

 

[Shaba]

Hi

Sorry, but I don't know that thing.

 

[edcal]

hi

pc has frozen....... report completed but stalled trying to save the kas report after 2 hrs of compiling....if I reboot do you think the report will be there..after 15 min the hourglass is still on screen

 

[edcal]

got it

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:53 PM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\edcal.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://pavilion.buttonredirect.hp.com/2.0/chat/EN_US/index.html?VER=0&CYCLE=43&URL=http://www.hp.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F3 - REG:win.ini: load=C:\WINDOWS\system32\mllmj.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {19070691-76C3-4A1E-8669-3800636D008A} - C:\WINDOWS\system32\mllmj.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'Default user')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1189297494984
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://209.60.51.51/activex/AxisCamControl.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B2BE75F3-9197-11CF-ABF4-08000996E931} (Autodesk WHIP! Control) - http://www.kclcutsheets.com/KCLSearch/whip.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)

--
End of file - 7690 bytes



too long next post..........kas

 

[edcal]

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, December 29, 2007 6:35:04 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/12/2007
Kaspersky Anti-Virus database records: 500065
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 90657
Number of viruses found: 10
Number of infected objects: 66
Number of suspicious objects: 0
Duration of the scan process: 02:03:36

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Desktop\msconfig_xpsp1\msconfig.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX11.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX14.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX8.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCXB.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCXE.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl.zip/winable.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl3.zip/wininstall.exe Infected: Trojan.Win32.Agent.crf skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip/Yazzle1552OinAdmin.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\hp\KBD\KBD.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Common Files\Real\Update_OB\realsched.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Messenger\msmsgs.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Documents and Settings\Administrator\Desktop\msconfig_xpsp1\msconfig .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\ISM\ism.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\qoobox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\qoobox\Quarantine\C\Program Files\QdrModule\QdrModule11.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\QdrPack\QdrPack11.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\SMANTE~1\fast .exe.vir Infected: Trojan-Downloader.Win32.PurityScan.fe skipped
C:\qoobox\Quarantine\C\Program Files\SMANTE~1\fast.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\WINDOWS\b122.exe.vir Infected: Trojan-Downloader.Win32.Agent.erf skipped
C:\qoobox\Quarantine\C\WINDOWS\CTHELPER.EXE.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\WINDOWS\Logi_MwX.Exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\WINDOWS\mrofinu72.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\WINDOWS\pchealth\helpctr\Binaries\MSConfig .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\jkpche.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gl skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\mllmj.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\NeroCheck.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ps2.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\RCX25.tmp.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\RCX26.tmp.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\RCX42.tmp.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\RCX49.tmp.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\RCX4B.tmp.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\RCX4C.tmp.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\RCX4D.tmp.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\RCX5A.tmp.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\RCX5B.tmp.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\RCXC.tmp.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\SSEMBL~1\msconfig.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
C:\qoobox\Quarantine\catchme2007-12-23_141950.03.zip/opnkihi.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clz skipped
C:\qoobox\Quarantine\catchme2007-12-23_141950.03.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{705F393B-7BA4-487A-8373-6B62B26D1958}\RP1\A0000003.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{705F393B-7BA4-487A-8373-6B62B26D1958}\RP1\A0000007.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{705F393B-7BA4-487A-8373-6B62B26D1958}\RP1\A0000008.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{705F393B-7BA4-487A-8373-6B62B26D1958}\RP1\A0000010.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{705F393B-7BA4-487A-8373-6B62B26D1958}\RP1\A0000012.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{705F393B-7BA4-487A-8373-6B62B26D1958}\RP1\A0000015.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{705F393B-7BA4-487A-8373-6B62B26D1958}\RP1\A0000018.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{705F393B-7BA4-487A-8373-6B62B26D1958}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\eHome\ehtray.exe.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\KHALMNPR.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SMINST\RECGUARD.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\mllmj.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\RCX16.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\RCX18.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

 

[Shaba]

Hi

You have been re-infected. Problem is with msconfig usage. If you have to use it every time, I'm afraid that we won't get you clean as msconfig is infected and will get re-infected as long as there is one infected startup left.

One option might be to use trial version of KAV antivirus (it deletes what it finds); we try that next if no success with this.

Delete your copy of ComboFix

After that:

Download combofix from any of these links and save it to Desktop:

Link 1
Link 2
Link 3

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Documents and Settings\Administrator\Desktop\msconfig_xpsp1\msconfig.exe
C:\hp\KBD\KBD.EXE 
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe 
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe 
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe 
C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe 
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe 
C:\Program Files\Messenger\msmsgs.exe 
C:\Program Files\QuickTime\qttask.exe 
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX11.tmp 
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX14.tmp 
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX8.tmp 
C:\Documents and Settings\Administrator\Local Settings\Temp\RCXB.tmp 
C:\Documents and Settings\Administrator\Local Settings\Temp\RCXE.tmp 
C:\WINDOWS\eHome\ehtray.exe.tmp 
C:\WINDOWS\KHALMNPR.EXE 
C:\WINDOWS\SMINST\RECGUARD.EXE 
C:\WINDOWS\system32\mllmj.exe 
C:\WINDOWS\system32\RCX16.tmp 
C:\WINDOWS\system32\RCX18.tmp 
C:\WINDOWS\system32\mllmj.dll

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Re-run RenV.

Post:

- a fresh HijackThis log
- RenV log
- combofix report

 

[edcal]

good news I think PC finally finished in normal mode. Results:

ComboFix 07-12-30.1 - Administrator 2007-12-30 8:01:11.28 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1686 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Administrator\Desktop\msconfig_xpsp1\msconfig.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX11.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX14.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX8.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\RCXB.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\RCXE.tmp
C:\hp\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\eHome\ehtray.exe.tmp
C:\WINDOWS\KHALMNPR.EXE
C:\WINDOWS\SMINST\RECGUARD.EXE
C:\WINDOWS\system32\mllmj.dll
C:\WINDOWS\system32\mllmj.exe
C:\WINDOWS\system32\RCX16.tmp
C:\WINDOWS\system32\RCX18.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\msconfig_xpsp1\msconfig.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX11.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX14.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX8.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\RCXB.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\RCXE.tmp
C:\hp\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\eHome\ehtray.exe.tmp
C:\WINDOWS\KHALMNPR.EXE
C:\WINDOWS\SMINST\RECGUARD.EXE
C:\WINDOWS\system32\jmllm.ini
C:\WINDOWS\system32\jmllm.ini2
C:\WINDOWS\system32\mllmj.dll
C:\WINDOWS\system32\mllmj.exe
C:\WINDOWS\system32\RCX16.tmp
C:\WINDOWS\system32\RCX18.tmp

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-30 )))))))))))))))))))))))))))))))
.

2007-12-30 07:55 . 2007-12-30 07:55 341,504 --a------ C:\WINDOWS\system32\RCX1F.tmp
2007-12-29 19:04 . 2007-12-29 19:04 341,504 --a------ C:\WINDOWS\system32\RCX1C.tmp
2007-12-29 18:56 . 2007-12-29 18:56 341,504 --a------ C:\WINDOWS\system32\RCX1B.tmp
2007-12-29 18:52 . 2007-12-29 18:52 341,504 --a------ C:\WINDOWS\system32\RCX17.tmp
2007-12-29 16:01 . 2007-12-29 16:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-29 16:01 . 2007-12-29 16:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-29 15:14 . 2007-12-30 07:55 94,208 --a------ C:\WINDOWS\KHALMNPR .EXE
2007-12-29 13:31 . 2007-12-29 13:31 464 --a------ C:\WINDOWS\Shortcut (2) to pchealth.lnk
2007-12-29 13:21 . 2007-12-29 13:21 464 --a------ C:\WINDOWS\Shortcut to pchealth.lnk
2007-12-25 14:30 . 2007-12-25 14:30 827,392 --a------ C:\WINDOWS\system32\FLASH.OCX
2007-12-23 11:01 . 2007-12-23 11:00 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-23 11:00 . 2007-12-23 11:02 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-12-23 10:30 . 2007-12-23 18:24 181 --a------ C:\WINDOWS\system\hpsysdrv .DAT
2007-12-09 11:17 . 2007-12-09 12:22 <DIR> d-------- C:\DVD code
2007-12-08 13:02 . 2007-12-08 13:02 6,656 --ahs---- C:\WINDOWS\Thumbs.db
2007-12-03 16:14 . 2007-12-03 16:14 17,408 --a------ C:\conseco1203.xls
2007-11-21 21:37 . 2007-12-05 15:09 <DIR> d-------- C:\MainMovie
2007-11-21 21:33 . 2007-12-19 14:01 <DIR> d-------- C:\Program Files\DVDFab HD Decrypter 4
2007-11-12 17:06 . 2007-11-12 17:06 <DIR> d-------- C:\Program Files\Electronic Arts
2007-11-12 17:06 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-11-12 17:04 . 2007-11-12 17:04 <DIR> d-------- C:\nfs pro street
2007-11-02 16:50 . 2007-07-09 08:16 582,656 --a--c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-30 13:03 --------- d-----w C:\Program Files\QuickTime
2007-12-26 18:52 --------- d-----w C:\Program Files\Trend Micro
2007-12-21 19:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-21 12:14 --------- d-----w C:\Program Files\Microsoft Money
2007-11-18 22:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-18 22:17 --------- d-----w C:\Program Files\Activision
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-09-12 12:22 22,328 ----a-w C:\Documents and Settings\Administrator\Application Data\PnkBstrK.sys
2007-08-06 19:58 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-25_11.25.30.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-30 12:55:26 50,176 ----a-w C:\WINDOWS\eHome\ehtray .exe
- 2007-03-13 15:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2000-08-31 13:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-12-14 02:26:50 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 13:00:00 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-05-03 13:21 C:\WINDOWS\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2007-06-28 23:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 01:56 C:\WINDOWS\system32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 01:56 C:\WINDOWS\system32\rundll32.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" []
"NAV CfgWiz"="c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe" []
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-04 01:56]
"CTHelper"="CTHELPER.EXE" [2007-04-09 11:32 C:\WINDOWS\system32\CtHelper.exe]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"AlcWzrd"="ALCWZRD.EXE" [2004-05-03 15:23 C:\WINDOWS\ALCWZRD.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2005-12-08 10:51 C:\WINDOWS\MIDIDEF.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-11]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^IMStart.lnk]
backup=C:\WINDOWS\pss\IMStart.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-09-16 17:41 1961984 --------- C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"RecordNow!"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" -atboottime
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" -hide
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE

R2 CX23880;Conexant 23880 Video Capture;C:\WINDOWS\system32\drivers\cx88vid.sys [2004-04-07 02:44]
R2 CX88ENC;Conexant 2388x MPEG Encoder;C:\WINDOWS\system32\drivers\cx88enc.sys [2004-04-07 02:44]
R2 CXTUNE;Conexant 2388x Tuner;C:\WINDOWS\system32\drivers\CX88TUNE.sys [2004-04-07 02:44]
R2 ViCAM;ViCAM;C:\WINDOWS\system32\drivers\ViCAM.sys [1999-10-12 05:04]
R3 CXAVXBAR;Conexant Cx2388x Crossbar Dual Input ;C:\WINDOWS\system32\drivers\cxavxbar.sys [2004-04-07 02:43]
S3 2WIREPCP;2Wire USB;C:\WINDOWS\system32\DRIVERS\2WirePCP.sys [2003-10-09 12:15]
S3 VICAMUSB;3Com HomeConnect USB Camera;C:\WINDOWS\system32\drivers\vicamusb.sys [1999-10-12 12:23]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-30 13:06:52 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-12-21 15:29:48 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-30 08:07:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-30 8:08:11 - machine was rebooted
C:\qoobox\ComboFix-quarantined-files.txt 2007-12-30 13:08:03
C:\qoobox\ComboFix2.txt 2007-12-29 20:44:08
C:\qoobox\ComboFix3.txt 2007-12-29 19:06:51
C:\qoobox\ComboFix4.txt 2007-12-28 19:19:56



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:41 AM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\edcal.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://pavilion.buttonredirect.hp.com/2.0/chat/EN_US/index.html?VER=0&CYCLE=43&URL=http://www.hp.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'Default user')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1189297494984
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://209.60.51.51/activex/AxisCamControl.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B2BE75F3-9197-11CF-ABF4-08000996E931} (Autodesk WHIP! Control) - http://www.kclcutsheets.com/KCLSearch/whip.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)

--
End of file - 6887 bytes

continued in next post..............

 

[edcal]

Ran on Sun 12/30/2007 -  8:10:18.00

----a-w           145,408 2007-12-29 20:52:28  C:\Documents and Settings\Administrator\Desktop\msconfig_xpsp1\msconfig .exe
----a-w           151,597 2007-12-30 12:55:20  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            49,152 2007-12-30 12:55:24  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w           241,664 2007-12-30 12:55:25  C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
----a-w            49,152 2007-12-30 00:04:36  C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05 .exe
----a-w            36,975 2007-12-30 12:55:19  C:\Program Files\Java\jre1.5.0_02\bin\jusched .exe
----a-w         1,694,208 2007-12-30 12:55:31  C:\Program Files\Messenger\msmsgs .exe
----a-w            94,208 2007-12-30 12:55:21  C:\WINDOWS\KHALMNPR .EXE
----a-w            50,176 2007-12-30 12:55:26  C:\WINDOWS\eHome\ehtray .exe

 Entries:                9  (9)
 Directories:            0  Files:             9
 Bytes:          2,512,540  Blocks:        4,909

 

[Shaba]

Hi

Yes that is good news

Try also not to use msconfig if possible.

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Documents and Settings\Administrator\Desktop\msconfig_xpsp1\msconfig .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe  
C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05 .exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched .exe
C:\Program Files\Messenger\msmsgs .exe
C:\WINDOWS\KHALMNPR .EXE
C:\WINDOWS\eHome\ehtray .exe
C:\WINDOWS\system32\RCX1F.tmp
C:\WINDOWS\system32\RCX1C.tmp
C:\WINDOWS\system32\RCX1B.tmp
C:\WINDOWS\system32\RCX17.tmp

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Re-run RenV.

Post:

- a fresh HijackThis log
- RenV log
- combofix report

 

[edcal]

I am not needing to use msconfig since combo fix is completing in normal mode.....
results:

ComboFix 07-12-30.1 - Administrator 2007-12-30 8:38:42.29 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1689 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Administrator\Desktop\msconfig_xpsp1\msconfig .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05 .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched .exe
C:\Program Files\Messenger\msmsgs .exe
C:\WINDOWS\eHome\ehtray .exe
C:\WINDOWS\KHALMNPR .EXE
C:\WINDOWS\system32\RCX17.tmp
C:\WINDOWS\system32\RCX1B.tmp
C:\WINDOWS\system32\RCX1C.tmp
C:\WINDOWS\system32\RCX1F.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\msconfig_xpsp1\msconfig .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05 .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched .exe
C:\Program Files\Messenger\msmsgs .exe
C:\WINDOWS\eHome\ehtray .exe
C:\WINDOWS\KHALMNPR .EXE
C:\WINDOWS\system32\RCX17.tmp
C:\WINDOWS\system32\RCX1B.tmp
C:\WINDOWS\system32\RCX1C.tmp
C:\WINDOWS\system32\RCX1F.tmp

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-30 )))))))))))))))))))))))))))))))
.

2007-12-29 16:01 . 2007-12-29 16:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-29 16:01 . 2007-12-29 16:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-29 13:31 . 2007-12-29 13:31 464 --a------ C:\WINDOWS\Shortcut (2) to pchealth.lnk
2007-12-29 13:21 . 2007-12-29 13:21 464 --a------ C:\WINDOWS\Shortcut to pchealth.lnk
2007-12-25 14:30 . 2007-12-25 14:30 827,392 --a------ C:\WINDOWS\system32\FLASH.OCX
2007-12-23 11:01 . 2007-12-23 11:00 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-23 11:00 . 2007-12-23 11:02 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-12-23 10:30 . 2007-12-23 18:24 181 --a------ C:\WINDOWS\system\hpsysdrv .DAT
2007-12-09 11:17 . 2007-12-09 12:22 <DIR> d-------- C:\DVD code
2007-12-08 13:02 . 2007-12-08 13:02 6,656 --ahs---- C:\WINDOWS\Thumbs.db
2007-12-03 16:14 . 2007-12-03 16:14 17,408 --a------ C:\conseco1203.xls
2007-11-21 21:37 . 2007-12-05 15:09 <DIR> d-------- C:\MainMovie
2007-11-21 21:33 . 2007-12-19 14:01 <DIR> d-------- C:\Program Files\DVDFab HD Decrypter 4
2007-11-12 17:06 . 2007-11-12 17:06 <DIR> d-------- C:\Program Files\Electronic Arts
2007-11-12 17:06 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-11-12 17:04 . 2007-11-12 17:04 <DIR> d-------- C:\nfs pro street
2007-11-02 16:50 . 2007-07-09 08:16 582,656 --a--c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-30 13:03 --------- d-----w C:\Program Files\QuickTime
2007-12-26 18:52 --------- d-----w C:\Program Files\Trend Micro
2007-12-21 19:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-21 12:14 --------- d-----w C:\Program Files\Microsoft Money
2007-11-18 22:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-18 22:17 --------- d-----w C:\Program Files\Activision
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-09-12 12:22 22,328 ----a-w C:\Documents and Settings\Administrator\Application Data\PnkBstrK.sys
2007-09-12 12:21 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-09-12 12:21 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-08-06 19:58 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-25_11.25.30.06 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-03-13 15:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2000-08-31 13:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-12-14 02:26:50 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 13:00:00 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-05-03 13:21 C:\WINDOWS\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2007-06-28 23:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 01:56 C:\WINDOWS\system32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 01:56 C:\WINDOWS\system32\rundll32.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" []
"NAV CfgWiz"="c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe" []
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-04 01:56]
"CTHelper"="CTHELPER.EXE" [2007-04-09 11:32 C:\WINDOWS\system32\CtHelper.exe]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"AlcWzrd"="ALCWZRD.EXE" [2004-05-03 15:23 C:\WINDOWS\ALCWZRD.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2005-12-08 10:51 C:\WINDOWS\MIDIDEF.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-11]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^IMStart.lnk]
backup=C:\WINDOWS\pss\IMStart.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-09-16 17:41 1961984 --------- C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"RecordNow!"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" -atboottime
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" -hide
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE

R2 CX23880;Conexant 23880 Video Capture;C:\WINDOWS\system32\drivers\cx88vid.sys [2004-04-07 02:44]
R2 CX88ENC;Conexant 2388x MPEG Encoder;C:\WINDOWS\system32\drivers\cx88enc.sys [2004-04-07 02:44]
R2 CXTUNE;Conexant 2388x Tuner;C:\WINDOWS\system32\drivers\CX88TUNE.sys [2004-04-07 02:44]
R2 ViCAM;ViCAM;C:\WINDOWS\system32\drivers\ViCAM.sys [1999-10-12 05:04]
R3 CXAVXBAR;Conexant Cx2388x Crossbar Dual Input ;C:\WINDOWS\system32\drivers\cxavxbar.sys [2004-04-07 02:43]
S3 2WIREPCP;2Wire USB;C:\WINDOWS\system32\DRIVERS\2WirePCP.sys [2003-10-09 12:15]
S3 VICAMUSB;3Com HomeConnect USB Camera;C:\WINDOWS\system32\drivers\vicamusb.sys [1999-10-12 12:23]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-30 13:06:52 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-12-21 15:29:48 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-30 08:39:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-30 8:40:11
C:\qoobox\ComboFix-quarantined-files.txt 2007-12-30 13:40:00
C:\qoobox\ComboFix2.txt 2007-12-30 13:08:11
C:\qoobox\ComboFix3.txt 2007-12-29 20:44:08
C:\qoobox\ComboFix4.txt 2007-12-29 19:06:51
C:\qoobox\ComboFix5.txt 2007-12-28 19:19:56

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:51 AM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\edcal.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://pavilion.buttonredirect.hp.com/2.0/chat/EN_US/index.html?VER=0&CYCLE=43&URL=http://www.hp.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'Default user')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1189297494984
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://209.60.51.51/activex/AxisCamControl.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B2BE75F3-9197-11CF-ABF4-08000996E931} (Autodesk WHIP! Control) - http://www.kclcutsheets.com/KCLSearch/whip.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)

--
End of file - 6887 bytes

Ran on Sun 12/30/2007 -  8:41:20.12

 Entries:                0  (0)
 Directories:            0  Files:             0
 Bytes:                  0  Blocks:            0

 

[Shaba]

Hi

Looks very good

First install one antivirus from below (or if you have some purchased antivirus in CD/DVD you can use it, too):

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

After that:

Re-scan with kaspersky.

Re-run RenV.

Post:

- a fresh HijackThis log
- kaspersky report
- RenV log

 

[edcal]

with regards to msconfig, I use this to stop some programs from loading because I dont use the that often. Is this still ok to use? I will, more than likely, only have to be there once to do this...

 

[Shaba]

Hi

You can use it after you're clean (and you have a clean copy of msconfig), if you like to, yes.