trojans and worm detected by kapersky

Status
Not open for further replies.
Thanks for returning your log and the feedback, have a look at information about this item:
C:\WINDOWS\SYSTEM32\WLCtrl32.dll
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DIEHARD.D&VSect=T
Make sure you read all of the information so you know what we are up against. Understand I have not removed this before, so basically it is all trial and error.

Start with this information:
Installation
This Trojan drops the following file(s)/component(s):

%System%\drivers\Upy10.sys
%System%\WLCtrl32.dll

Looking at the combofix report I see these:
Files Created from 2008-02-06 to 2008-03-06
2008-03-06 10:59 . 2008-03-06 10:59 26,496 --a------ C:\WINDOWS\system32\drivers\Ipw31.sys
2008-03-06 10:59 . 2008-03-06 10:59 11,776 --a------ C:\WINDOWS\system32\WLCtrl32.dl_

Note the file: WLCtrl32.dl_ and even though the driver is different from the one Trend says the trojan creates, please notice that they were both created at exactly the same time and date.

Before we try to remove both the file and the driver, I would like you to navigate to that driver:
C:\WINDOWS\system32\drivers\Ipw31.sys
and scan it with this tool: http://virusscan.jotti.org/
Post that information for me. You understand I must be 100% certain I am removing the correct driver. You might also look at properties for both the driver and the file to see if you can assure yourself that is the driver the trojan created.

Thanks
 
Ok, I tried scanning the .sys file and got this response:

"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

I turned off my firewall (through McAfee) with the same results.
 
I went ahead and scanned the WLCtrl32.dl_ and WLCtrl32.dll and got these results if they help at all:


--- WLCtrl32.dl_ -----
Scan taken on 09 Mar 2008 18:34:39 (GMT)
A-Squared Found nothing
AntiVir Found TR/Drop.Agent.NBG
ArcaVir Found Trojan.Downloader.Agent.Kif
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found Troj.Downloader.W32.Agent.kif
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Agent.kif
Fortinet Found W32/Agent.KIF!tr.dldr
Ikarus Found nothing
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Agent.kif
NOD32 Found nothing
Norman Virus Control Found W32/Agent.ELOA
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/Generic-A
VirusBuster Found nothing
VBA32 Found nothing


---- WLCtrl32.dll ------
Scan taken on 09 Mar 2008 18:38:28 (GMT)
A-Squared Found nothing
AntiVir Found TR/Drop.Agent.NBG
ArcaVir Found Trojan.Downloader.Agent.Kif
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found Troj.Downloader.W32.Agent.kif
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Agent.kif
Fortinet Found W32/Agent.KIF!tr.dldr
Ikarus Found nothing
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Agent.kif
NOD32 Found nothing
Norman Virus Control Found W32/Agent.ELOA
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/Generic-A
VirusBuster Found nothing
VBA32 Found nothing
 
Below is the log from Combofix. As it was running, I noticed it deleted that .sys file we had worked with earlier.
Several of these error boxes popped up during the log reporting: "Generic Host Process for Win32 Services encountered a problem and needed to close." Those seem to pop-up quite often during "idle" time, along with the svchost.exe errors.

Thanks!!!

ComboFix 08-03-09.1 - HP_Administrator 2008-03-09 15:44:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.438 [GMT -6:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\Ipw31.sys
C:\WINDOWS\system32\drivers\symavc32.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_IPW31
-------\Ipw31


((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.

2008-03-09 15:55 . 2008-03-09 15:55 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-09 15:55 . 2008-03-09 15:55 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-09 15:54 . 2008-03-09 15:54 26,496 --a------ C:\WINDOWS\system32\drivers\Tcj86.sys
2008-03-09 15:54 . 2008-03-09 15:54 11,776 --a------ C:\WINDOWS\system32\WLCtrl32.dl_
2008-03-08 21:17 . 2008-03-08 21:17 <DIR> d-------- C:\Program Files\Yahoo! Companion
2008-03-07 15:23 . 2008-03-07 15:23 <DIR> d-------- C:\Program Files\Sun
2008-03-07 15:23 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-04 08:44 . 2008-03-04 08:44 91,904 --a------ C:\WINDOWS\system32\cliconfgg.1
2008-03-03 15:26 . 2008-03-03 15:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-03 15:15 . 2008-03-03 15:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-03 15:15 . 2008-03-03 15:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-03 09:41 . 2008-03-03 09:41 51,968 --a------ C:\WINDOWS\system32\drivers\nkv2.sys
2008-03-02 13:59 . 2008-03-02 13:59 <DIR> d-------- C:\SiteAdvisor
2008-03-02 13:59 . 2008-03-02 13:59 <DIR> d-------- C:\McAfee
2008-03-02 11:51 . 2008-03-02 11:51 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-03-02 11:50 . 2008-03-02 11:57 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-02-29 11:17 . 2008-02-29 11:17 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Yahoo!
2008-02-29 11:14 . 2008-03-09 15:53 8,729 --a------ C:\WINDOWS\system32\Config.MPF
2008-02-29 10:35 . 2008-03-03 13:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-29 10:33 . 2007-07-21 10:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-02-29 10:33 . 2007-07-13 10:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-02-29 10:33 . 2007-07-24 08:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-02-29 10:33 . 2007-07-21 10:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-02-29 10:33 . 2007-07-21 10:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-02-29 10:33 . 2007-07-24 13:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-02-29 10:32 . 2008-02-29 10:33 <DIR> d-------- C:\Program Files\McAfee.com
2008-02-29 10:32 . 2008-02-29 11:52 <DIR> d-------- C:\Program Files\McAfee
2008-02-29 10:32 . 2008-02-29 10:33 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-02-29 10:23 . 2008-02-29 11:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-29 10:11 . 2008-02-29 10:11 108 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-02-28 10:08 . 2008-03-09 08:51 11,776 --a------ C:\WINDOWS\system32\WLCtrl32.dll
2008-02-27 10:47 . 2008-02-27 14:50 <DIR> d-------- C:\Documents and Settings\HP_Administrator\.housecall6.6
2008-02-23 18:08 . 2004-08-04 00:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-23 18:08 . 2004-08-04 00:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-21 09:07 . 2008-02-21 09:07 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-18 14:45 . 2004-08-10 13:00 27,648 --a------ C:\WINDOWS\system32\qprocessu.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 21:23 --------- d-----w C:\Program Files\Java
2008-03-07 19:23 --------- d-----w C:\Program Files\QuickTime
2008-03-07 19:23 --------- d-----w C:\Program Files\iTunes
2008-03-06 04:38 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\OpenOffice.org2
2008-03-03 20:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-03 20:29 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-03 19:13 --------- d--h--r C:\Documents and Settings\HP_Administrator\Application Data\yahoo!
2008-03-03 19:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-03-01 00:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-29 17:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-27 21:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-27 10:05 --------- d-----w C:\Program Files\Windows Live
2008-02-23 23:53 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\LimeWire
2008-02-23 23:03 --------- d-----w C:\Program Files\iPod
2008-02-21 15:22 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
2008-02-20 18:21 --------- d-----w C:\Program Files\Easy Internet signup
2008-02-06 19:05 --------- d-----w C:\Program Files\Common Files\Remote Control USB Driver
2008-02-06 19:05 --------- d-----w C:\Program Files\Common Files\Remote Control Software Shared
2008-02-06 18:44 --------- d-----w C:\Program Files\Logitech
2008-02-04 00:01 --------- d-----w C:\Program Files\Ipswitch
2008-02-04 00:01 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Ipswitch
2008-02-04 00:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ipswitch
2008-02-01 18:11 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
2008-01-31 14:41 33,184 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2008-01-21 16:30 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Move Networks
2008-01-16 15:58 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-01-16 15:57 --------- d-----w C:\Program Files\OpenOffice.org 2.2
2006-01-23 01:54 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2005-05-12 13:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((( snapshot@2008-03-06_11.05.45.88 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-08-05 20:56:34 64,512 ----a-w C:\WINDOWS\ehome\ehtray.exe
+ 2004-08-11 02:04:42 59,392 ----a-w C:\WINDOWS\ehome\ehtray.exe
- 2000-08-31 15:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2000-08-31 14:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
- 2000-08-31 15:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2000-08-31 14:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2000-08-31 15:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 14:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
- 2008-03-06 18:00:46 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-03-09 21:56:39 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-06 18:00:46 229,376 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-09 21:56:39 360,448 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-06 18:01:16 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008030620080307\index.dat
+ 2008-03-07 05:31:20 147,456 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008030620080307\index.dat
+ 2008-03-08 01:47:57 114,688 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008030720080308\index.dat
+ 2008-03-09 03:04:31 98,304 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008030820080309\index.dat
+ 2008-03-09 21:43:26 49,152 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008030920080310\index.dat
- 2008-03-06 18:00:46 49,152 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-09 21:56:39 884,736 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-08-05 20:56:34 64,512 ----a-w C:\WINDOWS\system32\dllcache\ehtray.exe
+ 2004-08-11 02:04:42 59,392 ----a-w C:\WINDOWS\system32\dllcache\ehtray.exe
- 2007-09-25 05:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 08:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-09-25 05:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 08:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-09-25 06:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-02-22 09:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2007-11-12 23:03:14 53,640 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-09 21:51:53 53,640 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-12 23:03:14 382,022 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-09 21:51:53 382,022 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2000-08-31 15:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 14:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-30 10:51 68856]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [ ]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 05:40 218032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 20:04 59392]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [ ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [ ]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2006-12-12 15:45 21464]
"QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-09 18:15 198800]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 15:15:48 462848]
Expedia Fare Alert.lnk - C:\Program Files\Expedia\Expedia Fare Alert\ExpediaFareAlert.exe [2007-02-12 10:15:00 696320]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 02:19:50 217193]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-31 16:32:07 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 07:23:26 282624]
NuvaTime(tm).lnk - C:\Program Files\NuvaTime\NuvaTime(tm).exe [2004-05-17 17:34:30 1051655]
Updates from HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2005-10-10 18:15:27 36903]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2006-10-03 12:04:38 54776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll 2008-03-09 08:51 11776 C:\WINDOWS\system32\WLCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"C:\\Program Files\\Macromedia\\Flash MX\\Flash.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Documents and Settings\\HP_Administrator\\My Documents\\My Music\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader

R0 Tcj86;Tcj86;C:\WINDOWS\system32\Drivers\Tcj86.sys [2008-03-09 15:54]
R2 Belkin 54g Wireless USB Network Adapter Service;Belkin 54g Wireless USB Network Adapter;C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe [2004-03-29 17:08]
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2004-07-16 12:14]
S3 Sharump;Sharump;C:\WINDOWS\system32\drivers\dmload.sys [2004-08-10 13:00]
S3 USB2_04;USB2_04 driver;C:\WINDOWS\system32\drivers\nkv2.sys [2008-03-03 09:41]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]

*Newly Created Service* - TCJ86
.
Contents of the 'Scheduled Tasks' folder
"2008-03-04 05:24:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-09 21:25:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-02-29 16:33:18 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-03-01 08:00:48 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-03-09 07:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 15:56:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\WLCtrl32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Zune\ZuneNss.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
.
**************************************************************************
.
Completion time: 2008-03-09 16:04:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-09 22:04:43
ComboFix2.txt 2008-03-06 18:09:21
.
2008-02-27 10:06:22 --- E O F ---
 
Thanks for the combofix log. The creator of the fix is constantly adding new malware to the fix and I was hoping he added that driver. Please post a new HJT log and tell me about any malware issues.

Thanks
 
Here's the new HJT...

Thanks!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:39:30 PM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NuvaTime\NuvaTime(tm).exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WorkingTimeTracker\WorkingTimeTracker.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fptb-
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QUICKCARE] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Startup: Expedia Fare Alert.lnk = C:\Program Files\Expedia\Expedia Fare Alert\ExpediaFareAlert.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NuvaTime(tm).lnk = C:\Program Files\NuvaTime\NuvaTime(tm).exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171143627703
O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - https://reports.goedustar.com/Repor...127&UICulture=9&ReportStack=1&OpType=PrintCab
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 12017 bytes
 
Please post a new HJT log and tell me about any malware issues.
Click to expand...
I can not see what the computer is doing and depend on you for feedback.


Open notepad and copy/paste the text in the codebox below into it:

Code: 
File::
C:\WINDOWS\SYSTEM32\WLCtrl32.dll
C:\WINDOWS\system32\ikhcore.cfg

Save this as
CFScript

CFScript.gif


Refering to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Please describe any malware issues.

Thanks
 
Last edited:
Hi Phil,

Below are the HJT and combofix reports.

On reboot after running the new scan, I noticed there weren't the normal "Generic Host Process for Win32 Services" errors popping up - good sign???
I did notice however in task manager that there was still an extra iexplore.exe opened by user name: SYSTEM even though I only had one open iexplore window. I ended the process, but it reappeared. I ended it again, and it hasn't started again. Maybe it's nothing?
I'm also still seeing quite a few svchost.exe (12 total right now) running, as well as 3 WLLoginProxy.exe. Again, I don't know if this is fine at this point or not.

Other than that, things are running smooth I think!

Thanks! HJT below, will post combofix separately as it's too much text.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:57 AM, on 3/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CF27170.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NuvaTime\NuvaTime(tm).exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Expedia\Expedia Fare Alert\ExpediaFareAlert.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fptb-
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QUICKCARE] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Startup: Expedia Fare Alert.lnk = C:\Program Files\Expedia\Expedia Fare Alert\ExpediaFareAlert.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NuvaTime(tm).lnk = C:\Program Files\NuvaTime\NuvaTime(tm).exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171143627703
O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - https://reports.goedustar.com/Repor...127&UICulture=9&ReportStack=1&OpType=PrintCab
O20 - Winlogon Notify: WLCtrl32 - WLCtrl32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 11643 bytes
 
ComboFix 08-03-09.1 - HP_Administrator 2008-03-10 10:06:21.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.571 [GMT -6:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\ikhcore.cfg
C:\WINDOWS\SYSTEM32\WLCtrl32.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\drivers\Tcj86.sys
C:\WINDOWS\system32\ikhcore.cfg
C:\WINDOWS\SYSTEM32\WLCtrl32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_TCJ86
-------\Tcj86


((((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))
.

2008-03-10 10:14 . 2008-03-10 10:14 26,496 --a------ C:\WINDOWS\system32\drivers\Nub41.sys
2008-03-10 10:14 . 2008-03-10 10:14 11,776 --a------ C:\WINDOWS\system32\WLCtrl32.dl_
2008-03-09 15:55 . 2008-03-10 10:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-09 15:55 . 2008-03-09 15:55 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-08 21:17 . 2008-03-08 21:17 <DIR> d-------- C:\Program Files\Yahoo! Companion
2008-03-07 15:23 . 2008-03-07 15:23 <DIR> d-------- C:\Program Files\Sun
2008-03-07 15:23 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-04 08:44 . 2008-03-04 08:44 91,904 --a------ C:\WINDOWS\system32\cliconfgg.1
2008-03-03 15:26 . 2008-03-03 15:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-03 15:15 . 2008-03-03 15:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-03 15:15 . 2008-03-03 15:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-03 09:41 . 2008-03-03 09:41 51,968 --a------ C:\WINDOWS\system32\drivers\nkv2.sys
2008-03-02 13:59 . 2008-03-02 13:59 <DIR> d-------- C:\SiteAdvisor
2008-03-02 13:59 . 2008-03-02 13:59 <DIR> d-------- C:\McAfee
2008-03-02 11:51 . 2008-03-02 11:51 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-03-02 11:50 . 2008-03-02 11:57 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-02-29 11:17 . 2008-02-29 11:17 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Yahoo!
2008-02-29 11:14 . 2008-03-10 10:13 8,879 --a------ C:\WINDOWS\system32\Config.MPF
2008-02-29 10:35 . 2008-03-03 13:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-29 10:33 . 2007-07-21 10:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-02-29 10:33 . 2007-07-13 10:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-02-29 10:33 . 2007-07-24 08:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-02-29 10:33 . 2007-07-21 10:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-02-29 10:33 . 2007-07-21 10:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-02-29 10:33 . 2007-07-24 13:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-02-29 10:32 . 2008-02-29 10:33 <DIR> d-------- C:\Program Files\McAfee.com
2008-02-29 10:32 . 2008-02-29 11:52 <DIR> d-------- C:\Program Files\McAfee
2008-02-29 10:32 . 2008-02-29 10:33 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-02-29 10:23 . 2008-02-29 11:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-27 10:47 . 2008-02-27 14:50 <DIR> d-------- C:\Documents and Settings\HP_Administrator\.housecall6.6
2008-02-23 18:08 . 2004-08-04 00:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-23 18:08 . 2004-08-04 00:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-21 09:07 . 2008-02-21 09:07 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-18 14:45 . 2004-08-10 13:00 27,648 --a------ C:\WINDOWS\system32\qprocessu.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 21:23 --------- d-----w C:\Program Files\Java
2008-03-07 19:23 --------- d-----w C:\Program Files\QuickTime
2008-03-07 19:23 --------- d-----w C:\Program Files\iTunes
2008-03-06 04:38 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\OpenOffice.org2
2008-03-03 20:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-03 20:29 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-03 19:13 --------- d--h--r C:\Documents and Settings\HP_Administrator\Application Data\yahoo!
2008-03-03 19:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-03-01 00:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-29 17:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-27 21:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-27 10:05 --------- d-----w C:\Program Files\Windows Live
2008-02-23 23:53 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\LimeWire
2008-02-23 23:03 --------- d-----w C:\Program Files\iPod
2008-02-21 15:22 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
2008-02-20 18:21 --------- d-----w C:\Program Files\Easy Internet signup
2008-02-06 19:05 --------- d-----w C:\Program Files\Common Files\Remote Control USB Driver
2008-02-06 19:05 --------- d-----w C:\Program Files\Common Files\Remote Control Software Shared
2008-02-06 18:44 --------- d-----w C:\Program Files\Logitech
2008-02-04 00:01 --------- d-----w C:\Program Files\Ipswitch
2008-02-04 00:01 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Ipswitch
2008-02-04 00:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ipswitch
2008-02-01 18:11 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
2008-01-31 14:41 33,184 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2008-01-21 16:30 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Move Networks
2008-01-16 15:58 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-01-16 15:57 --------- d-----w C:\Program Files\OpenOffice.org 2.2
2006-01-23 01:54 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((( snapshot_2008-03-09_16.04.27.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-09 21:56:39 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-03-10 16:16:13 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-09 21:56:39 360,448 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-10 16:16:13 393,216 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-10 15:55:17 376,832 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008030320080310\index.dat
+ 2008-03-10 16:16:16 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008031020080311\index.dat
- 2008-03-09 21:56:39 884,736 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-10 16:16:13 933,888 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-03-09 21:51:53 53,640 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-09 21:59:55 53,640 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-09 21:51:53 382,022 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-09 21:59:55 382,022 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-30 10:51 68856]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [ ]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 05:40 218032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 20:04 59392]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [ ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [ ]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2006-12-12 15:45 21464]
"QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-09 18:15 198800]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 15:15:48 462848]
Expedia Fare Alert.lnk - C:\Program Files\Expedia\Expedia Fare Alert\ExpediaFareAlert.exe [2007-02-12 10:15:00 696320]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 02:19:50 217193]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-31 16:32:07 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 07:23:26 282624]
NuvaTime(tm).lnk - C:\Program Files\NuvaTime\NuvaTime(tm).exe [2004-05-17 17:34:30 1051655]
Updates from HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2005-10-10 18:15:27 36903]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2006-10-03 12:04:38 54776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"C:\\Program Files\\Macromedia\\Flash MX\\Flash.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Documents and Settings\\HP_Administrator\\My Documents\\My Music\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader

R0 Nub41;Nub41;C:\WINDOWS\system32\Drivers\Nub41.sys [2008-03-10 10:14]
R2 Belkin 54g Wireless USB Network Adapter Service;Belkin 54g Wireless USB Network Adapter;C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe [2004-03-29 17:08]
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2004-07-16 12:14]
S3 Sharump;Sharump;C:\WINDOWS\system32\drivers\dmload.sys [2004-08-10 13:00]
S3 USB2_04;USB2_04 driver;C:\WINDOWS\system32\drivers\nkv2.sys [2008-03-03 09:41]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]
S4 Innasoc;Innasoc;C:\WINDOWS\system32\drivers\atmlane.sys [2004-08-10 13:00]

*Newly Created Service* - NUB41
.
Contents of the 'Scheduled Tasks' folder
"2008-03-04 05:24:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-10 15:25:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-02-29 16:33:18 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-03-01 08:00:48 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-03-10 06:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-10 10:14:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\WLCtrl32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Zune\ZuneNss.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2008-03-10 10:21:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-10 16:21:33
ComboFix2.txt 2008-03-09 22:04:48
ComboFix3.txt 2008-03-06 18:09:21
.
2008-02-27 10:06:22 --- E O F ---
 
Thanks for returning your information and the feedback. Do you know what this is? C:\WINDOWS\system32\CF27170.exe
First time I remember seeing it in a log and Google knows nothing about it. Scan it here if you do not know.
http://virusscan.jotti.org/ and we will remove it unless you find out it is not malware.

iexplore.exe: it may be the item I just pointed to, when you look in Task Manager and see this, click on the Applications Tab and see if you can see any strange application that is running.

svchost.exe: http://support.microsoft.com/kb/314056
Multiple svchost.exe's wiull run as they are needed to hosts services you are using.
To view the list of services that are running in Svchost: 1. Click Start on the Windows taskbar, and then click Run.
2. In the Open box, type CMD, and then press ENTER.
3. Type Tasklist /SVC, and then press ENTER.
Looks for anything you know should not be running.

http://www.processlibrary.com/directory/files/wlloginproxy

What I would like to do now is remove the item above (if you find it bad) and the entry for the 020 item that gave us trouble.
Then I would like to look at a new Kaspersky Online Scsan result...use the setting I provide.

1) Make files and folders are visible.

2) Follow these instructions: http://www.bleepingcomputer.com/tutorials/tutorial42.html#HTProcessManager
Locate and Kill Process on this item: C:\WINDOWS\system32\CF27170.exe

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O20 - Winlogon Notify: WLCtrl32 - WLCtrl32.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\WINDOWS\system32\CF27170.exe <<< delete that file (let me know if it deletes OK)

Run CleanManager: http://spyware-free.us/tutorials/cleanmgr/

Restart the computer and run the Kaspersky online scan:
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here with a new HJT log and your comments.

Thanks...Phil
 
Hi Phil,

I couldn't find CF27170.EXE in the windows directory, or through HijackThis's process manager. I had a couple of reboots since our last posts, so maybe something caught it?
What I did find was this by searching: C:\WINDOWS\Prefetch\CF27170.EXE-0341BB9B.pf . I went ahead and ran the scan on it, but it was clean.

I started to follow your HijackThis "fix" instructions, but only saw this line:
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll

Not this:
O20 - Winlogon Notify: WLCtrl32 - WLCtrl32.dll (file missing)

I wasn't sure if I should still choose to "fix" it.

Please let me know how I should proceed. I did notice in task manager, that I know only have iexplore.exe processes running for the actual windows I have open, although that was not the case before my last reboot last night.

Maybe we got it?
 
Oh, here is the HJT log - without any fixes done:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:07 PM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Zune\ZuneNss.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NuvaTime\NuvaTime(tm).exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Expedia\Expedia Fare Alert\ExpediaFareAlert.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Qwest\QuickCare\agentui\quickcare.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fptb-
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {EB4BC08D-8B72-485C-89B2-02355B8DF6A2} - C:\WINDOWS\system32\cliconfgg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QUICKCARE] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Startup: Expedia Fare Alert.lnk = C:\Program Files\Expedia\Expedia Fare Alert\ExpediaFareAlert.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NuvaTime(tm).lnk = C:\Program Files\NuvaTime\NuvaTime(tm).exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.blizzard.com
O15 - Trusted Zone: *.blizzard.net
O15 - Trusted Zone: http://www.fertilityfriend.com
O15 - Trusted Zone: *.worldofwarcraft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171143627703
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)

--
End of file - 12665 bytes
 
This infection has returned, I do not know if we will be able to clean this one. Once again, I suggest reformatting the computer, you will not be able to consider this computer secure again.

1) can you assure me this is a valid program, I have been assuming it was:
C:\Program Files\NuvaTime\NuvaTime(tm).exe
O4 - Global Startup: NuvaTime(tm).lnk = C:\Program Files\NuvaTime\NuvaTime(tm).exe

2) Open notepad and copy/paste the text in the codebox below into it:

Code: 
File::
C:\WINDOWS\system32\cliconfgg.dll
C:\WINDOWS\SYSTEM32\WLCtrl32.dll

Save this as
CFScript

CFScript.gif


Refering to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {EB4BC08D-8B72-485C-89B2-02355B8DF6A2} - C:\WINDOWS\system32\cliconfgg.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Restart and post the combofix report and a new HJT log.

Thanks
 
Hi there,

These did not appear in HijackThis after combofix rebooted:
O2 - BHO: (no name) - {EB4BC08D-8B72-485C-89B2-02355B8DF6A2} - C:\WINDOWS\system32\cliconfgg.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll

But this was, so I "fixed" it:
O20 - Winlogon Notify: WLCtrl32 - WLCtrl32.dll (file missing)

Below is the HJT log, and I'll post the combofix log separately

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:44 AM, on 3/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NuvaTime\NuvaTime(tm).exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Expedia\Expedia Fare Alert\ExpediaFareAlert.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fptb-
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QUICKCARE] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Startup: Expedia Fare Alert.lnk = C:\Program Files\Expedia\Expedia Fare Alert\ExpediaFareAlert.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NuvaTime(tm).lnk = C:\Program Files\NuvaTime\NuvaTime(tm).exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171143627703
O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - https://reports.goedustar.com/Repor...127&UICulture=9&ReportStack=1&OpType=PrintCab
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 11549 bytes
 
ComboFix 08-03-09.1 - HP_Administrator 2008-03-11 11:19:32.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.533 [GMT -6:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\cliconfgg.dll
C:\WINDOWS\SYSTEM32\WLCtrl32.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\Nub41.sys
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\SYSTEM32\WLCtrl32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_NUB41
-------\Nub41


((((((((((((((((((((((((( Files Created from 2008-02-11 to 2008-03-11 )))))))))))))))))))))))))))))))
.

2008-03-11 11:27 . 2008-03-11 11:27 26,496 --a------ C:\WINDOWS\system32\drivers\Pyf31.sys
2008-03-11 11:27 . 2008-03-11 11:27 11,776 --a------ C:\WINDOWS\system32\WLCtrl32.dl_
2008-03-09 15:55 . 2008-03-11 11:29 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-09 15:55 . 2008-03-09 15:55 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-08 21:17 . 2008-03-08 21:17 <DIR> d-------- C:\Program Files\Yahoo! Companion
2008-03-07 15:23 . 2008-03-07 15:23 <DIR> d-------- C:\Program Files\Sun
2008-03-07 15:23 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-04 08:44 . 2008-03-04 08:44 91,904 --a------ C:\WINDOWS\system32\cliconfgg.1
2008-03-03 15:26 . 2008-03-03 15:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-03 15:15 . 2008-03-03 15:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-03 15:15 . 2008-03-03 15:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-03 09:41 . 2008-03-10 18:21 56,576 --a------ C:\WINDOWS\system32\drivers\nkv2.sys
2008-03-02 13:59 . 2008-03-02 13:59 <DIR> d-------- C:\SiteAdvisor
2008-03-02 13:59 . 2008-03-02 13:59 <DIR> d-------- C:\McAfee
2008-03-02 11:51 . 2008-03-02 11:51 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-03-02 11:50 . 2008-03-02 11:57 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-02-29 11:17 . 2008-02-29 11:17 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Yahoo!
2008-02-29 11:14 . 2008-03-11 11:27 9,135 --a------ C:\WINDOWS\system32\Config.MPF
2008-02-29 10:35 . 2008-03-03 13:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-29 10:33 . 2007-07-21 10:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-02-29 10:33 . 2007-07-13 10:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-02-29 10:33 . 2007-07-24 08:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-02-29 10:33 . 2007-07-21 10:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-02-29 10:33 . 2007-07-21 10:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-02-29 10:33 . 2007-07-24 13:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-02-29 10:32 . 2008-02-29 10:33 <DIR> d-------- C:\Program Files\McAfee.com
2008-02-29 10:32 . 2008-02-29 11:52 <DIR> d-------- C:\Program Files\McAfee
2008-02-29 10:32 . 2008-02-29 10:33 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-02-29 10:23 . 2008-02-29 11:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-27 10:47 . 2008-02-27 14:50 <DIR> d-------- C:\Documents and Settings\HP_Administrator\.housecall6.6
2008-02-23 18:08 . 2004-08-04 00:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-23 18:08 . 2004-08-04 00:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-21 09:07 . 2008-02-21 09:07 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-18 14:45 . 2004-08-10 13:00 27,648 --a------ C:\WINDOWS\system32\qprocessu.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-11 01:54 33,384 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2008-03-11 00:56 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\LimeWire
2008-03-10 21:35 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\OpenOffice.org2
2008-03-07 21:23 --------- d-----w C:\Program Files\Java
2008-03-07 19:23 --------- d-----w C:\Program Files\QuickTime
2008-03-07 19:23 --------- d-----w C:\Program Files\iTunes
2008-03-03 20:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-03 20:29 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-03 19:13 --------- d--h--r C:\Documents and Settings\HP_Administrator\Application Data\yahoo!
2008-03-03 19:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-03-01 00:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-29 17:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-27 21:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-27 10:05 --------- d-----w C:\Program Files\Windows Live
2008-02-23 23:03 --------- d-----w C:\Program Files\iPod
2008-02-21 15:22 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
2008-02-20 18:21 --------- d-----w C:\Program Files\Easy Internet signup
2008-02-06 19:05 --------- d-----w C:\Program Files\Common Files\Remote Control USB Driver
2008-02-06 19:05 --------- d-----w C:\Program Files\Common Files\Remote Control Software Shared
2008-02-06 18:44 --------- d-----w C:\Program Files\Logitech
2008-02-04 00:01 --------- d-----w C:\Program Files\Ipswitch
2008-02-04 00:01 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Ipswitch
2008-02-04 00:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ipswitch
2008-02-01 18:11 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
2008-01-21 16:30 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Move Networks
2008-01-16 15:58 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-01-16 15:57 --------- d-----w C:\Program Files\OpenOffice.org 2.2
2006-01-23 01:54 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((( snapshot_2008-03-09_16.04.27.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-09 21:56:39 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-03-11 17:29:41 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-09 21:56:39 360,448 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-11 17:29:41 557,056 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-10 15:55:17 376,832 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008030320080310\index.dat
+ 2008-03-11 05:56:36 131,072 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008031020080311\index.dat
+ 2008-03-11 17:29:42 65,536 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008031120080312\index.dat
- 2008-03-09 21:56:39 884,736 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-11 17:29:41 1,605,632 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-03-09 21:51:53 53,640 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-09 21:59:55 53,640 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-09 21:51:53 382,022 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-09 21:59:55 382,022 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-30 10:51 68856]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [ ]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 05:40 218032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 20:04 59392]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [ ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [ ]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2006-12-12 15:45 21464]
"QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-09 18:15 198800]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 15:15:48 462848]
Expedia Fare Alert.lnk - C:\Program Files\Expedia\Expedia Fare Alert\ExpediaFareAlert.exe [2007-02-12 10:15:00 696320]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 02:19:50 217193]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-31 16:32:07 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 07:23:26 282624]
NuvaTime(tm).lnk - C:\Program Files\NuvaTime\NuvaTime(tm).exe [2004-05-17 17:34:30 1051655]
Updates from HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2005-10-10 18:15:27 36903]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2006-10-03 12:04:38 54776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"C:\\Program Files\\Macromedia\\Flash MX\\Flash.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Documents and Settings\\HP_Administrator\\My Documents\\My Music\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader

R0 Pyf31;Pyf31;C:\WINDOWS\system32\Drivers\Pyf31.sys [2008-03-11 11:27]
R2 Belkin 54g Wireless USB Network Adapter Service;Belkin 54g Wireless USB Network Adapter;C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe [2004-03-29 17:08]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2004-07-16 12:14]
S3 Sharump;Sharump;C:\WINDOWS\system32\drivers\dmload.sys [2004-08-10 13:00]
S3 USB2_04;USB2_04 driver;C:\WINDOWS\system32\drivers\nkv2.sys [2008-03-10 18:21]

*Newly Created Service* - GTNDIS5
*Newly Created Service* - PYF31
.
Contents of the 'Scheduled Tasks' folder
"2008-03-11 04:24:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-11 17:25:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-02-29 16:33:18 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-03-01 08:00:48 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-03-11 06:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-11 11:28:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\WLCtrl32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Zune\ZuneNss.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
.
**************************************************************************
.
Completion time: 2008-03-11 11:33:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-11 17:33:52
ComboFix2.txt 2008-03-10 16:21:38
ComboFix3.txt 2008-03-09 22:04:48
ComboFix4.txt 2008-03-06 18:09:21
.
2008-02-27 10:06:22 --- E O F ---
 
Oh! NuvaTime is a legitimate program, although I no longer require it, but have been unable to remove it through it's uninstall - it doesn't appear in my control panel, so I can't remove it there either.

Thanks!
 
This log looks to have been run after combofix:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:44 AM, on 3/11/2008

ComboFix 08-03-09.1 - HP_Administrator 2008-03-11 11:19:32.4

and even though it shows combofix deleted the file, this is in the HJT log:
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll

could you try to remove it with HJT again, then restart and let me know what happens.

Thanks
 
I ran under "scan only" and clicked "fix" next to that line 20. This is the HJT log from after rebooting.
 
Last edited by a moderator:
Please post the complete HJT log. I don't need to see the part you posted again?
 
Status
Not open for further replies.
Back
Top