Help! Drivecleaner Pop-up & more?

S

sparks911

New member
The 1st problem i noticed, while booting my computer it hangs on the windows XP screen (the one with the blue bar moving from left to right) it loads to that point then the hard drive stops. It will do this for a bunch of reboots then it will be ok and work right for awhile???? Like a dummy, I tried a system restore, didn't fix anything so i set it back to current.
My computer still has the above problem and now every once in awhile Firefox will close and Drivecleaner will pop-up????
I have run Spybot and it found nothing! I will post my Hijack this log!
Thanks for any and all help!

Logfile of HijackThis v1.99.1
Scan saved at 2:37:40 AM, on 7/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.com/ws/eBayISAPI.dll?MyeBay&MyEbay=&guest=1
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CamMonitor] "C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.5/installer.exe
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CA Personal Firewall ASEM - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
 
I also tried Vundofix and it found nothing, also scanned with CA Anti-Virus & CA Anti-Spyware with no luck! CA Anti-Spyware also now crashes when i try to get into the settings tab!
Back in February I had Vundo trojan and you all helped me clean it off with great success! I did all that you said including deleting restore points and my computer has been great up until now! When i just did the system restore I only went back a couple of weeks.
Thanks again for any and all help!
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information. "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Did you see the link shelf life provided when you were here last?
http://security-central.us/SafeHex/prevention.htm

I am not seeing drive cleaner which is a rouge product by the way, but you do have this junk plugged in:
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
TrojanDownloader.OTXloader.A X 084F552D-19EB-4668-9788-984CBC781A8F detected by Kaspersky

I'd like a look at your uninstall list and we will see if combofix can remove drive cleaner.

1) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

2) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

3) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

4) Run Clean Manager
http://spyware-free.us/tutorials/cleanmgr/

restart and post the combofix log, the uninstall list, a new HJT log and any comments you think will help.

Thanks
 
Ok! here's the logs!

"Scott1" - 2007-07-24 14:04:16 [GMT -5:00] - ComboFix 07-07-24 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-24 to 2007-07-24 )))))))))))))))))))))))))))))))


2007-07-24 14:01 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-23 08:39 879,832 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2007-07-23 08:39 108,360 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2007-07-21 03:11 <DIR> d-------- C:\VundoFix Backups
2007-07-18 15:58 <DIR> d-------- C:\DOCUME~1\Scott1\.housecall6.6
2007-07-18 15:47 <DIR> d-------- C:\DOCUME~1\Scott1\APPLIC~1\HouseCall 6.6
2007-07-11 13:27 <DIR> d-------- C:\WINDOWS\LastGood(2)
2007-07-10 05:06 4,718,592 --a------ C:\DOCUME~1\Scott1\ntuser.dat
2007-07-10 05:06 229,376 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-24 07:50:02 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2007-07-24 07:50:02 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2007-07-24 07:50:02 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2007-07-24 07:50:02 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2007-07-24 07:50:02 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2007-07-24 07:50:02 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2007-07-24 07:50:02 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2007-07-24 07:50:02 105,250 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2007-07-11 19:05:40 -------- d-----w C:\Program Files\Motorola Phone Tools
2007-07-11 19:05:07 -------- d-----w C:\Program Files\QuickTime
2007-07-11 19:04:26 -------- d-----w C:\Program Files\Apple Software Update
2007-06-15 10:21:31 -------- d-----w C:\DOCUME~1\Scott1\APPLIC~1\Image Zone Express
2007-06-04 06:33:58 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-06-04 06:31:45 -------- d-----w C:\Program Files\Common Files\Motorola Shared
2007-05-28 19:12:12 -------- d-----w C:\Program Files\Common Files\Scanner
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-03 01:25:42 75,280 ----a-w C:\WINDOWS\system32\isafprod.dll
2007-05-03 01:25:41 99,904 ----a-w C:\WINDOWS\system32\isafeif.dll
2007-05-03 01:25:41 79,424 ----a-w C:\WINDOWS\system32\vetredir.dll
2007-05-02 07:54:38 2,933 ----a-w C:\WINDOWS\mozver.dat
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel(2)(2).dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" []
"Share-to-Web Namespace Daemon"="C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 12:42]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 11:21]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 13:05]
"CamMonitor"="C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 02:23]
"ATIModeChange"="Ati2mdxx.exe" [2004-04-02 02:16 C:\WINDOWS\system32\Ati2mdxx.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 22:40]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 15:01 C:\WINDOWS\AGRSMMSG.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 16:44 C:\WINDOWS\KHALMNPR.Exe]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-06-14 16:09]
"@"="" []
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-05-02 20:25]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2007-06-14 16:09]
"ATIPTA"="C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE" [2004-11-30 22:10]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2006-03-09 14:46 73728 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WdfLoadGroup]

R0 caboagp;ATI Cabo AGP Filter;C:\WINDOWS\system32\DRIVERS\atisgkaf.sys
R0 DevUpper;TI UltraMedia CardBus Controller Filter Driver;C:\WINDOWS\system32\DRIVERS\tiumflt.sys
R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys
R1 eabfiltr;EABFiltr;\??\C:\WINDOWS\System32\drivers\EABFiltr.sys
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI;C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
R2 CA Personal Firewall ASEM;CA Personal Firewall ASEM;C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe"
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe"
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe"
R3 HidUsb;Microsoft HID Class Driver;C:\WINDOWS\system32\DRIVERS\hidusb.sys
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver;C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
R3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
R3 tiumfwl;tiumfwl;C:\WINDOWS\system32\drivers\tiumfwl.sys
R3 usbccgp;Microsoft USB Generic Parent Driver;C:\WINDOWS\system32\DRIVERS\usbccgp.sys
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbehci.sys
R3 usbhub;USB2 Enabled Hub;C:\WINDOWS\system32\DRIVERS\usbhub.sys
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbohci.sys
R3 Wdf01000;Wdf01000;C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
S3 CE3;Xircom Ethernet Adapter 10/100 Service;C:\WINDOWS\system32\DRIVERS\ce3n5.sys
S3 eabusb;eabusb;\??\C:\WINDOWS\system32\drivers\eabusb.sys
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12;C:\WINDOWS\system32\DRIVERS\HPZius12.sys
S3 LHidKe;Logitech SetPoint HID Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LHidKE.Sys
S3 LMouKE;Logitech SetPoint Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe"
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S3 usbscan;USB Scanner Driver;C:\WINDOWS\system32\DRIVERS\usbscan.sys
S3 usbser;Motorola A1000 USB Modem Driver;C:\WINDOWS\system32\DRIVERS\usbser.sys
S3 usbsermpt;Motorola USB Modem Driver for MPT;C:\WINDOWS\system32\DRIVERS\usbsermpt.sys
S3 USBSTOR;USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbuhci.sys
S3 WpdUsb;WpdUsb;C:\WINDOWS\system32\DRIVERS\wpdusb.sys


Contents of the 'Scheduled Tasks' folder
2007-06-20 02:40:05 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-10 10:46:04 C:\WINDOWS\tasks\CAAntiSpywareScan_Daily as Scott1 at 12 00 PM.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-24 14:09:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000004e5

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-24 14:12:33

--- E O F ---

Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.9
Adobe Shockwave Player
Agere Systems AC'97 Modem
AnalogX SuperShredder
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Avanquest update
Broadcom 802.11 Driver
CA Internet Security Suite
CA Pest Patrol Realtime Protection
CDDRV_Installer
CoffeeCup Free FTP
Google Earth
HijackThis 1.99.1
HouseCall 6.6
HP Deskjet Preloaded Printer Drivers
HP Imaging Device Functions 7.0
HP Photo & Imaging 3.1
HP Photo and Imaging 2.0 - Photosmart Cameras
HP Photosmart and Deskjet 7.0.A
HP Photosmart Essential
HP PSC & OfficeJet 3.0
HP Software Update
HP Solution Center 7.0
InterVideo WinDVD
J2SE Runtime Environment 5.0 Update 11
Java(TM) SE Runtime Environment 6 Update 1
KhalSetup
Logitech SetPoint
Memories Disc Creator 2.0
Motorola Driver Installation
Motorola Phone Tools
Mozilla Firefox (2.0.0.5)
MSN Gaming Zone
MSXML 4.0 SP2 (KB927978)
NoAds
OCR Software by I.R.I.S 7.0
PCI 1620 Cardbus Controller and Software
Photosmart 140,240,7200,7600,7700,7900 Series
Quick Launch Buttons 4.20 E1
Quicken 2004
QuickTime
RealPlayer
RecordNow!
Sonic Update Manager
SoundMAX
Spybot - Search & Destroy 1.4
Symantec KB-DocID:2003093015493306
Trellian Dictionary v1.0
Trellian LiveUpgrade v2.0
Trellian WebPage
Turbo Lister 2
Web Design Group CSS Reference
Web Design Group HTML Reference
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 2
WinZip

Logfile of HijackThis v1.99.1
Scan saved at 2:43:41 PM, on 7/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.com/ws/eBayISAPI.dll?MyeBay&MyEbay=&guest=1
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CamMonitor] "C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.5/installer.exe
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CA Personal Firewall ASEM - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
 
Thanks for returning your information and it's not telling us much:

Uninstall list:

See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
J2SE Runtime Environment 5.0 Update 11
Java(TM) SE Runtime Environment 6 Update 1
Download the newest version of Java and then uninstall these old versions in Add Remove Programs.

C:\VundoFix Backups << delete those and any Vundofix you have on your computer. I may want to look at a scan later but will want a new download.

I am just not seeing a lot in any of this information, this one may be tough to find?
You may have problems other than malware, can you provide me with more information.
1) what exactly do the popups say?
2) Are you receiving any error messages? If so post them word for word.
3) Do these popups occur when you are offline?
4) Could you enter drivecleaner into search for files and folder to see what it returns. Post that information.


Let's have a look at a BlackLight scan in case a rootkit infection is involved.

Please download F-Secure BlackLight Beta:
https://europe.f-secure.com/exclude/blacklight/index.shtml

Save it to its own folder in the Desktop
Double-click blbeta.exe to run the program
Click : Scan
A list of all items found is created

The list is in the BlackLight folder on the Desktop, and named fsbl.xxxxxxx.log (xxxxxxx are numbers).

Please provide the log created by BlackLight in your next reply.

Please do not fix anything, most if not all files will be valid.

Since you mention the harddrive stopping, let's look at a free diagnostic to see if it provides any insite.
http://www.pcpitstop.com/
Help with results: http://pcpitstop.invisionzone.com/index.php?showforum=6
Tutorial: http://www.pcpitstop.com/techexpress/howto1.asp
Stay with FREE, when the scan is complete, post a link to the report for me to look at.

Post the BlackLight scan report, and information I requested, any comments you think will help and a link to the PCPitStop scan results when you have it.

Thanks
 
I updated Java, uninstalled older versions.
C:\VundoFix Backups << delete those and any Vundofix you have on your computer. Did this!

1) what exactly do the popups say?
A small box appears on lower right hand side of screen that says you may be infected..........download drivecleaner, sometimes it says winantivirus, and when i click exit, it brings up a webpage for the software.
2) Are you receiving any error messages? If so post them word for word.
No error messages!
3) Do these popups occur when you are offline?
Don't know, I'm always online....Wireless hi speed
4) Could you enter drivecleaner into search for files and folder to see what it returns.
Nothing found!
F-Secure BlackLight Beta: Didn't find anything.....heres the log....
07/25/07 00:32:33 [Info]: BlackLight Engine 1.0.64 initialized
07/25/07 00:32:33 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/25/07 00:32:33 [Note]: 7019 4
07/25/07 00:32:33 [Note]: 7005 0
07/25/07 00:32:45 [Note]: 7006 0
07/25/07 00:32:45 [Note]: 7011 2996
07/25/07 00:32:45 [Note]: 7026 0
07/25/07 00:32:45 [Note]: 7026 0
07/25/07 00:32:49 [Note]: FSRAW library version 1.7.1022
07/25/07 00:42:55 [Note]: 7007 0
PCPitStop
http://www.pcpitstop.com/techexpress.asp?id=L0F6HW4MKYVSX8WW
 
Thanks for returning your information, this junk may be tricky to locate, could be a leftover registry entry?

It is possible something is running from your Prefetch folder.
http://www.pcmag.com/article2/0,1759,1683520,00.asp
C:\WINDOWS\Prefetch <<< located here
Delete everything in the folder (NOT THE FOLDER), you might be slow for a few reboots until Windows repopulates with valid files.

Once you clean Prefetch, if you continue to get that popup, please download and run Vundofix. Be sure to use this new download and post the report even if it finds nothing.
Thanks to Atribune and any others who helped with this fix.

Please understand these hackers can call there junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThislogin a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com

BlackLight is clean.

PCPitStop diagnostic:
I suggest you follow the advice:
http://www.pcpitstop.com/pcpitstop/TipRestore.asp

This one you would have to discuss with your ISP
http://www.pcpitstop.com/pcpitstop/IntSpeed.asp

I would do this also:
http://www.pcpitstop.com/pcpitstop/IntCache.asp

Let me know if cleaning Prefetch helped, if not post the Vundofix report and any information you think will help.

Thanks
 
I haven't seen the pop-up now in the last day or so......1 other thing i did notice is i'm getting alot of spam porn e-mails..... I don't go to porn sites, I don't do or look for crackz, etc..... all i really do on the computer is e-mail, sweepstakes, e-bay, basic stuff.....
I cleared the prefetch, I also fixed what pcpitstop said to fix........My ISP connection is fine.....I think i put the wrong info in when it asked......
Can we keep this open for a couple of days so i can make sure nothing pops up anymore? I will update in a couple of days or sooner if something happens!
Thank You for your help!
I hope it's gone and taken care of!
 
Please be aware you can be getting spam porn email and it would have nothing to do with you or your computer. I get a lot of junk and I am sure porn is there also but I have my email filters set to filter the junk so I do not have to see it. There are so many possible ways to get infected anymore, look at these links:
http://www.theregister.com/2007/05/11/google_malware_map/
http://redtape.msnbc.com/2007/05/the_next_net_th.html

These just came in from associates today:
http://isc.sans.org/diary.html?storyid=3186
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201200849

It's a real battle to stay safe. here are a few more good links that might help:
. Security At Home site
http://www.microsoft.com/athome/security/default.mspx
. Security Tips & Talk blog
http://blogs.msdn.com/securitytipstalk/default.aspx
. RSS feed: Get security information delivered to you
http://www.microsoft.com/athome/security/rss/default.mspx
. Security video tutorials
http://www.microsoft.com/athome/security/videos/default.mspx
. Security community for home users
http://www.microsoft.com/athome/security/newsgroup/default.mspx
. Support for your computer security issues
http://www.microsoft.com/athome/security/support/default.mspx

Let me know when I can close the topic.

Thanks...Phil
 
It popped up again! A small box on lower right side of screen....closed FireFox 1st!
http://amaena.com says:
Says a bunch of stuff........
Download WinAntiVirus PRO Now!
I ran VundoFix again and again it found nothing!
I have done everything so far that you have asked.....
Here's my HJT log again!
Logfile of HijackThis v1.99.1
Scan saved at 3:25:00 AM, on 7/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.com/ws/eBayISAPI.dll?MyeBay&MyEbay=&guest=1
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CamMonitor] "C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.5/installer.exe
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CA Personal Firewall ASEM - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
 
VundoFix V6.5.6

Checking Java version...

Scan started at 3:16:53 AM 7/26/2007

Listing files found while scanning....

No infected files were found.
 
Thanks for the feedback, off the Winfixer subjust, but I am seeing two firewalls:
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
CA Personal Firewall <<< unless they are somehow the same firewall, I would get rid of one of them.

You HJT log looks clean besides that. I wonder is that item is being generated by a cookie? Have a look at this information to see how to block the item when it pops up.
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx

Before I try a scanner or two, please delete any instance of combofix you have on your computer, I want a completely new download.
This program removed the Winfixer program so if it does not find anything chances are it's a cookie. Let's look at that scan first.

Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Thanks
 
Off Winfixer subjust? I don't understand?
The Firewall's are 1 and the same. Part of Ca Internet Security Suite!


"Scott1" - 2007-07-26 14:51:11 [GMT -5:00] - ComboFix 07-07-24 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-26 to 2007-07-26 )))))))))))))))))))))))))))))))


2007-07-26 03:16 <DIR> d-------- C:\VundoFix Backups
2007-07-24 14:01 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-23 08:39 879,832 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2007-07-23 08:39 108,360 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2007-07-18 12:11 4,096 --a------ C:\WINDOWS\system32\sysres.dll
2007-07-18 12:11 38,567 --a------ C:\WINDOWS\system32\pcpbios.exe
2007-07-11 13:27 <DIR> d-------- C:\WINDOWS\LastGood(2)
2007-07-10 05:06 4,718,592 --a------ C:\DOCUME~1\Scott1\ntuser.dat
2007-07-10 05:06 229,376 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-26 08:52:19 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2007-07-26 08:52:19 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2007-07-26 08:52:19 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2007-07-26 08:52:19 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2007-07-26 08:52:19 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2007-07-26 08:52:19 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2007-07-26 08:52:19 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2007-07-26 08:52:19 108,290 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2007-07-11 19:05:40 -------- d-----w C:\Program Files\Motorola Phone Tools
2007-07-11 19:05:07 -------- d-----w C:\Program Files\QuickTime
2007-07-11 19:04:26 -------- d-----w C:\Program Files\Apple Software Update
2007-06-15 10:21:31 -------- d-----w C:\DOCUME~1\Scott1\APPLIC~1\Image Zone Express
2007-06-04 06:33:58 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-06-04 06:31:45 -------- d-----w C:\Program Files\Common Files\Motorola Shared
2007-05-28 19:12:12 -------- d-----w C:\Program Files\Common Files\Scanner
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-03 01:25:42 75,280 ----a-w C:\WINDOWS\system32\isafprod.dll
2007-05-03 01:25:41 99,904 ----a-w C:\WINDOWS\system32\isafeif.dll
2007-05-03 01:25:41 79,424 ----a-w C:\WINDOWS\system32\vetredir.dll
2007-05-02 07:54:38 2,933 ----a-w C:\WINDOWS\mozver.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" []
"Share-to-Web Namespace Daemon"="C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 12:42]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 11:21]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 13:05]
"CamMonitor"="C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 02:23]
"ATIModeChange"="Ati2mdxx.exe" [2004-04-02 02:16 C:\WINDOWS\system32\Ati2mdxx.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 22:40]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 15:01 C:\WINDOWS\AGRSMMSG.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 16:44 C:\WINDOWS\KHALMNPR.Exe]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-06-14 16:09]
"@"="" []
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-05-02 20:25]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2007-06-14 16:09]
"ATIPTA"="C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE" [2004-11-30 22:10]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2006-03-09 14:46 73728 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WdfLoadGroup]

R0 caboagp;ATI Cabo AGP Filter;C:\WINDOWS\system32\DRIVERS\atisgkaf.sys
R0 DevUpper;TI UltraMedia CardBus Controller Filter Driver;C:\WINDOWS\system32\DRIVERS\tiumflt.sys
R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys
R1 eabfiltr;EABFiltr;\??\C:\WINDOWS\System32\drivers\EABFiltr.sys
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI;C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
R2 CA Personal Firewall ASEM;CA Personal Firewall ASEM;C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe"
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe"
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe"
R3 HidUsb;Microsoft HID Class Driver;C:\WINDOWS\system32\DRIVERS\hidusb.sys
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver;C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
R3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
R3 tiumfwl;tiumfwl;C:\WINDOWS\system32\drivers\tiumfwl.sys
R3 usbccgp;Microsoft USB Generic Parent Driver;C:\WINDOWS\system32\DRIVERS\usbccgp.sys
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbehci.sys
R3 usbhub;USB2 Enabled Hub;C:\WINDOWS\system32\DRIVERS\usbhub.sys
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbohci.sys
R3 Wdf01000;Wdf01000;C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
S3 CE3;Xircom Ethernet Adapter 10/100 Service;C:\WINDOWS\system32\DRIVERS\ce3n5.sys
S3 eabusb;eabusb;\??\C:\WINDOWS\system32\drivers\eabusb.sys
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12;C:\WINDOWS\system32\DRIVERS\HPZius12.sys
S3 LHidKe;Logitech SetPoint HID Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LHidKE.Sys
S3 LMouKE;Logitech SetPoint Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe"
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S3 usbscan;USB Scanner Driver;C:\WINDOWS\system32\DRIVERS\usbscan.sys
S3 usbser;Motorola A1000 USB Modem Driver;C:\WINDOWS\system32\DRIVERS\usbser.sys
S3 usbsermpt;Motorola USB Modem Driver for MPT;C:\WINDOWS\system32\DRIVERS\usbsermpt.sys
S3 USBSTOR;USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbuhci.sys
S3 WpdUsb;WpdUsb;C:\WINDOWS\system32\DRIVERS\wpdusb.sys


Contents of the 'Scheduled Tasks' folder
2007-06-20 02:40:05 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-10 10:46:04 C:\WINDOWS\tasks\CAAntiSpywareScan_Daily as Scott1 at 12 00 PM.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-26 14:55:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-26 14:58:57

--- E O F ---
 
I have no idea where that popup is coming from, with Vundofix and combofix both clean, I can only guess it's a cookie or a leftover registry entry.

C:\VundoFix Backups <<< delete that folder, let give this scan a try:

Please remove all Vundofix and combox fix including any backups from your computer.

The is a free trial scan, please read and follow the directions.

1. Download AVG Anti-Spyware Free Edition: http://free.grisoft.com/doc/20/us/frt/0
2. http://free.grisoft.com/doc/downloads-products/us/frt/0?prd=asf
3. Save the Installation files to your Desktop
4. Double click the installer on the Desktop
5. Choose the Language using the drop down menu then click OK
6. Recommended that you close all other applications before clicking NEXT
7. Install in the default location: C:\Program Files\Grisoft\Anti-Spyware 7.5
8. Make sure Run AVG Anti-Spyware 7.5 is checked then click Finish.
9. Update first then choose "Scan Now"
10. Choose Complete System Scan
11. Chose Recommended actions and choose Delete or quarantine. You can also choose Ingore if there is something you think may be valid.
12. Click Reports then Save Report as. Save it to your Desktop.
13. Open the Report on the Desktop and click on Edit then Select All.
14. Copy and Paste that information to this topic.

Thanks
 
Removed all Vundofix and combox fix including any backups from my computer.
Ran AVG Anti-Spyware Free Edition, it found 29 objects, 148 traces all are tracking cookies!
I followed the directions you gave me and by doing #11 in your directions 1st it wouldn't let me save a log report! You hafto do reports 1st then apply actions 2nd! But like i said all things found were tracking cookies.
Adrevolver
Adbrite
Zedo
Advertising
Doubleclick
Yieldmanager
Atdmt
Cnn
2o7
Tacoda
Revsci
Tribalfusion
Questionmarket
Pointroll
Bluestreak
Paypal
Burstnet
Realmedia
Hitbox
Imrworldwide
Specificclick
Liveperson
Dealtime
Esomniture
Overture
.Com
Bridgetrack
Onestat
Burstbeacon

I have found these files under C:/ windows which i have no idea what they are:
Folder: EHome File: medctrro.exe Windows NT Command Script

Folder: peernet Files: sqldb20.dll sqlqp20.dll sqlse20.dll Application Extensions

Folder: ime Empty Subfolders: chsime, CHTIME, imejp, imejp98, imjp8_1, imkr6_1, shared Files: mscandui.dll, softkbd.dll, spgrmr.dll, sptip.dll
 
I apologize but I ran that program and saved the report at the end of the scan. I also chose to delete the three cookies it found on the computer at the end of the scan.

I wish I had the time to scan every file you find, but alas I do not. Use Google: http://www.google.com/
If Google indentifes the file and says it is bad, then delete it. If Google does not identify the file or does not know what it is, then use one or more of these free online scanners to find out:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

Remember, when you delete a file it is moved to your recycle bin and can be restored if need be. When I have a questionable file, I move it to the bin for a few days, if there is no negative effects then I dump the bin. Be sure no one has bypassed your Recycle Bin.

Let's check you recycle bin to make sure it has not been bypassed. RIGHT click on it and choose properties. It should, by default, be set to "Use one setting for all drives"
Make sure the box "Do not move files to the Recycle Bin. Remove files immediately when deleted IS NOT CHECKED. Make sure you have space for deleted items, I keep my bin set at 5%. I hope this helps.

Thanks
 
11. Chose Recommended actions and choose Delete or quarantine. You can also choose Ingore if there is something you think may be valid.
12. Click Reports then Save Report as. Save it to your Desktop.

I chose recommended actions and deleted everything it found, per your instructions above.....but it wouldn't let me save a log report after I did #11, I guess you must have meant to do the report 1st then choose recommended actions and delete etc......?

Anyways, I will check those files and let you know if i find anything!
Again I haven't seen the pop-up since yesterday, but unfortunately I said that before and it popped up again!
I will also check out the links to the other scanners and keep you posted!
Thanks!
 
Thanks for that feedback, I will keep the topic open for a few days in case you need it, but I suggest once you have deleted all bad files, you do this:

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
 
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks...pskelley
 
You must log in or register to reply here.
Back
Top