Cannnot remove Smitfraud-C. and ldcore.dll

Status
Not open for further replies.
A

AcornWW

New member
Hi,

Like many others lately, I have been hit with Smitfraud-C. I have read "before you post" and am submitting the requested files. Thanks for your help!!!!

A) HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:31:46 PM, on 12/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\WINDOWS\io43mvuiw4kj.exe
C:\windows\system32\dwdsrngt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\Cool\X_cool.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Spruce\X_Spruce.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/1me10enus/2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wildboards.wildtangent.com/R...okup/Decoder.aspx?g=bounce&dp=hpdesktop&l=HSP
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [vf9] C:\WINDOWS\System32\vf9485.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [{DF-FB-B9-92-ZN}] C:\windows\system32\dwdsrngt.exe CHD001
O4 - HKLM\..\Run: [20ddfb3d] rundll32.exe "C:\WINDOWS\system32\rxbdhejo.dll",b
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3"
O4 - HKLM\..\RunOnce: [0003 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0004 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Cool - Auto Update.lnk = C:\Program Files\Cool\cool.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 11143 bytes
 
Here is the Kaspersky log

B) Kaspersky log

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, December 05, 2007 1:19:46 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/12/2007
Kaspersky Anti-Virus database records: 473200
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
K:\
L:\
M:\
N:\
Y:\
Z:\

Scan Statistics:
Total number of scanned objects: 115384
Number of viruses found: 10
Number of infected objects: 30
Number of suspicious objects: 0
Duration of the scan process: 02:29:01

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{200808D8-B47D-44A9-9E1A-E1B76C992502}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{ECB4C6D2-577B-4B93-8260-27FBFC96701E}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR14.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Microsoft\Outlook\outcmd.dat Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory\hppusg.exe.fd0c032d.ini.inuse Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini.inuse Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9825.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9826.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9827.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9828.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9829.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9830.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9831.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9832.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9833.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9834.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9835.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9836.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9837.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9839.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9840.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache9841.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\newtb1handler.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\proxystop-tblauncher.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Setup195.exe Infected: Trojan-Clicker.Win32.VB.vx skipped
C:\Documents and Settings\Owner\Local Settings\Temp\sqlite_B5gHkGRJxGULpYn Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\sqlite_Gk8hydWOYNzIpre Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\stany.exe Infected: Trojan-Dropper.Win32.Agent.chq skipped
C:\Documents and Settings\Owner\Local Settings\Temp\T0CHD001_c.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ac skipped
C:\Documents and Settings\Owner\Local Settings\Temp\tblauncher.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\toolbox_healer9838.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\wr-1-77.exe Infected: Trojan-Downloader.Win32.Small.gwf skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF2CE3.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFDC75.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CBV7IWT9\ActsOfHorrorforMovies_440X330[1].flv Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IR7WRVQR\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\K3TAKH2N\dq[1].exe Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Planit\Cabware\Cpframe\Jobs\J07096A.JOB Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\RECYCLER\S-1-5-21-1991115530-3100966346-1740230189-1003\Dc1287.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1357\A0083111.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1357\A0083137.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1358\A0083218.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1359\A0083297.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1359\A0083356.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1361\A0083529.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1363\A0083603.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1363\A0083618.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1364\A0083703.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1364\A0083716.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1364\A0083738.exe Object is locked skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1364\A0083742.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1364\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\df87173.exe Infected: Trojan-Clicker.Win32.VB.vx skipped
C:\WINDOWS\hg173.exe Infected: Trojan-Clicker.Win32.VB.vx skipped
C:\WINDOWS\io43mvuiw4kj.exe Infected: Trojan-Clicker.Win32.VB.vx skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{15BCC3FE-C9D2-480F-B447-630661BB3284}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\byxwwwv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\cmd.ftp Infected: Trojan-Downloader.BAT.Ftp.r skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dwdsrngt.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ac skipped
C:\WINDOWS\system32\dwdsrngt.exe-up.txt Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\krdsrngk.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ac skipped
C:\WINDOWS\system32\ldcore.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\WINDOWS\system32\ldcore.dll_tobedeleted_old Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\WINDOWS\system32\ocbjpwjf.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ag skipped
C:\WINDOWS\system32\opnljii.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\WINDOWS\system32\rxbdhejo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\WINDOWS\system32\umtrfgps.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.af skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_fo8l33uivfttJMG Object is locked skipped
C:\WINDOWS\Temp\mcmsc_3Oli85Fs4iHMMLW Object is locked skipped
C:\WINDOWS\Temp\mcmsc_42vcPA6rtE7CzDE Object is locked skipped
C:\WINDOWS\Temp\mcmsc_5fLYySVMyUl4Yuf Object is locked skipped
C:\WINDOWS\Temp\mcmsc_AuSYYEIZD03CZiC Object is locked skipped
C:\WINDOWS\Temp\sqlite_2rUKvKfO8jRIecR Object is locked skipped
C:\WINDOWS\Temp\sqlite_esIeeBWlSxUy9E4 Object is locked skipped
C:\WINDOWS\Temp\sqlite_yq7eDN7gttqChoJ Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I will try to help you but I want you to know you have a very infected computer and it looks like this includes a Vundo infection.
You have a Vundo infection which can be hard to remove. This will take some time and unless you are patient, understand how to follow directions and are comfortable working on your computer, you may want to seek local professional help. If you wish to proceed, read and follow the directions carefully.

1) Stay offline when you are not troubleshooting, the junk will download more.

2) See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2\ <<< likely why you are infected!

3) You have this trojan also: ldcore.dll
http://www.sophos.com/security/analyses/trojdloadraqg.html

4) Do you know what these are?
C:\Program Files\Cool\X_cool.exe
C:\Program Files\Spruce\X_Spruce.exe

5) Thanks to Atribune and any others who helped with this fix.

http://vundofix.atribune.org/ <<< tutorial

"Download VundoFix" to your Desktop

http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt run on reboot, simply follow the above instructions starting from "Click
the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\

(wait until you finish to post reports and logs)

6) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here or Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the Vundofix.txt, combofix log and a new HJT log.

Thanks
 
Cannot download the vundofix files....

Hi,

First of all, thank you so very much for your help/guidance.

1) I will stay off the PC for all on-essentials. I can follow directions.

2) I removed my old Java and reinstalled the new Java per your link

3)

4) I do not know what these are either......

5) I cannot access the vundofix link you gave me. I continue to get an error page with suggested search links to try. Do you have another link so I can download and run vundofix.exe?

6) Combofix is downloaded to my desktop, but I will wait to run until after I run vundofix.

Thanks, John
 
Requested logs attached -1

1) Ran Vudofix V6.5.10 by Atribune. No problems found. No log created

2) New ComboFix Log

ComboFix 07-12-02.6 - Owner 2007-12-11 9:48:25.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.67 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\g2mdlhlpx.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ta_start.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\fhkmp.ini
C:\WINDOWS\system32\fhkmp.ini2
C:\WINDOWS\system32\fkirhowx.ini
C:\WINDOWS\system32\hywgxpqs.dll
C:\WINDOWS\system32\jmjpkjiw.dll
C:\WINDOWS\system32\kgwvnanw.dll
C:\WINDOWS\system32\ldcore.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmkhf.dll
C:\WINDOWS\system32\rgepgqxp.dll
C:\WINDOWS\system32\umtrfgps.dll
C:\WINDOWS\system32\wtdaoank.dll
C:\WINDOWS\system32\xwohrikf.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
.

2007-12-11 10:01 . 2007-12-11 10:02 <DIR> d-------- C:\Program Files\Spruce
2007-12-11 09:28 . 2007-12-11 09:28 <DIR> d-------- C:\VundoFix Backups
2007-12-11 08:48 . 2007-12-11 08:48 <DIR> d-------- C:\Program Files\Sun
2007-12-11 08:48 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-11 08:20 . 2007-12-11 08:20 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-10 10:37 . 2007-12-10 10:37 74,304 --a------ C:\WINDOWS\system32\pgqpjguu.exe
2007-12-10 07:34 . 2007-12-10 07:35 1,315,863 --ahs---- C:\WINDOWS\system32\amjhdcar.ini
2007-12-10 07:31 . 2007-12-10 07:31 74,304 --a------ C:\WINDOWS\system32\sjeubnpb.exe
2007-12-07 07:43 . 2007-12-09 07:44 1,315,803 --ahs---- C:\WINDOWS\system32\kosqjuqh.ini
2007-12-07 07:37 . 2007-12-07 07:37 74,304 --a------ C:\WINDOWS\system32\ctafwrgr.exe
2007-12-06 07:42 . 2007-12-06 16:14 1,315,743 --ahs---- C:\WINDOWS\system32\augyqqmw.ini
2007-12-05 10:15 . 2007-12-05 10:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-05 10:15 . 2007-12-05 10:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-05 07:36 . 2007-12-06 07:33 1,318,705 --ahs---- C:\WINDOWS\system32\ojehdbxr.ini
2007-12-04 15:24 . 2003-10-10 23:19 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-04 15:24 . 2003-10-13 23:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-04 15:24 . 2003-10-10 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-04 15:24 . 2003-10-10 23:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2007-12-04 15:24 . 2003-10-13 23:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2007-12-04 15:20 . 2007-12-04 15:20 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-04 13:49 . 2007-12-04 13:49 63 --a------ C:\WINDOWS\mdm.ini
2007-12-04 13:17 . 2007-12-05 07:33 816,724 --ahs---- C:\WINDOWS\system32\antslmid.ini
2007-12-03 16:06 . 2007-12-03 16:07 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-12-03 16:02 . 2007-12-03 16:02 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-12-03 07:41 . 2007-12-04 13:11 827,724 --ahs---- C:\WINDOWS\system32\uapnffpt.ini
2007-12-03 07:41 . 2007-12-03 07:41 73,280 --a------ C:\WINDOWS\system32\ocbjpwjf.dll
2007-12-03 07:33 . 2007-12-03 07:33 793,820 --ahs---- C:\WINDOWS\system32\ptolrjme.tmp
2007-11-30 14:14 . 2007-11-30 14:14 106,527 --a------ C:\WINDOWS\system32\krdsrngk.exe
2007-11-30 12:48 . 2007-11-30 14:46 793,820 --ahs---- C:\WINDOWS\system32\ptolrjme.ini
2007-11-30 10:01 . 2007-11-30 10:01 <DIR> d-------- C:\WINDOWS\system32\daSgo06
2007-11-29 14:41 . 2007-08-20 04:04 6,058,496 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-29 14:41 . 2007-04-17 03:32 2,455,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-29 14:41 . 2007-03-07 23:10 991,232 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-29 14:41 . 2007-08-20 04:04 459,264 --a--c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-29 14:41 . 2007-08-20 04:04 383,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-29 14:41 . 2007-08-20 04:04 267,776 --a--c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-29 14:41 . 2007-08-20 04:04 63,488 --a--c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-29 14:41 . 2007-08-20 04:04 52,224 --a--c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-29 14:41 . 2007-08-17 04:20 13,824 --a--c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-29 14:33 . 2007-11-29 14:34 <DIR> d-------- C:\57f6375070a0c43864d847d3025c7ccd
2007-11-29 11:45 . 2007-12-10 10:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-29 11:38 . 2007-11-29 11:41 <DIR> d-------- C:\Program Files\Cool
2007-11-29 11:38 . 2007-11-29 11:38 37,376 --a------ C:\WINDOWS\system32\opnljii.dll
2007-11-29 11:37 . 2007-12-11 10:00 7,713 --a------ C:\WINDOWS\system32\ldcore.dll
2007-11-29 11:36 . 2007-11-29 11:36 <DIR> d-------- C:\WINDOWS\system32\daSgo02
2007-11-29 11:36 . 2007-11-29 11:36 <DIR> d-------- C:\Temp\bkR11
2007-11-29 11:36 . 2007-11-29 11:36 37,376 --a------ C:\WINDOWS\system32\byxwwwv.dll
2007-11-21 14:06 . 2006-10-04 08:06 764,868 --a--c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2007-11-21 14:06 . 2006-10-04 08:06 217,118 --a--c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2007-11-21 14:05 . 2007-11-21 14:05 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-11-21 14:03 . 2007-11-21 14:03 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-21 14:03 . 2007-11-21 14:04 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-11-21 14:03 . 2007-11-21 14:04 <DIR> d-------- C:\70c677fd719e930ec8
2007-11-21 14:02 . 2007-11-21 14:03 <DIR> d-------- C:\fc66d72d2b72b8ddbd81ebcfe9
2007-11-16 11:20 . 2007-11-16 11:20 208,896 --a------ C:\WINDOWS\io43mvuiw4kj.exe
2007-11-13 14:52 . 2004-08-20 07:02 102,400 --a------ C:\WINDOWS\system32\PMLJNI.dll
2007-11-13 14:52 . 2003-06-16 15:52 74,752 --a------ C:\WINDOWS\system32\jst.dll
2007-11-13 14:52 . 2004-05-10 14:11 40,960 --a------ C:\WINDOWS\system32\d4channel.dll
2007-11-13 14:52 . 2003-06-20 11:21 36,864 --a------ C:\WINDOWS\system32\hpbmmjno.dll
2007-11-13 14:52 . 2005-02-03 11:31 32,768 --a------ C:\WINDOWS\system32\compJNI.dll
2007-11-13 14:46 . 2001-08-17 13:53 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2007-11-13 14:46 . 2001-08-17 13:53 6,784 --a--c--- C:\WINDOWS\system32\dllcache\serscan.sys
2007-11-13 14:41 . 2007-11-13 14:40 53,628 --------- C:\WINDOWS\hppins01.dat.temp
2007-11-13 14:41 . 2005-04-08 10:52 2,392 --------- C:\WINDOWS\hppmdl01.dat.temp
2007-11-13 14:40 . 2007-11-13 15:06 53,975 --a------ C:\WINDOWS\hppins01.dat
2007-11-13 14:40 . 2005-04-08 10:52 2,392 --------- C:\WINDOWS\hppmdl01.dat
2007-11-13 09:00 . 2005-04-08 11:58 212,992 -ra------ C:\WINDOWS\system32\hptcpmui.dll
2007-11-13 09:00 . 2005-04-08 11:58 110,592 -ra------ C:\WINDOWS\system32\hptcpmon.dll
2007-11-13 09:00 . 2005-04-08 11:58 73,728 -ra------ C:\WINDOWS\system32\hptcpmib.dll
2007-11-13 09:00 . 2005-04-08 11:58 28,672 -ra------ C:\WINDOWS\system32\hpzjfw01.dll
2007-11-13 09:00 . 2005-04-08 11:58 9,864 -ra------ C:\WINDOWS\system32\hptcpmui.hlp
2007-11-13 09:00 . 2005-04-08 11:58 9,820 -ra------ C:\WINDOWS\system32\hpipxmui.hlp
2007-11-13 09:00 . 2005-04-08 11:58 3,399 -ra------ C:\WINDOWS\system32\hptcpmon.ini
2007-11-13 09:00 . 2007-11-13 14:46 291 --a------ C:\WINDOWS\system32\AddPort.ini
2007-11-13 08:59 . 2007-11-13 14:46 707 --a------ C:\WINDOWS\hpntwksetup.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 15:39 --------- d-----w C:\Program Files\McAfee
2007-12-11 14:48 --------- d-----w C:\Program Files\Java
2007-12-06 18:21 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2007-11-24 09:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2007-11-14 06:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-11-13 20:53 --------- d--h--w C:\Program Files\Zero G Registry
2007-11-13 20:53 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-13 20:50 --------- d-----w C:\Program Files\HP
2007-10-17 21:32 --------- d-----w C:\Program Files\Interbank FX Trader 4
2007-09-12 18:52 53,248 ----a-w C:\WINDOWS\hg173.exe
2007-09-12 18:50 53,248 ----a-w C:\WINDOWS\df87173.exe
2006-02-24 17:57 3,167,744 ----a-w C:\Documents and Settings\Owner\gosetup.exe
2006-01-12 16:33 563,712 ----a-w C:\Documents and Settings\Owner\370_gotomypc.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54DE7259-C729-45B1-BBD8-4BE9B5BD8248}]
2007-11-29 10:28 401408 --a------ C:\Program Files\Spruce\Spruce.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C2A9795-B130-4622-B036-BDCAD28602DC}]
2007-11-12 11:50 397312 --a------ C:\Program Files\Cool\Cool.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}]
2007-11-29 11:36 37376 --a------ C:\WINDOWS\system32\byxwwwv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"NVIEW"="nview.dll" [2003-08-19 03:56 C:\WINDOWS\system32\nview.dll]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" []
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" []
"vf9"="C:\WINDOWS\System32\vf9485.exe" []
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 09:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-24 07:22]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 20:11]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 22:42]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-07-23 17:37]
"LTMSG"="LTMSG.exe" [2003-07-14 18:52 C:\WINDOWS\ltmsg.exe]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 15:55]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 03:55]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 15:51]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 08:23]
"AutoTKit"="C:\hp\bin\AUTOTKIT.EXE" [2003-06-18 20:19]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 13:54]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 15:44]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2006-07-24 14:28]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 15:24]
"HPUsageTracking"="C:\Program Files\HP\HP UT\bin\hppusg.exe" [2005-02-07 11:10]
"io43mvuiw4kj"="C:\WINDOWS\io43mvuiw4kj.exe" [2007-11-16 11:20]
"{DF-FB-B9-92-ZN}"="C:\windows\system32\dwdsrngt.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-11-12 10:57]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3"="C:\WINDOWS\command.com /c rmdir C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3" []
"0003 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"="C:\WINDOWS\command.com /c rmdir C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center" []
"0004 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"="C:\WINDOWS\command.com /c rmdir C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center" []
"0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3"="C:\WINDOWS\command.com /c rmdir C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3" []

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Cool - Auto Update.lnk - C:\Program Files\Cool\cool.exe [2007-11-29 11:38:20]
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSub.exe [2003-10-13 23:24:52]
Spruce - Auto Update.lnk - C:\Program Files\Spruce\Spruce.exe [2007-12-11 10:00:22]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 14:05:56]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2002-06-20 12:21:32]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-06-10 02:09:14]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-10-10 23:26:40]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}"= C:\WINDOWS\system32\byxwwwv.dll [2007-11-29 11:36 37376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwwwv]
byxwwwv.dll 2007-11-29 11:36 37376 C:\WINDOWS\system32\byxwwwv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= c:\windows\system32\ldcore.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AloPar.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Parallel Arbitrator]
@="Driver Group"

S2 0243271197387638mcinstcleanup;McAfee Application Installer Cleanup (0243271197387638);C:\WINDOWS\TEMP\024327~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys
S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys
S3 HPPLSBULK;HPPLSBULK;C:\WINDOWS\system32\drivers\hpplsbulk.sys
S4 AloPar;AloPar;\??\C:\WINDOWS\System32\Drivers\AloPar.sys

*Newly Created Service* - 0243271197387638MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder
"2007-12-11 15:47:17 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-11-15 07:07:50 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-11-01 06:00:38 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 10:01:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-11 10:05:11 - machine was rebooted
.
--- E O F ---
 
Requested logs attached - 2

3) New HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:03 AM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\io43mvuiw4kj.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\WINDOWS\io43mvuiw4kj.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\Cool\X_cool.exe
C:\Program Files\Spruce\X_Spruce.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wildboards.wildtangent.com/R...okup/Decoder.aspx?g=bounce&dp=hpdesktop&l=HSP
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [vf9] C:\WINDOWS\System32\vf9485.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [{DF-FB-B9-92-ZN}] C:\windows\system32\dwdsrngt.exe CHD001
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3"
O4 - HKLM\..\RunOnce: [0003 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0004 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Cool - Auto Update.lnk = C:\Program Files\Cool\cool.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: McAfee Application Installer Cleanup (0243271197387638) (0243271197387638mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\024327~1.EXE (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 11182 bytes


Thanks again, Phil.

John
 
Should I run the logs again?

Phil,

I downloaded Vundofix.exe from another webiste because I was not able to access the Atribune links you provided. I now realize that this was not the most recent version of Vundofix. It is V6.5.10. I now have access, for one reason or another, to the Atribune.org link. Should I run the scans again and resubmit the logs using Vundofix V6.7.0.0 ?

John
 
I apologize, I don't know how you got that version? The version I just downloaded to my Desktop to check it, is version 6.7.0.
This version is updated for the new Vundo which you appear to have. Please delete the version you have and download it again from here.

http://www.atribune.org/public-beta/VundoFix.exe

I must see the log even if it does not find anything, it will be on the C:\ as Vundofix.txt.

Thanks
 
Here are the new scan logs...page 1

I ran the new Vundofix, re-ran Combofix, amd re-ran HJT. Scan logs are attached.


1) VundoFix:


VundoFix V6.5.10

Checking Java version...

Scan started at 9:28:43 AM 12/11/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.10

Checking Java version...

Scan started at 9:39:35 AM 12/11/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.7.0

Checking Java version...

Scan started at 11:18:51 AM 12/11/2007

Listing files found while scanning....

C:\WINDOWS\PrimoPDF\uninstall.exe
C:\windows\system32\awtsp.dll
C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini2

Beginning removal...

VundoFix V6.7.0

Checking Java version...

Scan started at 11:59:56 AM 12/11/2007

Listing files found while scanning....

C:\WINDOWS\PrimoPDF\uninstall.exe
C:\windows\system32\awtsp.dll
C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini2

Beginning removal...

Attempting to delete C:\WINDOWS\PrimoPDF\uninstall.exe
C:\WINDOWS\PrimoPDF\uninstall.exe Has been deleted!

Attempting to delete C:\windows\system32\awtsp.dll
C:\windows\system32\awtsp.dll Could not be deleted.

Attempting to delete C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini Has been deleted!

Attempting to delete C:\windows\system32\pstwa.ini2
C:\windows\system32\pstwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.0

Checking Java version...

Scan started at 12:50:31 PM 12/11/2007

Listing files found while scanning....

C:\windows\system32\awtsp.dll
C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini2

Beginning removal...

Attempting to delete C:\windows\system32\awtsp.dll
C:\windows\system32\awtsp.dll Has been deleted!

Attempting to delete C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini Has been deleted!

Attempting to delete C:\windows\system32\pstwa.ini2
C:\windows\system32\pstwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!



2) Combo Fix Scan Log

ComboFix 07-12-02.6 - Owner 2007-12-11 13:34:06.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.103 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Desktop\searchus.exe
C:\WINDOWS\system32\ldcore.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\uninst2.htm
C:\WINDOWS\unist1.htm

.
((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
.

2007-12-11 12:49 . 2007-12-11 12:51 <DIR> d-------- C:\Program Files\Spruce
2007-12-11 09:28 . 2007-12-11 12:50 <DIR> d-------- C:\VundoFix Backups
2007-12-11 08:48 . 2007-12-11 08:48 <DIR> d-------- C:\Program Files\Sun
2007-12-11 08:48 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-11 08:20 . 2007-12-11 08:20 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-10 10:37 . 2007-12-10 10:37 74,304 --a------ C:\WINDOWS\system32\pgqpjguu.exe
2007-12-10 07:34 . 2007-12-10 07:35 1,315,863 --ahs---- C:\WINDOWS\system32\amjhdcar.ini
2007-12-10 07:31 . 2007-12-10 07:31 74,304 --a------ C:\WINDOWS\system32\sjeubnpb.exe
2007-12-07 07:43 . 2007-12-09 07:44 1,315,803 --ahs---- C:\WINDOWS\system32\kosqjuqh.ini
2007-12-07 07:37 . 2007-12-07 07:37 74,304 --a------ C:\WINDOWS\system32\ctafwrgr.exe
2007-12-06 07:42 . 2007-12-06 16:14 1,315,743 --ahs---- C:\WINDOWS\system32\augyqqmw.ini
2007-12-05 10:15 . 2007-12-05 10:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-05 10:15 . 2007-12-05 10:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-05 07:36 . 2007-12-06 07:33 1,318,705 --ahs---- C:\WINDOWS\system32\ojehdbxr.ini
2007-12-04 15:24 . 2003-10-10 23:19 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-04 15:24 . 2003-10-13 23:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-04 15:24 . 2003-10-10 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-04 15:24 . 2003-10-10 23:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2007-12-04 15:24 . 2003-10-13 23:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2007-12-04 15:20 . 2007-12-04 15:20 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-04 13:49 . 2007-12-04 13:49 63 --a------ C:\WINDOWS\mdm.ini
2007-12-04 13:17 . 2007-12-05 07:33 816,724 --ahs---- C:\WINDOWS\system32\antslmid.ini
2007-12-03 16:06 . 2007-12-03 16:07 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-12-03 16:02 . 2007-12-03 16:02 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-12-03 07:41 . 2007-12-04 13:11 827,724 --ahs---- C:\WINDOWS\system32\uapnffpt.ini
2007-12-03 07:41 . 2007-12-03 07:41 73,280 --a------ C:\WINDOWS\system32\ocbjpwjf.dll
2007-12-03 07:33 . 2007-12-03 07:33 793,820 --ahs---- C:\WINDOWS\system32\ptolrjme.tmp
2007-11-30 14:14 . 2007-11-30 14:14 106,527 --a------ C:\WINDOWS\system32\krdsrngk.exe
2007-11-30 12:48 . 2007-11-30 14:46 793,820 --ahs---- C:\WINDOWS\system32\ptolrjme.ini
2007-11-30 10:01 . 2007-11-30 10:01 <DIR> d-------- C:\WINDOWS\system32\daSgo06
2007-11-29 14:41 . 2007-08-20 04:04 6,058,496 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-29 14:41 . 2007-04-17 03:32 2,455,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-29 14:41 . 2007-03-07 23:10 991,232 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-29 14:41 . 2007-08-20 04:04 459,264 --a--c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-29 14:41 . 2007-08-20 04:04 383,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-29 14:41 . 2007-08-20 04:04 267,776 --a--c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-29 14:41 . 2007-08-20 04:04 63,488 --a--c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-29 14:41 . 2007-08-20 04:04 52,224 --a--c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-29 14:41 . 2007-08-17 04:20 13,824 --a--c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-29 14:33 . 2007-11-29 14:34 <DIR> d-------- C:\57f6375070a0c43864d847d3025c7ccd
2007-11-29 11:45 . 2007-12-10 10:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-29 11:38 . 2007-11-29 11:41 <DIR> d-------- C:\Program Files\Cool
2007-11-29 11:38 . 2007-11-29 11:38 37,376 --a------ C:\WINDOWS\system32\opnljii.dll
2007-11-29 11:37 . 2007-12-11 13:44 7,713 --a------ C:\WINDOWS\system32\ldcore.dll
2007-11-29 11:36 . 2007-11-29 11:36 <DIR> d-------- C:\WINDOWS\system32\daSgo02
2007-11-29 11:36 . 2007-11-29 11:36 <DIR> d-------- C:\Temp\bkR11
2007-11-29 11:36 . 2007-11-29 11:36 37,376 --a------ C:\WINDOWS\system32\byxwwwv.dll
2007-11-21 14:06 . 2006-10-04 08:06 764,868 --a--c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2007-11-21 14:06 . 2006-10-04 08:06 217,118 --a--c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2007-11-21 14:05 . 2007-11-21 14:05 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-11-21 14:03 . 2007-11-21 14:03 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-21 14:03 . 2007-11-21 14:04 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-11-21 14:03 . 2007-11-21 14:04 <DIR> d-------- C:\70c677fd719e930ec8
2007-11-21 14:02 . 2007-11-21 14:03 <DIR> d-------- C:\fc66d72d2b72b8ddbd81ebcfe9
2007-11-16 11:20 . 2007-11-16 11:20 208,896 --a------ C:\WINDOWS\io43mvuiw4kj.exe
2007-11-13 14:52 . 2004-08-20 07:02 102,400 --a------ C:\WINDOWS\system32\PMLJNI.dll
2007-11-13 14:52 . 2003-06-16 15:52 74,752 --a------ C:\WINDOWS\system32\jst.dll
2007-11-13 14:52 . 2004-05-10 14:11 40,960 --a------ C:\WINDOWS\system32\d4channel.dll
2007-11-13 14:52 . 2003-06-20 11:21 36,864 --a------ C:\WINDOWS\system32\hpbmmjno.dll
2007-11-13 14:52 . 2005-02-03 11:31 32,768 --a------ C:\WINDOWS\system32\compJNI.dll
2007-11-13 14:46 . 2001-08-17 13:53 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2007-11-13 14:46 . 2001-08-17 13:53 6,784 --a--c--- C:\WINDOWS\system32\dllcache\serscan.sys
2007-11-13 14:41 . 2007-11-13 14:40 53,628 --------- C:\WINDOWS\hppins01.dat.temp
2007-11-13 14:41 . 2005-04-08 10:52 2,392 --------- C:\WINDOWS\hppmdl01.dat.temp
2007-11-13 14:40 . 2007-11-13 15:06 53,975 --a------ C:\WINDOWS\hppins01.dat
2007-11-13 14:40 . 2005-04-08 10:52 2,392 --------- C:\WINDOWS\hppmdl01.dat
2007-11-13 09:00 . 2005-04-08 11:58 212,992 -ra------ C:\WINDOWS\system32\hptcpmui.dll
2007-11-13 09:00 . 2005-04-08 11:58 110,592 -ra------ C:\WINDOWS\system32\hptcpmon.dll
2007-11-13 09:00 . 2005-04-08 11:58 73,728 -ra------ C:\WINDOWS\system32\hptcpmib.dll
2007-11-13 09:00 . 2005-04-08 11:58 28,672 -ra------ C:\WINDOWS\system32\hpzjfw01.dll
2007-11-13 09:00 . 2005-04-08 11:58 9,864 -ra------ C:\WINDOWS\system32\hptcpmui.hlp
2007-11-13 09:00 . 2005-04-08 11:58 9,820 -ra------ C:\WINDOWS\system32\hpipxmui.hlp
2007-11-13 09:00 . 2005-04-08 11:58 3,399 -ra------ C:\WINDOWS\system32\hptcpmon.ini
2007-11-13 09:00 . 2007-11-13 14:46 291 --a------ C:\WINDOWS\system32\AddPort.ini
2007-11-13 08:59 . 2007-11-13 14:46 707 --a------ C:\WINDOWS\hpntwksetup.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 15:39 --------- d-----w C:\Program Files\McAfee
2007-12-11 14:48 --------- d-----w C:\Program Files\Java
2007-12-06 18:21 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2007-11-24 09:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2007-11-14 06:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-11-13 20:53 --------- d--h--w C:\Program Files\Zero G Registry
2007-11-13 20:53 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-13 20:50 --------- d-----w C:\Program Files\HP
2007-10-17 21:32 --------- d-----w C:\Program Files\Interbank FX Trader 4
2007-09-12 18:52 53,248 ----a-w C:\WINDOWS\hg173.exe
2007-09-12 18:50 53,248 ----a-w C:\WINDOWS\df87173.exe
2006-02-24 17:57 3,167,744 ----a-w C:\Documents and Settings\Owner\gosetup.exe
2006-01-12 16:33 563,712 ----a-w C:\Documents and Settings\Owner\370_gotomypc.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{405EA3D6-E011-4130-A568-DB56A0364B8D}]
C:\WINDOWS\system32\awtsp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54DE7259-C729-45B1-BBD8-4BE9B5BD8248}]
2007-11-29 10:28 401408 --a------ C:\Program Files\Spruce\Spruce.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C2A9795-B130-4622-B036-BDCAD28602DC}]
2007-11-12 11:50 397312 --a------ C:\Program Files\Cool\Cool.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}]
2007-11-29 11:36 37376 --a------ C:\WINDOWS\system32\byxwwwv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"NVIEW"="nview.dll" [2003-08-19 03:56 C:\WINDOWS\system32\nview.dll]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" []
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" []
"vf9"="C:\WINDOWS\System32\vf9485.exe" []
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 09:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-24 07:22]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 20:11]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 22:42]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-07-23 17:37]
"LTMSG"="LTMSG.exe" [2003-07-14 18:52 C:\WINDOWS\ltmsg.exe]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 15:55]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 03:55]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 15:51]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 08:23]
"AutoTKit"="C:\hp\bin\AUTOTKIT.EXE" [2003-06-18 20:19]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 13:54]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 15:44]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2006-07-24 14:28]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 15:24]
"HPUsageTracking"="C:\Program Files\HP\HP UT\bin\hppusg.exe" [2005-02-07 11:10]
"io43mvuiw4kj"="C:\WINDOWS\io43mvuiw4kj.exe" [2007-11-16 11:20]
"{DF-FB-B9-92-ZN}"="C:\windows\system32\dwdsrngt.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-11-12 10:57]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3"="C:\WINDOWS\command.com /c rmdir C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3" []
"0003 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"="C:\WINDOWS\command.com /c rmdir C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center" []
"0004 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"="C:\WINDOWS\command.com /c rmdir C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center" []
"0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3"="C:\WINDOWS\command.com /c rmdir C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3" []

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Cool - Auto Update.lnk - C:\Program Files\Cool\cool.exe [2007-11-29 11:38:20]
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSub.exe [2003-10-13 23:24:52]
Spruce - Auto Update.lnk - C:\Program Files\Spruce\Spruce.exe [2007-12-11 12:49:29]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 14:05:56]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2002-06-20 12:21:32]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-06-10 02:09:14]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-10-10 23:26:40]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}"= C:\WINDOWS\system32\byxwwwv.dll [2007-11-29 11:36 37376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwwwv]
byxwwwv.dll 2007-11-29 11:36 37376 C:\WINDOWS\system32\byxwwwv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= c:\windows\system32\ldcore.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AloPar.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Parallel Arbitrator]
@="Driver Group"

S2 0243271197387638mcinstcleanup;McAfee Application Installer Cleanup (0243271197387638);C:\WINDOWS\TEMP\024327~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys
S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys
S3 HPPLSBULK;HPPLSBULK;C:\WINDOWS\system32\drivers\hpplsbulk.sys
S4 AloPar;AloPar;\??\C:\WINDOWS\System32\Drivers\AloPar.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-11 19:47:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-11-15 07:07:50 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-11-01 06:00:38 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 13:44:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-11 13:48:50 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-11 10:05
.
--- E O F ---
 
Here are the new scan logs...page 2

3) HJT Scan Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:49:55 PM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\WINDOWS\io43mvuiw4kj.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Cool\X_cool.exe
C:\Program Files\Spruce\X_Spruce.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wildboards.wildtangent.com/R...okup/Decoder.aspx?g=bounce&dp=hpdesktop&l=HSP
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: (no name) - {405EA3D6-E011-4130-A568-DB56A0364B8D} - C:\WINDOWS\system32\awtsp.dll (file missing)
O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - C:\Program Files\Spruce\Spruce.dll
O2 - BHO: CoolBHO - {5C2A9795-B130-4622-B036-BDCAD28602DC} - C:\Program Files\Cool\Cool.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\system32\byxwwwv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [vf9] C:\WINDOWS\System32\vf9485.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [{DF-FB-B9-92-ZN}] C:\windows\system32\dwdsrngt.exe CHD001
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3"
O4 - HKLM\..\RunOnce: [0003 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0004 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Cool - Auto Update.lnk = C:\Program Files\Cool\cool.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: byxwwwv - C:\WINDOWS\SYSTEM32\byxwwwv.dll
O23 - Service: McAfee Application Installer Cleanup (0243271197387638) (0243271197387638mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\024327~1.EXE (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 12256 bytes
 
Thanks for returning your information, read and follow the directions carefully.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Start > Control Panel > Add Remove programs and uninstall Cool and Spruce if there.

4) Open a new notepad window
Paste the list of files from the quote box below into the notepad window.

C:\WINDOWS\system32\byxwwwv.dll
C:\WINDOWS\system32\pgqpjguu.exe
C:\WINDOWS\system32\amjhdcar.ini
C:\WINDOWS\system32\sjeubnpb.exe
C:\WINDOWS\system32\kosqjuqh.ini
C:\WINDOWS\system32\ctafwrgr.exe
C:\WINDOWS\system32\augyqqmw.ini
C:\WINDOWS\system32\ojehdbxr.ini
C:\WINDOWS\system32\uapnffpt.ini
C:\WINDOWS\system32\ocbjpwjf.dll
C:\WINDOWS\system32\ptolrjme.ini
C:\WINDOWS\system32\opnljii.dll
Click to expand...

Save this as vundofix.vft and Save as type "all files".
Double-click VundoFix.exe to run it.
Drag vundofix.vft onto the listbox (white box) of VundoFix.
Click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
O2 - BHO: (no name) - {405EA3D6-E011-4130-A568-DB56A0364B8D} - C:\WINDOWS\system32\awtsp.dll (file missing)
O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - C:\Program Files\Spruce\Spruce.dll
O2 - BHO: CoolBHO - {5C2A9795-B130-4622-B036-BDCAD28602DC} - C:\Program Files\Cool\Cool.dll
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\system32\byxwwwv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file
O4 - HKLM\..\Run: [vf9] C:\WINDOWS\System32\vf9485.exe
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [{DF-FB-B9-92-ZN}] C:\windows\system32\dwdsrngt.exe CHD001
O4 - Startup: Cool - Auto Update.lnk = C:\Program Files\Cool\cool.exe
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: byxwwwv - C:\WINDOWS\SYSTEM32\byxwwwv.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) RIGHT Click on Start then click on Explore. Locate and delete these items:

(some files may be gone, just do not miss any)

C:\Program Files\Cool\ <<< delete that folder

C:\Program Files\Spruce\ <<< delete that folder

C:\WINDOWS\io43mvuiw4kj.exe <<< delete that file

C:\windows\system32\dwdsrngt.exe <<< delete that file

c:\windows\system32\ldcore.dll <<< delete that file

C:\WINDOWS\system32\krdsrngk.exe <<< delete that file

C:\WINDOWS\System32\vf9485.exe <<< delete that file

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the Vundofix report and a new HJT log.

Thanks
 
Cannot delete C:\WINDOWS\io43mvuiw4kj.exe <<< delete that file

Hi Phil,

I cannot delet the file:

C:\WINDOWS\io43mvuiw4kj.exe <<< delete that file

per your instructions.

Access is denied. Make sure disk is not write protected or full.

Thanks, John
 
Hi Joh, I sent you a Private Message, my Post Reply key was unavailable at the time. Finish the directions and post the reports. Once I have a look I will have a better idea of how to proceed.

Thanks...Phil
 
new Vundofix and HJT Logs attached

1) Vundofix Log


VundoFix V6.5.10

Checking Java version...

Scan started at 9:28:43 AM 12/11/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.10

Checking Java version...

Scan started at 9:39:35 AM 12/11/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.7.0

Checking Java version...

Scan started at 11:18:51 AM 12/11/2007

Listing files found while scanning....

C:\WINDOWS\PrimoPDF\uninstall.exe
C:\windows\system32\awtsp.dll
C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini2

Beginning removal...

VundoFix V6.7.0

Checking Java version...

Scan started at 11:59:56 AM 12/11/2007

Listing files found while scanning....

C:\WINDOWS\PrimoPDF\uninstall.exe
C:\windows\system32\awtsp.dll
C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini2

Beginning removal...

Attempting to delete C:\WINDOWS\PrimoPDF\uninstall.exe
C:\WINDOWS\PrimoPDF\uninstall.exe Has been deleted!

Attempting to delete C:\windows\system32\awtsp.dll
C:\windows\system32\awtsp.dll Could not be deleted.

Attempting to delete C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini Has been deleted!

Attempting to delete C:\windows\system32\pstwa.ini2
C:\windows\system32\pstwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.0

Checking Java version...

Scan started at 12:50:31 PM 12/11/2007

Listing files found while scanning....

C:\windows\system32\awtsp.dll
C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini2

Beginning removal...

Attempting to delete C:\windows\system32\awtsp.dll
C:\windows\system32\awtsp.dll Has been deleted!

Attempting to delete C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini Has been deleted!

Attempting to delete C:\windows\system32\pstwa.ini2
C:\windows\system32\pstwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\amjhdcar.ini
C:\WINDOWS\system32\amjhdcar.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\augyqqmw.ini
C:\WINDOWS\system32\augyqqmw.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxwwwv.dll
C:\WINDOWS\system32\byxwwwv.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ctafwrgr.exe
C:\WINDOWS\system32\ctafwrgr.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\kosqjuqh.ini
C:\WINDOWS\system32\kosqjuqh.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ocbjpwjf.dll
C:\WINDOWS\system32\ocbjpwjf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ojehdbxr.ini
C:\WINDOWS\system32\ojehdbxr.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnljii.dll
C:\WINDOWS\system32\opnljii.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pgqpjguu.exe
C:\WINDOWS\system32\pgqpjguu.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ptolrjme.ini
C:\WINDOWS\system32\ptolrjme.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\sjeubnpb.exe
C:\WINDOWS\system32\sjeubnpb.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\uapnffpt.ini
C:\WINDOWS\system32\uapnffpt.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.0

Checking Java version...

Scan started at 8:25:44 AM 12/12/2007

Listing files found while scanning....

No infected files were found.



2) HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:50 PM, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\WINDOWS\io43mvuiw4kj.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wildboards.wildtangent.com/R...okup/Decoder.aspx?g=bounce&dp=hpdesktop&l=HSP
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3"
O4 - HKLM\..\RunOnce: [0003 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0004 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 10196 bytes
 
Thanks for returning your information and the feedback. First, let me assure you this is a bad trojan:
C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
Here is information about it:
http://www.prevx.com/filenames/3045286910697188418-0/IO43MVUIW4KJ.EXE.html and the Google:
http://www.google.com/search?hl=en&q=io43mvuiw4kj.exe&btnG=Google+Search

This item must be removed, this is your computer and the computer can not deny you access...right!
First, to be sure the item is not running, right click the Taskbar and choose Task Manager. Look for:
C:\WINDOWS\io43mvuiw4kj.exe under the Processes Tab and if you see it, highlite it and End Process.

Now do this:
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\io43mvuiw4kj.exe <<< delete that file, if you have to, boot to safe mode and delete it there:
http://spyware-free.us/tutorials/safemode/ <<< tutorial if needed

You may also try this:
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\io43mvuiw4kj.exe and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.

Once it is gone, post a new HJT log.

Thanks
 
New HJT log

It appears to be gone??????

New HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:13 PM, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\gbbrnkns.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wildboards.wildtangent.com/R...okup/Decoder.aspx?g=bounce&dp=hpdesktop&l=HSP
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [20ddfb3d] rundll32.exe "C:\WINDOWS\system32\imarxswn.dll",b
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3"
O4 - HKLM\..\RunOnce: [0003 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0004 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O23 - Service: DomainService - - C:\WINDOWS\system32\gbbrnkns.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 10349 bytes
 
Still getting misc pop-up ads

As I was sending the last reply, I received some more misc pop-up ads. I am following the log on a second pc here at home, I only connect to the network on the infected pc to send and receive info form you on this pc.

John
 
Thanks for the feedback, remember I told you this would not be easy. Until we get it all, it will morph and return. Be sure to keep this computerr offline except when you are troubleshoting with it. I may duplicate some instructions.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Disable the Service
Click Start > Run and type services.msc
Scroll down to DomainService and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

4) Open Vundofix by Doubleclicking on it, then point your mouse to the white box
above the buttons and right click, then click on Add More Files. When the next window opens, copy and paste the files into the boxes and click on Add File(s), then click on Close Window. Then click Remove Vundo.

(files to add)
C:\WINDOWS\system32\imarxswn.dll
C:\WINDOWS\system32\gbbrnkns.exe

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [20ddfb3d] rundll32.exe "C:\WINDOWS\system32\imarxswn.dll",b
O23 - Service: DomainService - - C:\WINDOWS\system32\gbbrnkns.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) RIGHT Click on Start then click on Explore. Locate and delete these items:

(check to be sure these files are gone)

C:\WINDOWS\io43mvuiw4kj.exe
C:\WINDOWS\system32\imarxswn.dll
C:\WINDOWS\system32\gbbrnkns.exe

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the Vundofix report and a new HJT log.

Thanks
 
New scan reports

1) VundoFix


VundoFix V6.5.10

Checking Java version...

Scan started at 9:28:43 AM 12/11/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.10

Checking Java version...

Scan started at 9:39:35 AM 12/11/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.7.0

Checking Java version...

Scan started at 11:18:51 AM 12/11/2007

Listing files found while scanning....

C:\WINDOWS\PrimoPDF\uninstall.exe
C:\windows\system32\awtsp.dll
C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini2

Beginning removal...

VundoFix V6.7.0

Checking Java version...

Scan started at 11:59:56 AM 12/11/2007

Listing files found while scanning....

C:\WINDOWS\PrimoPDF\uninstall.exe
C:\windows\system32\awtsp.dll
C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini2

Beginning removal...

Attempting to delete C:\WINDOWS\PrimoPDF\uninstall.exe
C:\WINDOWS\PrimoPDF\uninstall.exe Has been deleted!

Attempting to delete C:\windows\system32\awtsp.dll
C:\windows\system32\awtsp.dll Could not be deleted.

Attempting to delete C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini Has been deleted!

Attempting to delete C:\windows\system32\pstwa.ini2
C:\windows\system32\pstwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.0

Checking Java version...

Scan started at 12:50:31 PM 12/11/2007

Listing files found while scanning....

C:\windows\system32\awtsp.dll
C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini2

Beginning removal...

Attempting to delete C:\windows\system32\awtsp.dll
C:\windows\system32\awtsp.dll Has been deleted!

Attempting to delete C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini Has been deleted!

Attempting to delete C:\windows\system32\pstwa.ini2
C:\windows\system32\pstwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\amjhdcar.ini
C:\WINDOWS\system32\amjhdcar.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\augyqqmw.ini
C:\WINDOWS\system32\augyqqmw.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxwwwv.dll
C:\WINDOWS\system32\byxwwwv.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ctafwrgr.exe
C:\WINDOWS\system32\ctafwrgr.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\kosqjuqh.ini
C:\WINDOWS\system32\kosqjuqh.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ocbjpwjf.dll
C:\WINDOWS\system32\ocbjpwjf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ojehdbxr.ini
C:\WINDOWS\system32\ojehdbxr.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnljii.dll
C:\WINDOWS\system32\opnljii.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pgqpjguu.exe
C:\WINDOWS\system32\pgqpjguu.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ptolrjme.ini
C:\WINDOWS\system32\ptolrjme.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\sjeubnpb.exe
C:\WINDOWS\system32\sjeubnpb.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\uapnffpt.ini
C:\WINDOWS\system32\uapnffpt.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.0

Checking Java version...

Scan started at 8:25:44 AM 12/12/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Beginning removal...

Attempting to delete C:\WINDOWS\system32\gbbrnkns.exe
C:\WINDOWS\system32\gbbrnkns.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\imarxswn.dll
C:\WINDOWS\system32\imarxswn.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\imarxswn.dll
C:\WINDOWS\system32\imarxswn.dll Has been deleted!

Performing Repairs to the registry.
Done!


2) New HJT Scan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:45 PM, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wildboards.wildtangent.com/R...okup/Decoder.aspx?g=bounce&dp=hpdesktop&l=HSP
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 840C Series v2.3"
O4 - HKLM\..\RunOnce: [0003 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0004 - C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP Internet Connection Center"
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3] C:\WINDOWS\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 930C Series v2.3"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 10168 bytes


As Always, Thank you Phil for the diligent help!!!!!
 
Status
Not open for further replies.
Back
Top