[Resolved] XP Security Center message "to pervent data loss&

Computer forums for help with removing malicious software (malware) and improving computer security

Welcome Guest to What the Tech! ( Log In | Register ) We specialize in the removal of malicious software (malware), but here you'll find free help and support for all your tech questions. We invite you to ask questions, share experiences, and learn. Explore our message boards, or register now to post messages of your own. Please Start Here. Register today (registration removes advertising)

What the Tech > Spyware / Malware / Virus Removal > HijackThis™ Logs and Infections Removal

2 Pages

1 2 >

[Resolved] XP Security Center message "to pervent data loss&, Can't run HijackThis or SuperAntiSpyware

Options

Sophie Miller View Member Profile	Jul 24 2008, 06:46 AM Post #1
New Member Group: New Member Posts: 9 Joined: 24-July 08 Member No.: 80,473 Operating System: XP Professional	Received an e-mail last night disguised as from UPS saying a package couldn't be delivered and review invoice for details. I open the .zip, then thought it was a .pdf, but it was an .exe (realized this after running it). Am now getting the bogus message "Your computer is infected! ... It is recomended to use special antispyware tools to pervent data loss". I actually ran the diagnostic tool prior to realizing it was itself a virus. I looked thru a couple WhatTheTech logs and thought I'd try and run SuperAntiSpyware (would not run) and then tried to install and run HijackThis to get a log, but it did install, but would not run. I do have McAfee Security Center 8.1.173, but it appears to have disabled it and it can't be auto-fixed - says the McAfee Real-time Scanner Service can't be started. I also tried uninstalling and re-installing McAfee, but same result - this service can't be started. I did run the McAfee scan utility and it removed/quarantined several items, but I am still getting the constant message "Your computer is infected!" virus message. I don't quite know where to go from here... Please help...

Scotty View Member Profile	Jul 24 2008, 01:50 PM Post #2
Always Happy Group: Malware Team Posts: 3,782 Joined: 9-December 06 From: Haggistown, Kiltland Member No.: 65,226 Operating System: XP Pro Ubuntu 8.04	Did you fully install HijackThis from trend Micro/ If so, these instruction should work for you.. Rename HijackThis There is a possibility an infection which is hiding part of the HijackThis log because it's called hijackthis.exe. Using Windows Explore by right-clicking the Start button and left clicking Explore navigate to: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe Right-click on HijackThis.exe & select Rename to iseeu.com and post back a new Hijackthis log.

Sophie Miller View Member Profile	Jul 24 2008, 02:13 PM Post #3
New Member Group: New Member Posts: 9 Joined: 24-July 08 Member No.: 80,473 Operating System: XP Professional	Great - I renamed the "hijackthis.exe" to "iseeu.com" and ran it w/ no problems - thanks for the suggestion - log is attached. In the mean time, I had done some additional research and decided to give "Spyware Doctor" a try - it seems to have gotten rid of many other issues (like the perpetual "Reported Insecure Browsing: Navigation Blocked" in IE, but the red circle wiht the white "x" in the system tray is still trying to get me to install the "XP SecurityCenter" software. My McAfee service called "McAfee Real-time Scanner Service" still will not start with error "1053 Service did not respond to the start or control request in a timely fashion". I had also tried running a couple other scanning tools and the results are also attached, but I don't know if they give any additional information. Thanks for your time - Sophie Miller Attached File(s) hijackthis.txt ( 12.54K ) Number of downloads: 10 rapport.txt ( 2.17K ) Number of downloads: 2 smitfiles.txt ( 6.16K ) Number of downloads: 2

Sophie Miller View Member Profile	Jul 24 2008, 06:45 PM Post #4
New Member Group: New Member Posts: 9 Joined: 24-July 08 Member No.: 80,473 Operating System: XP Professional	Just read that we are not to attach the log file, to paste in the log, Here is the HiJackThis log. Thanks in advance for your help. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 16:03:54, on 7/24/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe C:\Program Files\Norton Ghost\Agent\GhostTray.exe C:\Program Files\Philips\Auto Run Software for Photo Frame\PhotoManager.exe C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe C:\Program Files\Logitech\QuickCam10\QuickCam10.exe C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\McAfee.com\Agent\mcagent.exe C:\Program Files\SiteAdvisor\6172\SiteAdv.exe C:\Program Files\Spyware Doctor\pctsTray.exe C:\Program Files\Messenger\MSMSGS.EXE C:\PROGRA~1\MICROS~3\wcescomm.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SightSpeed\SightSpeed.exe C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\CreataCard\Plus\FMRemind.exe C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe C:\PROGRA~1\MICROS~3\rapimgr.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\WINDOWS\System32\GEARSec.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\Program Files\Norton Ghost\Agent\VProSvc.exe C:\WINDOWS\System32\nvsvc32.exe C:\oracle\ora92\bin\omtsreco.exe C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe C:\oracle\ora92\bin\agntsrvc.exe C:\oracle\ora92\Apache\Apache\apache.exe C:\WINDOWS\system32\cmd.exe C:\oracle\ora92\bin\dbsnmp.exe C:\oracle\ora92\BIN\TNSLSNR.exe C:\Program Files\Spyware Doctor\pctsAuxs.exe C:\Program Files\Spyware Doctor\pctsSvc.exe C:\oracle\ora92\Apache\Apache\apache.exe C:\oracle\ora92\jdk\bin\java.exe C:\oracle\ora92\jdk\bin\java.exe c:\oracle\ora92\bin\isqlplus C:\Program Files\SiteAdvisor\6172\SAService.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\WINDOWS\System32\alg.exe c:\PROGRA~1\mcafee\msc\mcuimgr.exe C:\Program Files\Spyware Doctor\pctsGui.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\Administrator\Desktop\iseeu.com C:\WINDOWS\System32\wbem\wmiprvse.exe F2 - REG:system.ini: UserInit=userinit.exe O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [HPWNTOOLBOX] C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe "-i" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [Auto Run Software for Photo Frame] "C:\Program Files\Philips\Auto Run Software for Photo Frame\PhotoManager.exe" /autorun O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe" O4 - HKLM\..\Run: [buritos] buritos.exe O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SightSpeed] C:\Program Files\SightSpeed\SightSpeed.exe -minimized O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe O4 - Global Startup: CreataCard Plus 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Plus\FMRemind.exe O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://.mcafee.com O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O20 - AppInit_DLLs: cru629.dat O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe O23 - Service: OracleServiceALTANA - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServiceDEMO - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServiceGPC - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServiceHHEALTH - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServiceIVAX - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServiceORADMIN - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServicePRON401A - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServicePROTDES - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServiceQUATRX - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServiceSRS1 - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServiceSRSTST4A - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServiceSRSTST4B - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServiceSRSTST4T - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServiceVOYAGER - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- End of file - 12835 bytes Here is the rapport.txt output: SmitFraudFix v2.331 Scan done at 12:40:37.23, Thu 07/24/2008 Run from C:\blaise\VirusProblem\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» hosts 127.0.0.1 localhost »»»»»»»»»»»»»»»»»»»»»»»» VACFix VACFix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix S!Ri's WS2Fix: LSP not Found. »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files »»»»»»»»»»»»»»»»»»»»»»»» IEDFix IEDFix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» 404Fix 404Fix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» DNS HKLM\SYSTEM\CCS\Services\Tcpip\..\{064D0C29-D4C5-439F-B7B3-C8B6EE6D84B9}: DhcpNameServer=205.152.37.23 205.152.144.23 HKLM\SYSTEM\CS1\Services\Tcpip\..\{064D0C29-D4C5-439F-B7B3-C8B6EE6D84B9}: DhcpNameServer=205.152.37.23 205.152.144.23 HKLM\SYSTEM\CS3\Services\Tcpip\..\{064D0C29-D4C5-439F-B7B3-C8B6EE6D84B9}: DhcpNameServer=205.152.37.23 205.152.144.23 HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=205.152.37.23 205.152.144.23 HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=205.152.37.23 205.152.144.23 HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=205.152.37.23 205.152.144.23 »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End Here is the smitfiles.txt output: smitRem © log file version 3.2 by noahdfear Microsoft Windows XP [Version 5.1.2600] "IE"="7.0000" The current date is: Thu 07/24/2008 The current time is: 10:47:55.75 Running from C:\Documents and Settings\Administrator\Desktop\smitRem ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Pre-run SharedTask Export (GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler) Copyright© 2006 BleepingComputer.com Registry Pseudo-Format Mode (Not a valid reg file): [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32] @="%SystemRoot%\System32\browseui.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32] @="%SystemRoot%\System32\browseui.dll" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Appinitdll check ........ Thank you Grinler! dumphive.exe ©2000-2004 Markus Stephany REGEDIT4 [Windows] "AppInit_DLLs"="cru629.dat" "DeviceNotSelectedTimeout"="15" "GDIProcessHandleQuota"=dword:00002710 "Spooler"="yes" "swapdisk"="" "TransmissionRetryTimeout"="90" "USERProcessHandleQuota"=dword:00002710 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ XP Firewall allowed access Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Hewlett-Packard\\hp business inkjet 1200 series\\Toolbox\\HPWNTBX.exe"="C:\\Program Files\\Hewlett-Packard\\hp business inkjet 1200 series\\Toolbox\\HPWNTBX.exe::Disabled:Toolbox for HP Printing System for Windows" "C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"="C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe::Enabled:Secure Application Manager Proxy" "C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager" "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager" "C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\Intuit\\QuickBooks Basic\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks Basic\\QBDBMgrN.exe::Enabled:QuickBooks 2007 Data Manager" "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe::Enabled:Logitech Desktop Messenger" "C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe::Enabled:Skype" "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe::Enabled:McAfee Network Agent" "C:\\Program Files\\SightSpeed\\SightSpeed.exe"="C:\\Program Files\\SightSpeed\\SightSpeed.exe::Enabled:SightSpeed" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ checking for ShudderLTD key ShudderLTD key not present! checking for PSGuard.com key PSGuard.com key not present! checking for WinHound.com key WinHound.com key not present! checking for drsmartload2 key drsmartload2 key not present! spyaxe uninstaller NOT present Winhound uninstaller NOT present SpywareStrike uninstaller NOT present AlfaCleaner uninstaller NOT present SpyFalcon uninstaller NOT present SpywareQuake uninstaller NOT present SpywareSheriff uninstaller NOT present Trust Cleaner uninstaller NOT present SpyHeal uninstaller NOT present VirusBurst uninstaller NOT present BraveSentry uninstaller NOT present AntiVermins uninstaller NOT present VirusBursters uninstaller NOT present ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Existing Pre-run Files ~~~ Program Files ~~~ ~~~ Shortcuts ~~~ ~~~ Favorites ~~~ ~~~ system32 folder ~~~ amcompat.tlb nscompat.tlb logfiles ~~~ Icons in System32 ~~~ ~~~ Windows directory ~~~ ~~~ Drive root ~~~ ~~~ Miscellaneous Files/folders ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright© 2002-2003 Craig.Peacock@beyondlogic.org Killing PID 880 'explorer.exe' Starting registry repairs Registry repairs complete ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SharedTask Export after registry fix (GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler) Copyright© 2006 BleepingComputer.com Registry Pseudo-Format Mode (Not a valid reg file): [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32] @="%SystemRoot%\System32\browseui.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32] @="%SystemRoot%\System32\browseui.dll" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Deleting files ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Remaining Post-run Files ~~~ Program Files ~~~ ~~~ Shortcuts ~~~ ~~~ Favorites ~~~ ~~~ system32 folder ~~~ ~~~ Icons in System32 ~~~ ~~~ Windows directory ~~~ ~~~ Drive root ~~~ ~~~ Miscellaneous Files/folders ~~~ ~~~ Wininet.dll ~~~ CLEAN!

Scotty View Member Profile	Jul 25 2008, 04:18 AM Post #5
Always Happy Group: Malware Team Posts: 3,782 Joined: 9-December 06 From: Haggistown, Kiltland Member No.: 65,226 Operating System: XP Pro Ubuntu 8.04	Hi Ok, running tools and scans without my knowledge just makes my job more difficult. We arent finished yet, though. If you already have Combofix, please delete this copy and download it again as it's being updated regularly. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Once Recovery Console is installed, you should see a blue screen prompt like the one below: Click Yes to allow Combofix to continue scanning for malware. When done, a log will be produced. Please post that log and a new HijackThis log in your next reply. 1.Do not mouse-click Combofix's window while it is running. That may cause it to stall. 2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser. 3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper. 4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine. In your next reply post: ComboFix.txt New HijackThis log taken after the above scan has run

Sophie Miller View Member Profile	Jul 29 2008, 01:22 PM Post #6
New Member Group: New Member Posts: 9 Joined: 24-July 08 Member No.: 80,473 Operating System: XP Professional	Scotty - The ComboFix seems to have helped tremendously - the red circle with the white "X" is gone from my system tray and the pop-ups saying that I am infected seem also to be gone. Norton Ghost and McAfee seem to be running correctly again. I have attached the ComboFix log and a new HiJackThis log below. The virus would not allow me to run the ComboFix.exe - I had to rename it (called it 12345.exe) and that let it run. Am now running a full SpyDoctor scan and will then run a full McAfee scan. Please let me know if there is anything further that needs done based on the below logs. I really appreciate your help and things seem to be looking up :notworthy. Sophie Miller >>>>>>>>>>>>>>>>>>>>> Start of ComboFix Log: ComboFix 08-07-28.1 - Administrator 2008-07-29 14:28:36.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.482 [GMT -4:00] Running from: C:\Documents and Settings\Administrator\Desktop\12345.exe Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\dllcache\beep.sys C:\WINDOWS\system32\drivers\beep.sys C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\edot.db C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\gytanob.dll C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\idaga.inf C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\vatydokyzy._dl C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\vupohejax.exe C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat C:\WINDOWS\buritos.exe C:\WINDOWS\karina.dat C:\WINDOWS\system32\DelSelf.bat C:\WINDOWS\system32\drivers\Nsw72.sys C:\WINDOWS\system32\karina.dat C:\WINDOWS\system32\winivstr.exe ----- BITS: Possible infected sites ----- http://www.spiralfrog.com . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_NSW72 -------\Service_Nsw72 ((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-29 ))))))))))))))))))))))))))))))) . 2008-07-24 15:50 . 2008-07-24 15:50 9,216 --a------ C:\WINDOWS\old buritos.exexxxxx 2008-07-24 14:59 . 2008-07-24 14:59 9,216 --a------ C:\WINDOWS\system32\old_buritos.exeddd 2008-07-24 13:21 . 2008-07-29 14:46 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-07-24 13:20 . 2008-07-29 01:09 <DIR> d-------- C:\Program Files\Spyware Doctor 2008-07-24 13:20 . 2008-07-24 13:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools 2008-07-24 13:20 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys 2008-07-24 13:20 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys 2008-07-24 13:20 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys 2008-07-24 13:20 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys 2008-07-24 12:31 . 2008-07-24 12:40 3,954 --a------ C:\WINDOWS\system32\tmp.reg 2008-07-24 12:30 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe 2008-07-24 12:30 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2008-07-24 12:30 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe 2008-07-24 12:30 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe 2008-07-24 12:30 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe 2008-07-24 12:30 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe 2008-07-24 12:30 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe 2008-07-24 12:30 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe 2008-07-24 12:30 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe 2008-07-24 10:29 . 2008-07-24 10:29 18,216 --a------ C:\Program Files\Common Files\luzeti.pif 2008-07-24 10:29 . 2008-07-24 10:29 16,743 --a------ C:\WINDOWS\uvycikiw.com 2008-07-24 10:29 . 2008-07-24 10:29 16,555 --a------ C:\Program Files\Common Files\qonan.reg 2008-07-24 10:29 . 2008-07-24 10:29 16,546 --a------ C:\Program Files\Common Files\rijym.reg 2008-07-24 10:29 . 2008-07-24 10:29 15,663 --a------ C:\WINDOWS\oxebotet.dll 2008-07-24 10:29 . 2008-07-24 10:29 14,438 --a------ C:\WINDOWS\xudysymexa._sy 2008-07-24 10:29 . 2008-07-24 10:29 13,641 --a------ C:\WINDOWS\uhipetato._dl 2008-07-24 10:29 . 2008-07-24 10:29 12,021 --a------ C:\WINDOWS\hyfakyda._sy 2008-07-24 10:29 . 2008-07-24 10:29 10,229 --a------ C:\WINDOWS\telywaf.ban 2008-07-24 10:29 . 2008-07-24 10:29 10,074 --a------ C:\WINDOWS\reqy.ban 2008-07-24 09:18 . 2008-07-24 09:18 19,891 --a------ C:\Documents and Settings\Administrator\Application Data\nozi.com 2008-07-24 09:18 . 2008-07-24 09:18 17,261 --a------ C:\Documents and Settings\Administrator\Application Data\pifageme.bat 2008-07-24 09:18 . 2008-07-24 09:18 17,193 --a------ C:\WINDOWS\system32\ibem.pif 2008-07-24 09:18 . 2008-07-24 09:18 16,844 --a------ C:\Documents and Settings\All Users\Application Data\ylumybeco.dat 2008-07-24 09:18 . 2008-07-24 09:18 16,146 --a------ C:\Documents and Settings\All Users\Application Data\icic.pif 2008-07-24 09:18 . 2008-07-24 09:18 15,998 --a------ C:\WINDOWS\kamy._sy 2008-07-24 09:18 . 2008-07-24 09:18 15,706 --a------ C:\WINDOWS\mejy.pif 2008-07-24 09:18 . 2008-07-24 09:18 14,070 --a------ C:\WINDOWS\ylig._dl 2008-07-24 09:18 . 2008-07-24 09:18 13,969 --a------ C:\WINDOWS\ijugoripuc.bin 2008-07-24 09:18 . 2008-07-24 09:18 13,000 --a------ C:\Documents and Settings\All Users\Application Data\amuluzico.exe 2008-07-24 09:18 . 2008-07-24 09:18 12,967 --a------ C:\WINDOWS\system32\taji.dll 2008-07-24 09:18 . 2008-07-24 09:18 12,290 --a------ C:\WINDOWS\ujyhyve.exe 2008-07-24 09:18 . 2008-07-24 09:18 11,268 --a------ C:\Documents and Settings\All Users\Application Data\ehyf.vbs 2008-07-24 09:18 . 2008-07-24 09:18 11,219 --a------ C:\Documents and Settings\Administrator\Application Data\zypowanud.com 2008-07-24 09:18 . 2008-07-24 09:18 11,054 --a------ C:\Program Files\Common Files\abyl.pif 2008-07-24 09:18 . 2008-07-24 09:18 10,379 --a------ C:\WINDOWS\omizav.db 2008-07-24 07:19 . 2008-07-24 07:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee 2008-07-23 21:12 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl 2008-07-23 20:53 . 2008-07-29 14:43 12,499 --a------ C:\WINDOWS\system32\Config.MPF 2008-07-23 20:47 . 2008-07-23 20:47 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor 2008-07-23 20:42 . 2008-07-27 22:11 <DIR> d-------- C:\Program Files\SiteAdvisor 2008-07-23 20:42 . 2008-07-23 20:42 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor 2008-07-23 20:42 . 2008-07-27 19:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SiteAdvisor 2008-07-23 20:40 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys 2008-07-23 20:40 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys 2008-07-23 20:40 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys 2008-07-23 20:40 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys 2008-07-23 20:40 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys 2008-07-23 20:40 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys 2008-07-23 20:39 . 2008-07-23 20:39 <DIR> d-------- C:\Program Files\McAfee.com 2008-07-23 20:39 . 2008-07-23 20:40 <DIR> d-------- C:\Program Files\Common Files\McAfee 2008-07-23 18:58 . 2008-07-23 18:58 17,715 --a------ C:\Documents and Settings\All Users\Application Data\awubal.scr 2008-07-23 18:58 . 2008-07-23 18:58 16,274 --a------ C:\WINDOWS\system32\yselumur.bin 2008-07-23 18:58 . 2008-07-23 18:58 14,991 --a------ C:\Program Files\Common Files\dufe.dat 2008-07-23 18:58 . 2008-07-23 18:58 14,333 --a------ C:\Documents and Settings\All Users\Application Data\ecubag.pif 2008-07-23 18:58 . 2008-07-23 18:58 13,805 --a------ C:\WINDOWS\system32\kobux.exe 2008-07-23 18:58 . 2008-07-23 18:58 12,719 --a------ C:\Program Files\Common Files\ycyze.bin 2008-07-23 18:58 . 2008-07-23 18:58 12,497 --a------ C:\WINDOWS\govefi.exe 2008-07-23 18:58 . 2008-07-23 18:58 11,723 --a------ C:\Documents and Settings\All Users\Application Data\elojugiju.reg 2008-07-23 18:58 . 2008-07-23 18:58 10,423 --a------ C:\WINDOWS\ujesar.bin 2008-07-23 18:58 . 2008-07-23 18:58 10,390 --a------ C:\Documents and Settings\All Users\Application Data\dyvivajoga.dll 2008-07-18 13:33 . 2008-07-18 13:33 <DIR> d-------- C:\Documents and Settings\Administrator\.jnlp-applet 2008-07-18 13:25 . 2008-07-18 13:25 <DIR> d-------- C:\WINDOWS\Sun 2008-07-18 13:24 . 2008-07-23 21:12 <DIR> d-------- C:\Program Files\Java 2008-07-18 13:23 . 2008-07-18 13:23 <DIR> d-------- C:\Program Files\Common Files\Java 2008-07-10 23:11 . 2008-07-10 23:11 5,162,202 --a------ C:\Deidra Poucher presentation 6 FINAL.zip 2008-07-10 23:06 . 2008-07-10 23:06 5,413,888 --a------ C:\Deidra Poucher presentation 6 FINAL.ppt 2008-07-09 19:14 . 2008-07-09 22:53 1,252,864 --a------ C:\Dina Miller presentation 4 PRESENTATION FINAL VERSION.ppt 2008-07-09 19:05 . 2008-07-09 19:05 1,673,944 --a------ C:\Chuck Crumpton presentation 7.zip 2008-07-09 19:04 . 2008-07-09 19:04 3,768,899 --a------ C:\Deidre Poucher presentation 6.zip 2008-07-09 19:04 . 2008-07-09 19:04 256,144 --a------ C:\Jack Rogers presentation 3.zip 2008-07-09 19:04 . 2008-07-09 19:04 148,742 --a------ C:\Alan Minsk presentation 1.zip 2008-07-09 19:04 . 2008-07-09 19:04 135,776 --a------ C:\Lisa Peacock presentation 2.zip 2008-07-09 19:04 . 2008-07-09 19:04 118,091 --a------ C:\Josh Boutwell presentation 8.zip 2008-07-09 19:03 . 2008-07-09 19:03 386,805 --a------ C:\Dina Miller presentation 4 handouts.zip 2008-07-09 18:53 . 2008-07-09 18:53 620,544 --a------ C:\Dina Miller presentation 4 handouts.ppt 2008-07-09 18:50 . 2008-07-09 18:50 935,041 --a------ C:\Amy Wright presentation 5.zip 2008-07-09 18:50 . 2008-07-09 18:50 345,600 --a------ C:\Lisa Peacock presentation 2.ppt 2008-07-09 18:49 . 2008-07-09 18:49 396,800 --a------ C:\Josh Boutwell presentation 8.ppt 2008-07-09 18:49 . 2008-07-09 18:49 279,014 --a------ C:\Jack Rogers presentation 3.pdf 2008-07-09 18:48 . 2008-07-09 18:48 2,330,624 --a------ C:\Chuck Crumpton presentation 7.ppt 2008-07-09 18:48 . 2008-07-09 18:48 293,888 --a------ C:\Alan Minsk presentation 1.ppt 2008-07-08 17:39 . 2008-07-08 17:39 4,109,312 --a------ C:\Deidre Poucher presentation 6.ppt 2008-07-01 16:57 . 2008-07-01 16:57 54,126 --a------ C:\uwhljackp.wav 2008-07-01 15:02 . 2008-07-01 15:02 287,811 --a------ C:\boxes_carts_194991.gif 2008-07-01 12:42 . 2008-07-01 12:42 53,552 --a------ C:\Decisions.gif 2008-07-01 12:39 . 2008-07-01 12:39 117,280 --a------ C:\eyebrows_thinking_131108.jpg 2008-07-01 12:38 . 2008-07-01 12:38 21,965 --a------ C:\264438_m.gif 2008-07-01 12:37 . 2008-07-01 12:36 142,891 --a------ C:\Emotion_24.gif 2008-07-01 11:42 . 2008-07-01 17:32 839,680 --a------ C:\2008 RAPS presentation DM.ppt 2008-07-01 11:12 . 2008-07-01 11:12 293,802 --a------ C:\wheel.wav 2008-07-01 11:10 . 2008-07-01 11:10 668,988 --a------ C:\WHEEL92.ra 2008-07-01 10:42 . 2008-07-01 10:49 61,036 --a------ C:\ubankrupt.wav 2008-07-01 10:39 . 2008-07-01 10:39 111,195 --a------ C:\utimer.wav 2008-07-01 10:38 . 2008-07-01 10:38 28,774 --a------ C:\puzzle.wav 2008-07-01 10:27 . 2008-07-01 10:27 <DIR> d-------- C:\Program Files\Common Files\xing shared . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-07-29 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor 2008-07-28 18:06 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM 2008-07-24 13:18 17,609 ----a-w C:\Program Files\Common Files\unure.lib 2008-07-24 12:07 --------- d-----w C:\Program Files\McAfee 2008-07-24 11:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee 2008-07-10 03:11 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ZoomBrowser EX 2008-07-10 03:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser 2008-07-01 14:27 --------- d-----w C:\Program Files\Common Files\Real 2008-07-01 05:08 --------- d-----w C:\Program Files\SpiralFrog 2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys 2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys 2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys 2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys 2008-06-01 12:56 --------- d-----w C:\Program Files\Skype 2008-06-01 12:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype 2008-06-01 12:56 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype 2008-06-01 01:12 --------- d-----w C:\Program Files\Netflix 2005-09-10 00:55 7,155,864 ----a-w C:\Program Files\NGhost10.msi 2005-09-10 00:55 4,588,454 ----a-w C:\Program Files\setup.exe 2005-09-10 00:55 37,766,164 ----a-w C:\Program Files\Data1.cab 2005-09-10 00:55 35 ----a-w C:\Program Files\SCSSDist.ini . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="C:\Program Files\Messenger\MSMSGS.EXE" [2004-10-13 12:24 1694208] "H/PC Connection Agent"="C:\PROGRA~1\MICROS~3\wcescomm.exe" [2005-11-15 19:44 1200128] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360] "SightSpeed"="C:\Program Files\SightSpeed\SightSpeed.exe" [2006-11-22 18:50 3234880] "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-25 13:25 67128] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28 684032] "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-02-28 20:13 4493312] "HPWNTOOLBOX"="C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe" [2004-07-21 12:35 327680] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-04-13 14:20 59040] "Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [2005-09-09 20:09 1537648] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648] "Auto Run Software for Photo Frame"="C:\Program Files\Philips\Auto Run Software for Photo Frame\PhotoManager.exe" [2006-08-04 17:57 2110464] "LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 01:12 488984] "LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 01:13 774168] "LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [2007-02-06 17:43 252704] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-07-01 10:27 185896] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784] "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992] "SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-08-24 17:57 36640] "ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-07-16 09:16 1166216] "nwiz"="nwiz.exe" [2003-02-28 20:13 323584 C:\WINDOWS\system32\nwiz.exe] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193] Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-01-03 22:06:09 1470480] CreataCard Plus 3 Forget Me Not Reminders Tray Icon.lnk - C:\Program Files\CreataCard\Plus\FMRemind.exe [2006-04-16 22:18:21 189952] HPAiODevice(hp officejet 7100 series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe [2003-06-25 00:23:40 495682] Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-02-25 13:25:43 67128] QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-03-18 21:41:30 972064] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Hewlett-Packard\\hp business inkjet 1200 series\\Toolbox\\HPWNTBX.exe"= "C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"= "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Intuit\\QuickBooks Basic\\QBDBMgrN.exe"= "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"= "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= "C:\\Program Files\\SightSpeed\\SightSpeed.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service R1 NEOFLTR_530_10741;Juniper Networks TDI Filter Driver (NEOFLTR_530_10741);C:\WINDOWS\system32\Drivers\NEOFLTR_530_10741.SYS [2006-05-25 20:15] R2 OracleOraHome92Agent;OracleOraHome92Agent;C:\oracle\ora92\bin\agntsrvc.exe [2002-04-26 17:29] R2 OracleOraHome92HTTPServer;OracleOraHome92HTTPServer;C:\oracle\ora92\Apache\Apache\apache.exe [2002-04-18 22:02] S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys [2006-07-18 14:40] S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE [2002-04-26 19:34] S3 OracleOraHome92SNMPPeerEncapsulator;OracleOraHome92SNMPPeerEncapsulator;C:\oracle\ora92\BIN\ENCSVC.EXE [2002-02-13 08:23] S3 OracleOraHome92SNMPPeerMasterAgent;OracleOraHome92SNMPPeerMasterAgent;C:\oracle\ora92\BIN\AGNTSVC.EXE [2002-02-13 08:23] S3 OracleServiceALTANA;OracleServiceALTANA;c:\oracle\ora92\bin\ORACLE.EXE ALTANA [] S3 OracleServiceDEMO;OracleServiceDEMO;c:\oracle\ora92\bin\ORACLE.EXE DEMO [] S3 OracleServiceGPC;OracleServiceGPC;c:\oracle\ora92\bin\ORACLE.EXE GPC [] S3 OracleServiceHHEALTH;OracleServiceHHEALTH;c:\oracle\ora92\bin\ORACLE.EXE HHEALTH [] S3 OracleServiceIVAX;OracleServiceIVAX;c:\oracle\ora92\bin\ORACLE.EXE IVAX [] S3 OracleServiceORADMIN;OracleServiceORADMIN;c:\oracle\ora92\bin\ORACLE.EXE ORADMIN [] S3 OracleServicePRON401A;OracleServicePRON401A;c:\oracle\ora92\bin\ORACLE.EXE PRON401A [] S3 OracleServicePROTDES;OracleServicePROTDES;c:\oracle\ora92\bin\ORACLE.EXE PROTDES [] S3 OracleServiceQUATRX;OracleServiceQUATRX;c:\oracle\ora92\bin\ORACLE.EXE QUATRX [] S3 OracleServiceSRS1;OracleServiceSRS1;c:\oracle\ora92\bin\ORACLE.EXE SRS1 [] S3 OracleServiceSRSTST4A;OracleServiceSRSTST4A;c:\oracle\ora92\bin\ORACLE.EXE SRSTST4A [] S3 OracleServiceSRSTST4B;OracleServiceSRSTST4B;c:\oracle\ora92\bin\ORACLE.EXE SRSTST4B [] S3 OracleServiceSRSTST4T;OracleServiceSRSTST4T;c:\oracle\ora92\bin\ORACLE.EXE SRSTST4T [] S3 OracleServiceVOYAGER;OracleServiceVOYAGER;c:\oracle\ora92\bin\ORACLE.EXE VOYAGER [] S4 OracleServiceALLIED;OracleServiceALLIED;c:\oracle\ora92\bin\ORACLE.EXE ALLIED [] S4 OracleServiceC202A;OracleServiceC202A;c:\oracle\ora92\bin\ORACLE.EXE C202A [] S4 OracleServiceCLAYPRK;OracleServiceCLAYPRK;c:\oracle\ora92\bin\ORACLE.EXE CLAYPRK [] S4 OracleServiceCLINDAT1;OracleServiceCLINDAT1;c:\oracle\ora92\bin\ORACLE.EXE CLINDAT1 [] S4 OracleServiceES01A;OracleServiceES01A;c:\oracle\ora92\bin\ORACLE.EXE ES01A [] S4 OracleServiceES01B;OracleServiceES01B;c:\oracle\ora92\bin\ORACLE.EXE ES01B [] S4 OracleServiceL023A;OracleServiceL023A;c:\oracle\ora92\bin\ORACLE.EXE L023A [] S4 OracleServiceMACROC;OracleServiceMACROC;c:\oracle\ora92\bin\ORACLE.EXE MACROC [] S4 OracleServiceO201A;OracleServiceO201A;c:\oracle\ora92\bin\ORACLE.EXE O201A [] S4 OracleServiceO202A;OracleServiceO202A;c:\oracle\ora92\bin\ORACLE.EXE O202A [] S4 OracleServicePOMWOND;OracleServicePOMWOND;c:\oracle\ora92\bin\ORACLE.EXE POMWOND [] S4 OracleServicePTI;OracleServicePTI;c:\oracle\ora92\bin\ORACLE.EXE PTI [] Newly Created Service - MFEAVFK Newly Created Service - MFEBOPK . Contents of the 'Scheduled Tasks' folder 2008-07-24 C:\WINDOWS\Tasks\McDefragTask.job - c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32] 2008-07-24 C:\WINDOWS\Tasks\McQcTask.job - c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32] . - - - - ORPHANS REMOVED - - - - HKLM-Run-buritos - buritos.exe HKLM-RunOnce-DELDIR0.EXE - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DELDIR0.EXE . ------- Supplementary Scan ------- . R0 -: HKCU-Main,Start Page = hxxp://www.google.com R0 -: HKLM-Main,Start Page = hxxp://www.google.com O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O18 -: Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-07-29 14:46:38 Windows 5.1.2600 Service Pack 2 NTFS detected NTDLL code modification: ZwClose scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce DELDIR0.EXE = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"????????????????H?w(2?w????yX?wx????a?w???????w???wx????a?w????<????a?w????,??????????w? ?N??w????j??w ?????h???????v???C?:?\?P?r?o?g?r?a?m? ?F?i?l?e?s?\?M?c?A?f?e?e?\?M?c?A?f?e?e? ?S?h?a?r?e?d? ?C?o?m?p?o?n?e?n?t?s?\?G?u?a?r?d?i?a?n?\?????????????????h???x???????p??? ????????w???w????j??w?%?w?????$?wT???????????????????03?? scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome92PagingServer] "ImagePath"="C:\oracle\ora92/bin/pagntsrv.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome92TNSListener] "ImagePath"="C:\oracle\ora92\BIN\TNSLSNR " . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\explorer.exe -> C:\Program Files\SiteAdvisor\6261\saHook.dll . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\WINDOWS\system32\gearsec.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe C:\Program Files\McAfee\VirusScan\Mcshield.exe C:\Program Files\McAfee\MPF\MpfSrv.exe C:\Program Files\Norton Ghost\Agent\VProSvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\oracle\ora92\bin\omtsreco.exe C:\oracle\ora92\bin\TNSLSNR.EXE C:\oracle\ora92\bin\dbsnmp.exe C:\Program Files\Spyware Doctor\pctsAuxs.exe C:\Program Files\Spyware Doctor\pctsSvc.exe C:\oracle\ora92\jdk\bin\java.exe C:\oracle\ora92\bin\isqlplus C:\oracle\ora92\jdk\bin\java.exe C:\Program Files\SiteAdvisor\6261\SAService.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\PROGRA~1\MICROS~3\rapimgr.exe C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe C:\WINDOWS\system32\imapi.exe . ************************************************************************ . Completion time: 2008-07-29 14:50:22 - machine was rebooted ComboFix-quarantined-files.txt 2008-07-29 18:50:07 Pre-Run: 173,908,107,264 bytes free Post-Run: 174,112,948,224 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons 343 --- E O F --- 2008-07-15 18:11:10 >>>>>>>>>>>>>>>>>>>>> End of ComboFix Log >>>>>>>>>>>>>>>>>>>>> Start of HiJackThis Log: Logfile of HijackThis v1.99.1 Scan saved at 15:05:01, on 7/29/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\WINDOWS\System32\GEARSec.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\Program Files\McAfee\VirusScan\McShield.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\Program Files\Norton Ghost\Agent\VProSvc.exe C:\WINDOWS\System32\nvsvc32.exe C:\oracle\ora92\bin\omtsreco.exe C:\oracle\ora92\bin\agntsrvc.exe C:\WINDOWS\system32\cmd.exe C:\oracle\ora92\Apache\Apache\apache.exe C:\oracle\ora92\BIN\TNSLSNR.exe C:\oracle\ora92\bin\dbsnmp.exe C:\Program Files\Spyware Doctor\pctsAuxs.exe C:\Program Files\Spyware Doctor\pctsSvc.exe C:\oracle\ora92\Apache\Apache\apache.exe C:\oracle\ora92\jdk\bin\java.exe c:\oracle\ora92\bin\isqlplus C:\oracle\ora92\jdk\bin\java.exe C:\Program Files\SiteAdvisor\6261\SAService.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\WINDOWS\System32\alg.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\Spyware Doctor\pctsTray.exe c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Norton Ghost\Agent\GhostTray.exe C:\Program Files\Philips\Auto Run Software for Photo Frame\PhotoManager.exe C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe C:\Program Files\Logitech\QuickCam10\QuickCam10.exe C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\SiteAdvisor\6261\SiteAdv.exe C:\Program Files\Messenger\MSMSGS.EXE C:\PROGRA~1\MICROS~3\wcescomm.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SightSpeed\SightSpeed.exe C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\CreataCard\Plus\FMRemind.exe C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe C:\PROGRA~1\MICROS~3\rapimgr.exe C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe C:\WINDOWS\explorer.exe c:\PROGRA~1\mcafee\msc\mcshell.exe C:\Program Files\Spyware Doctor\pctsGui.exe C:\Program Files\Hijackthis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [HPWNTOOLBOX] C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe "-i" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [Auto Run Software for Photo Frame] "C:\Program Files\Philips\Auto Run Software for Photo Frame\PhotoManager.exe" /autorun O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SightSpeed] C:\Program Files\SightSpeed\SightSpeed.exe -minimized O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe O4 - Global Startup: CreataCard Plus 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Plus\FMRemind.exe O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll O11 - Options group: [INTERNATIONAL] International* O15 - Trusted Zone: http://*.mcafee.com O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice (file missing) O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe O23 - Service: OracleServiceALTANA - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServiceDEMO - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServiceGPC - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServiceHHEALTH - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServiceIVAX - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServiceORADMIN - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServicePRON401A - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServicePROTDES - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServiceQUATRX - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServiceSRS1 - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServiceSRSTST4A - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServiceSRSTST4B - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServiceSRSTST4T - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: OracleServiceVOYAGER - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe >>>>>>>>>>>>>>>>>>>>> End of HiJackThis Log