[Resolved] Norton Antivirus Pop Up - Please Help

This topic is locked
14 replies to this topic

#1 Saluton (New Member; Authentic Member, 7 posts)

Posted 05 August 2007 - 01:57 PM

I have started to encounter this pop-up every minute from my Norton antivirus. What should I do to remove it?

Attempted Intrusion "HTTP LOP Toolbar Activity" from your machine against ads.dns-look-up.com was detected and blocked. Intruder: DINE(1783). Risk Level: High. Protocol: TCP. Attacked IP: ads.dns-look-up.com. Attacked Port: http(80).

Regards,

Edited by Saluton, 05 August 2007 - 02:04 PM.


#2 Scotty (Always Happy; Authentic Member, 3,634 posts)

Posted 05 August 2007 - 02:16 PM

Hi! Welcome to the Tom Coyote forums.
My name is Scotty. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.
Please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


#3 Saluton (New Member; Authentic Member, 7 posts)

Posted 05 August 2007 - 04:01 PM

Hi Scotty,

Thanks for the help. Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:15 AM, on 8/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\acs.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\TP-LINK\TWCU\TWCU.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [plus copy comp five] C:\Documents and Settings\All Users\Application Data\eq rect plus copy\log grey.exe
O4 - HKLM\..\Run: [Ref Keep Seek Five] C:\Documents and Settings\All Users\Application Data\Funk Dale Five Eq\platform default body.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [TWCU] "C:\Program Files\TP-LINK\TWCU\TWCU.exe" -nogui
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [heartactive] C:\DOCUME~1\John\APPLIC~1\RULEDR~1\purethis.exe
O4 - HKUS\S-1-5-21-790525478-1409082233-725345543-1005\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Manuyag')
O4 - HKUS\S-1-5-21-790525478-1409082233-725345543-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Manuyag')
O4 - HKUS\S-1-5-21-790525478-1409082233-725345543-1005\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User 'Manuyag')
O4 - HKUS\S-1-5-21-790525478-1409082233-725345543-1005\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Manuyag')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - S-1-5-21-790525478-1409082233-725345543-1005 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Manuyag')
O4 - S-1-5-21-790525478-1409082233-725345543-1005 User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Manuyag')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O23 - Service: TP-LINK Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7172 bytes
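In the log above, the O4 entries that stand out are the two HKLM Run keys launching "log grey.exe" and "platform default body.exe" from All Users\Application Data and the HKCU key launching purethis.exe from APPLIC~1, all with random-word names: vendor autostarts live under Program Files or WINDOWS, not under a profile's Application Data. The following is an added example, not code from this thread or from HijackThis, that parses O4 Run and Startup lines and flags entries whose launched executable sits under an Application Data directory. The sample lines are copied from the log above; the function and constant names are my own.

```python
import re

# Constructed sample: O4 lines copied from the HijackThis log posted in this thread,
# chosen so the parser sees quoted paths, unquoted paths with spaces, rundll32 hosts,
# per-user (HKUS) entries and a Global Startup shortcut.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [nwiz] nwiz.exe /install',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [plus copy comp five] C:\Documents and Settings\All Users\Application Data\eq rect plus copy\log grey.exe',
    r'O4 - HKLM\..\Run: [Ref Keep Seek Five] C:\Documents and Settings\All Users\Application Data\Funk Dale Five Eq\platform default body.exe',
    r'O4 - HKCU\..\Run: [heartactive] C:\DOCUME~1\John\APPLIC~1\RULEDR~1\purethis.exe',
    r"O4 - HKUS\S-1-5-21-790525478-1409082233-725345543-1005\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Manuyag')",
    r'O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE',
]

# O4 - <hive>\..\Run: [<name>] <command> [(User '<user>')]
RUN_RE = re.compile(
    r"^O4 - (?P<hive>[^ ]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# O4 - <scope> Startup: <shortcut>.lnk = <command> [(User '<user>')]
STARTUP_RE = re.compile(
    r"^O4 - (?P<scope>.+?) Startup: (?P<name>.+?) = (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# First .exe token of the command, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)', re.IGNORECASE)

# Substrings that place a path under a per-user or All Users profile data folder
# (long form and the 8.3 short form HijackThis sometimes prints).
APPDATA_MARKERS = ("application data", "applic~1")


def launched_executable(cmd: str) -> str:
    """Return the file actually launched by an O4 command string."""
    m = EXE_RE.match(cmd)
    if not m:
        return cmd.strip('"')
    exe = m.group("exe")
    rest = cmd[m.end():].strip(' "')
    # rundll32 only hosts the real payload: report the DLL it was told to load.
    if exe.lower().endswith("rundll32.exe") and rest:
        return rest.split(",")[0]
    return exe


def parse_o4(line: str):
    """Parse one O4 line into a dict, or return None for non-O4 lines."""
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["exe"] = launched_executable(entry["cmd"])
    entry["kind"] = "run" if "hive" in entry else "startup"
    return entry


def is_appdata_launch(exe: str) -> bool:
    """True when the launched file lives under an Application Data directory."""
    lowered = exe.lower()
    return any(marker in lowered for marker in APPDATA_MARKERS)


def flag_entries(lines):
    """Return the parsed O4 entries whose executable launches from Application Data."""
    flagged = []
    for line in lines:
        entry = parse_o4(line)
        if entry and is_appdata_launch(entry["exe"]):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in flag_entries(SAMPLE_O4_LINES):
        print(f"[{e['kind']}] {e['name']!r} -> {e['exe']}")
```

The path rule is deliberately narrow: it does not try to judge entry names (legitimate names such as "Adobe Reader Speed Launcher" are also several words), and a flagged entry is a lead to investigate, not a verdict. For rundll32 hosts the DLL argument is reported instead of rundll32.exe itself, since that is where the loaded code lives.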

#4 Scotty (Always Happy; Authentic Member, 3,634 posts)

Posted 05 August 2007 - 04:26 PM

Hi Saluton

Download Findlop by Metallica. Unzip it to your desktop. Double click findlop.bat. It will open a notepad file. Copy the content of that file and paste it here in your reply.

#5 Saluton (New Member; Authentic Member, 7 posts)

Posted 05 August 2007 - 06:17 PM

Hi Scott :D here is the Findlop log:

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'AD77CF6991D043B1.job'
[TRACE] Printing all job properties
ApplicationName: 'c:\docume~1\john\applic~1\ruledr~1\remotewindupe.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'John'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 07/23/2007 11:00:00
NextRun: 08/06/2007 13:00:00
StartError: SCHED_E_ACCOUNT_INFORMATION_NOT_SET
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0
1 Trigger
Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/14/1999
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0
[TRACE] Activating job 'AppleSoftwareUpdate.job'
[TRACE] Printing all job properties
ApplicationName: 'C:\Program Files\Apple Software Update\SoftwareUpdate.exe'
Parameters: '-Task'
WorkingDirectory: ''
Comment: ''
Creator: 'SYSTEM'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 07/23/2007 17:45:00
NextRun: 08/06/2007 17:45:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0
1 Trigger
Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .M.....
StartDate: 06/03/2007
EndDate: 00/00/0000
StartTime: 17:45
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0
[TRACE] Activating job 'Norton AntiVirus - Run Full System Scan - John.job'
[TRACE] Printing all job properties
ApplicationName: 'C:\PROGRA~1\NORTON~1\Navw32.exe'
Parameters: '/TASK:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"'
WorkingDirectory: ''
Comment: 'This is a schedule scan task from Norton AntiVirus.'
Creator: 'John'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 07/20/2007 20:00:00
NextRun: 08/10/2007 20:00:00
StartError: S_OK
ExitCode: 0x1
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0
1 Trigger
Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .....F.
StartDate: 04/17/2007
EndDate: 00/00/0000
StartTime: 20:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0
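What sets the first job apart from the Apple and Norton jobs is visible in its properties alone: it is a Task Scheduler job with an opaque hex file name, it runs an executable from the user's Application Data folder (docume~1\john\applic~1), and it is marked Hidden = 1, whereas the other two run from Program Files and are not hidden. The following is an added example, not code from this thread or from Findlop, that parses this kind of job trace into per-job property dicts and reports those three indicators. The sample trace is an abridged copy of the one above (same job names, paths and flag values; most fields dropped), and the function names are my own.

```python
import re

# Constructed sample: abridged from the Findlop scheduled-task trace posted in this
# thread. Only the fields the checks below look at are kept, plus a few for context.
SAMPLE_TRACE = r"""[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'AD77CF6991D043B1.job'
[TRACE] Printing all job properties
ApplicationName: 'c:\docume~1\john\applic~1\ruledr~1\remotewindupe.exe'
Parameters: ''
Creator: 'John'
StartError: SCHED_E_ACCOUNT_INFORMATION_NOT_SET
Status: SCHED_S_TASK_READY
RunOnlyIfLoggedOn = 1
Hidden = 1
Type: Daily
MinutesInterval: 60
[TRACE] Activating job 'AppleSoftwareUpdate.job'
[TRACE] Printing all job properties
ApplicationName: 'C:\Program Files\Apple Software Update\SoftwareUpdate.exe'
Parameters: '-Task'
Creator: 'SYSTEM'
StartError: S_OK
Status: SCHED_S_TASK_READY
RunOnlyIfLoggedOn = 0
Hidden = 0
Type: Weekly
[TRACE] Activating job 'Norton AntiVirus - Run Full System Scan - John.job'
[TRACE] Printing all job properties
ApplicationName: 'C:\PROGRA~1\NORTON~1\Navw32.exe'
Parameters: '/TASK:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"'
Creator: 'John'
StartError: S_OK
Status: SCHED_S_TASK_READY
RunOnlyIfLoggedOn = 1
Hidden = 0
Type: Weekly
"""

JOB_RE = re.compile(r"^\[TRACE\] Activating job '(?P<job>.+)'$")
# Two property layouts occur in the trace: "Key: value" and "Flag = 0/1".
PROP_RE = re.compile(r"^(?P<key>[A-Za-z]+)(?:: |\s*=\s*)(?P<value>.*)$")
# Heuristic: a job file named purely by hex digits (legitimate tasks are usually named
# after their product).
HEX_NAME_RE = re.compile(r"^[0-9A-Fa-f]{8,}\.job$")

# Substrings placing ApplicationName under a user profile or Application Data folder,
# in long and 8.3 short forms.
PROFILE_MARKERS = ("documents and settings", "docume~1", "application data", "applic~1")


def parse_jobs(trace: str):
    """Split the trace into one dict per job, keyed by the property names it prints."""
    jobs = []
    current = None
    for raw in trace.splitlines():
        line = raw.strip()
        m = JOB_RE.match(line)
        if m:
            current = {"job": m.group("job")}
            jobs.append(current)
            continue
        if current is None or line.startswith("[TRACE]"):
            continue
        m = PROP_RE.match(line)
        if m:
            current[m.group("key")] = m.group("value").strip("'")
    return jobs


def job_findings(job: dict):
    """Return the list of indicators present on one parsed job (empty if none)."""
    findings = []
    # Only ApplicationName is checked: Parameters legitimately point into Application
    # Data (the Norton scan task passes a .sca file there) and must not trigger this.
    app = job.get("ApplicationName", "").lower()
    if any(marker in app for marker in PROFILE_MARKERS):
        findings.append("runs an executable from a user profile / Application Data path")
    if job.get("Hidden") == "1":
        findings.append("task is marked Hidden")
    if HEX_NAME_RE.match(job["job"]):
        findings.append("job file has an opaque hex name")
    return findings


def flag_jobs(trace: str):
    """Return (job name, findings) for every job that has at least one indicator."""
    result = []
    for job in parse_jobs(trace):
        findings = job_findings(job)
        if findings:
            result.append((job["job"], findings))
    return result


if __name__ == "__main__":
    for name, findings in flag_jobs(SAMPLE_TRACE):
        print(name)
        for f in findings:
            print("  -", f)
```

Checking ApplicationName but not Parameters is the point worth noting: the Norton scan task in this same trace passes a path under All Users\Application Data as an argument, and a check that searched the whole job text would flag it alongside the hidden job.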

#6 Scotty (Always Happy; Authentic Member, 3,634 posts)

Posted 06 August 2007 - 03:18 AM

Hi Saluton

Please Download NoLop to your desktop from one of the links below...
Link 1
Link 2
Link 3
  • First close any other programs you have running as this will require a reboot
  • Double click NoLop.exe to run it
  • Now click the button labelled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the "REBOOT" Button.
  • A message should pop up from NoLop. If not, double click the program again and it will finish.
  • Please post the contents of C:\NoLop.log along with a fresh HijackThis log.
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.--

Download and Run ComboFix
  • Download this file from below:

    Here
  • Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Then double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.
Note 1: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Note 2: Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

#7 Saluton (New Member; Authentic Member, 7 posts)

Posted 06 August 2007 - 05:03 PM

Hi Scotty,

Thanks for your response; here is the log update:

NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\John\Desktop
[8/7/2007]
[8:01:22 AM]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\AD77CF6991D043B1.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Eq Rect Plus Copy
C:\Documents and Settings\All Users\Application Data\Funk Dale Five Eq
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Mozilla
C:\Documents and Settings\All Users\Application Data\Pc Suite
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Temp -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Yahoo!
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\John\Application Data\Adobe
C:\Documents and Settings\John\Application Data\Apple Computer
C:\Documents and Settings\John\Application Data\Divx
C:\Documents and Settings\John\Application Data\Google
C:\Documents and Settings\John\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\John\Application Data\Identities
C:\Documents and Settings\John\Application Data\Macromedia
C:\Documents and Settings\John\Application Data\Microsoft
C:\Documents and Settings\John\Application Data\Microsoft Web Folders -- EMPTY Directory
C:\Documents and Settings\John\Application Data\Mozilla
C:\Documents and Settings\John\Application Data\Nokia
C:\Documents and Settings\John\Application Data\Nokia Multimedia Player
C:\Documents and Settings\John\Application Data\Pc Suite
C:\Documents and Settings\John\Application Data\Real -- EMPTY Directory
C:\Documents and Settings\John\Application Data\Rule Drive Deaf -- EMPTY Directory
C:\Documents and Settings\John\Application Data\Sun
C:\Documents and Settings\John\Application Data\Talkback
C:\Documents and Settings\John\Application Data\Utorrent
C:\Documents and Settings\John\Application Data\Yahoo!
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Manuyag\Application Data\Adobe
C:\Documents and Settings\Manuyag\Application Data\Apple Computer
C:\Documents and Settings\Manuyag\Application Data\Divx
C:\Documents and Settings\Manuyag\Application Data\Google
C:\Documents and Settings\Manuyag\Application Data\Identities
C:\Documents and Settings\Manuyag\Application Data\Limewire
C:\Documents and Settings\Manuyag\Application Data\Macromedia
C:\Documents and Settings\Manuyag\Application Data\Microsoft
C:\Documents and Settings\Manuyag\Application Data\Mozilla
C:\Documents and Settings\Manuyag\Application Data\Nokia
C:\Documents and Settings\Manuyag\Application Data\Nokia Multimedia Player
C:\Documents and Settings\Manuyag\Application Data\Pc Suite
C:\Documents and Settings\Manuyag\Application Data\Sun
C:\Documents and Settings\Manuyag\Application Data\Talkback
C:\Documents and Settings\Manuyag\Application Data\Utorrent
C:\Documents and Settings\Manuyag\Application Data\Yahoo!
C:\Documents and Settings\Networkservice\Application Data\Microsoft


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:30 AM, on 8/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\acs.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\TP-LINK\TWCU\TWCU.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [plus copy comp five] C:\Documents and Settings\All Users\Application Data\eq rect plus copy\log grey.exe
O4 - HKLM\..\Run: [Ref Keep Seek Five] C:\Documents and Settings\All Users\Application Data\Funk Dale Five Eq\platform default body.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [TWCU] "C:\Program Files\TP-LINK\TWCU\TWCU.exe" -nogui
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O23 - Service: TP-LINK Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 5967 bytes

#8 Scotty (Always Happy; Authentic Member, 3,634 posts)

Posted 06 August 2007 - 05:18 PM

Hi Saluton

And the ComboFix log?

#9 Saluton (New Member; Authentic Member, 7 posts)

Posted 06 August 2007 - 06:05 PM

Hello :D

Here is the log:

ComboFix 07-08-06.5 - "John" 2007-08-07 11:42:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.692 [GMT 12:00]
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2007-07-06 to 2007-08-06 )))))))))))))))))))))))))))))))


2007-08-07 11:41 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-07 08:02 <DIR> d-------- C:\NoLopBackups
2007-08-06 09:41 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-06 08:09 <DIR> d-------- C:\DOCUME~1\Manuyag\APPLIC~1\uTorrent
2007-08-05 13:16 <DIR> d-------- C:\hjt
2007-08-04 21:39 <DIR> d-------- C:\WINDOWS\Provisioning
2007-08-04 21:39 <DIR> d-------- C:\WINDOWS\PeerNet
2007-08-04 21:39 <DIR> d-------- C:\WINDOWS\ehome
2007-08-04 11:26 <DIR> d-------- C:\WINDOWS\Prefetch
2007-08-04 11:24 9,728 --a--c--- C:\WINDOWS\system32\dllcache\rwnh.dll
2007-08-04 11:24 9,728 --a--c--- C:\WINDOWS\system32\dllcache\query.exe
2007-08-04 11:24 9,216 --a--c--- C:\WINDOWS\system32\dllcache\wamps51.dll
2007-08-04 11:24 86,073 --a--c--- C:\WINDOWS\system32\dllcache\voicesub.dll
2007-08-04 11:24 8,704 --a--c--- C:\WINDOWS\system32\dllcache\snmptrap.exe
2007-08-04 11:24 79,872 --a--c--- C:\WINDOWS\system32\dllcache\rwia330.dll
2007-08-04 11:24 79,872 --a--c--- C:\WINDOWS\system32\dllcache\rwia001.dll
2007-08-04 11:24 76,800 --a--c--- C:\WINDOWS\system32\dllcache\wam51.dll
2007-08-04 11:24 76,288 --a--c--- C:\WINDOWS\system32\dllcache\uniime.dll
2007-08-04 11:24 73,728 --a--c--- C:\WINDOWS\system32\dllcache\w3ext.dll
2007-08-04 11:24 70,144 --a--c--- C:\WINDOWS\system32\dllcache\pintlphr.exe
2007-08-04 11:24 7,680 --a--c--- C:\WINDOWS\system32\dllcache\pwsdata.dll
2007-08-04 11:24 7,168 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_snprfdll.dll
2007-08-04 11:24 67,584 --a--c--- C:\WINDOWS\system32\dllcache\pmigrate.dll
2007-08-04 11:24 6,144 --a--c--- C:\WINDOWS\system32\dllcache\snmpmib.dll
2007-08-04 11:24 6,144 --a--c--- C:\WINDOWS\system32\dllcache\pmxgl.dll
2007-08-04 11:24 57,856 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_scripto.dll
2007-08-04 11:24 53,760 --a--c--- C:\WINDOWS\system32\dllcache\pintlcsd.dll
2007-08-04 11:24 53,248 --a--c--- C:\WINDOWS\system32\dllcache\wamreg51.dll
2007-08-04 11:24 53,248 --a--c--- C:\WINDOWS\system32\dllcache\nextlink.dll
2007-08-04 11:24 5,632 --a--c--- C:\WINDOWS\system32\dllcache\w3svapi.dll
2007-08-04 11:24 5,632 --a--c--- C:\WINDOWS\system32\dllcache\smimsgif.dll
2007-08-04 11:24 5,632 --a--c--- C:\WINDOWS\system32\dllcache\smierrsy.dll
2007-08-04 11:24 48,256 --a--c--- C:\WINDOWS\system32\dllcache\w32.dll
2007-08-04 11:24 46,592 --a--c--- C:\WINDOWS\system32\dllcache\svcext51.dll
2007-08-04 11:24 46,592 --a--c--- C:\WINDOWS\system32\dllcache\sspifilt.dll
2007-08-04 11:24 456,704 --a--c--- C:\WINDOWS\system32\dllcache\smtpsvc.dll
2007-08-04 11:24 455,168 --a--c--- C:\WINDOWS\system32\dllcache\tintsetp.exe
2007-08-04 11:24 45,056 --a--c--- C:\WINDOWS\system32\dllcache\ssinc51.dll
2007-08-04 11:24 44,544 --a--c--- C:\WINDOWS\system32\dllcache\nsepm.dll
2007-08-04 11:24 44,032 --a--c--- C:\WINDOWS\system32\dllcache\tintlphr.exe
2007-08-04 11:24 426,041 --a--c--- C:\WINDOWS\system32\dllcache\voicepad.dll
2007-08-04 11:24 41,600 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.dll
2007-08-04 11:24 40,448 --a--c--- C:\WINDOWS\system32\dllcache\snmpthrd.dll
2007-08-04 11:24 4,608 --a--c--- C:\WINDOWS\system32\dllcache\w3ctrs51.dll
2007-08-04 11:24 4,096 --a--c--- C:\WINDOWS\system32\dllcache\rpcref.dll
2007-08-04 11:24 38,912 --a--c--- C:\WINDOWS\system32\dllcache\sm9aw.dll
2007-08-04 11:24 38,912 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_ntfsdrv.dll
2007-08-04 11:24 363,520 --a--c--- C:\WINDOWS\system32\dllcache\w3svc.dll
2007-08-04 11:24 36,927 --a--c--- C:\WINDOWS\system32\dllcache\padrs411.dll
2007-08-04 11:24 358,400 --a--c--- C:\WINDOWS\system32\dllcache\snmpincl.dll
2007-08-04 11:24 32,768 --a--c--- C:\WINDOWS\system32\dllcache\snmp.exe
2007-08-04 11:24 31,744 --a--c--- C:\WINDOWS\system32\dllcache\smb6w.dll
2007-08-04 11:24 31,744 --a--c--- C:\WINDOWS\system32\dllcache\sma3w.dll
2007-08-04 11:24 31,744 --a--c--- C:\WINDOWS\system32\dllcache\pagecnt.dll
2007-08-04 11:24 31,232 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.sys
2007-08-04 11:24 31,232 --a--c--- C:\WINDOWS\system32\dllcache\tools.dll
2007-08-04 11:24 30,208 --a--c--- C:\WINDOWS\system32\dllcache\sm87w.dll
2007-08-04 11:24 30,208 --a--c--- C:\WINDOWS\system32\dllcache\sm81w.dll
2007-08-04 11:24 29,184 --a--c--- C:\WINDOWS\system32\dllcache\sm8cw.dll
2007-08-04 11:24 26,624 --a--c--- C:\WINDOWS\system32\dllcache\sm93w.dll
2007-08-04 11:24 26,624 --a--c--- C:\WINDOWS\system32\dllcache\sm92w.dll
2007-08-04 11:24 26,624 --a--c--- C:\WINDOWS\system32\dllcache\rw330ext.dll
2007-08-04 11:24 26,112 --a--c--- C:\WINDOWS\system32\dllcache\sm90w.dll
2007-08-04 11:24 26,112 --a--c--- C:\WINDOWS\system32\dllcache\sm8dw.dll
2007-08-04 11:24 26,112 --a--c--- C:\WINDOWS\system32\dllcache\sm8aw.dll
2007-08-04 11:24 26,112 --a--c--- C:\WINDOWS\system32\dllcache\sm89w.dll
2007-08-04 11:24 26,112 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_seos.dll
2007-08-04 11:24 259,072 --a--c--- C:\WINDOWS\system32\dllcache\snmpcl.dll
2007-08-04 11:24 25,088 --a--c--- C:\WINDOWS\system32\dllcache\sm59w.dll
2007-08-04 11:24 24,576 --a--c--- C:\WINDOWS\system32\dllcache\rw001ext.dll
2007-08-04 11:24 236,544 --a--c--- C:\WINDOWS\system32\dllcache\smi2smir.exe
2007-08-04 11:24 23,040 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_regtrace.exe
2007-08-04 11:24 221,696 --a--c--- C:\WINDOWS\system32\dllcache\seo.dll
2007-08-04 11:24 21,896 --a--c--- C:\WINDOWS\system32\dllcache\tdipx.sys
2007-08-04 11:24 20,992 --a--c--- C:\WINDOWS\system32\dllcache\permchk.dll
2007-08-04 11:24 20,736 --a--c--- C:\WINDOWS\system32\dllcache\ramdisk.sys
2007-08-04 11:24 19,464 --a--c--- C:\WINDOWS\system32\dllcache\tdspx.sys
2007-08-04 11:24 188,416 --a--c--- C:\WINDOWS\system32\dllcache\snmpsmir.dll
2007-08-04 11:24 185,344 --a--c--- C:\WINDOWS\system32\dllcache\thawbrkr.dll
2007-08-04 11:24 18,944 --a--c--- C:\WINDOWS\system32\dllcache\simptcp.dll
2007-08-04 11:24 175,104 --a--c--- C:\WINDOWS\system32\dllcache\pintlcsa.dll
2007-08-04 11:24 16,896 --a--c--- C:\WINDOWS\system32\dllcache\status.dll
2007-08-04 11:24 16,384 --a--c--- C:\WINDOWS\system32\dllcache\quser.exe
2007-08-04 11:24 15,872 --a--c--- C:\WINDOWS\system32\dllcache\smierrsm.dll
2007-08-04 11:24 15,872 --a--c--- C:\WINDOWS\system32\dllcache\padrs404.dll
2007-08-04 11:24 15,360 --a--c--- C:\WINDOWS\system32\dllcache\padrs804.dll
2007-08-04 11:24 143,422 --a--c--- C:\WINDOWS\system32\dllcache\softkey.dll
2007-08-04 11:24 14,848 --a--c--- C:\WINDOWS\system32\dllcache\register.exe
2007-08-04 11:24 14,336 --a--c--- C:\WINDOWS\system32\dllcache\tsprof.exe
2007-08-04 11:24 14,336 --a--c--- C:\WINDOWS\system32\dllcache\padrs412.dll
2007-08-04 11:24 131,584 --a--c--- C:\WINDOWS\system32\dllcache\pmxviceo.dll
2007-08-04 11:24 13,192 --a--c--- C:\WINDOWS\system32\dllcache\tdasync.sys
2007-08-04 11:24 12,288 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpctrs.dll
2007-08-04 11:24 11,264 --a--c--- C:\WINDOWS\system32\dllcache\pmxmcro.dll
2007-08-04 11:24 103,424 --a--c--- C:\WINDOWS\system32\dllcache\uihelper.dll
2007-08-04 11:24 101,376 --a--c--- C:\WINDOWS\system32\dllcache\srusbusd.dll
2007-08-04 11:24 10,752 --a--c--- C:\WINDOWS\system32\dllcache\smtpapi.dll
2007-08-04 11:24 10,240 --a--c--- C:\WINDOWS\system32\dllcache\tmigrate.dll
2007-08-04 11:24 10,240 --a--c--- C:\WINDOWS\system32\dllcache\snmpstup.dll
2007-08-04 11:23 98,304 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-07 11:41 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-07 11:40 --------- d-------- C:\DOCUME~1\John\APPLIC~1\uTorrent
2007-08-04 11:19 --------- d-------- C:\Program Files\Movie Maker
2007-08-04 11:18 22720 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-08-04 11:18 --------- d-------- C:\Program Files\Windows NT
2007-08-04 11:18 --------- d-------- C:\Program Files\Messenger
2007-08-04 09:32 --------- d-------- C:\Program Files\Yahoo!
2007-08-04 09:31 --------- d-------- C:\Program Files\Symantec
2007-08-04 09:30 --------- d-------- C:\Program Files\DivX
2007-08-04 09:29 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-03 17:41 --------- d--h----- C:\DOCUME~1\John\APPLIC~1\yahoo!
2007-08-03 17:39 --------- d-------- C:\Program Files\Google
2007-08-03 17:36 --------- d-------- C:\Program Files\LimeWire
2007-08-01 09:24 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-07-23 16:14 --------- d-------- C:\Program Files\Share_Accelerator_MM
2007-07-23 16:12 --------- d-------- C:\Program Files\Ahead
2007-07-15 23:14 --------- d-------- C:\Program Files\GustoSoft
2007-07-13 01:05 --------- d-------- C:\DOCUME~1\John\APPLIC~1\DivX
2007-07-03 07:41 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-03 07:41 36624 --a------ C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-07-03 07:41 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-03 07:41 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-03 07:41 118520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2007-07-03 07:41 116472 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2007-07-03 07:41 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-03 07:37 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-03 07:37 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-03 07:37 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-03 07:37 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-03 07:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-03 07:37 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-03 07:37 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-03 07:37 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-03 07:37 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-03 07:37 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-03 07:37 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-03 07:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-03 07:36 124472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-07-03 07:36 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-06-09 22:34 --------- d-------- C:\Program Files\Chord Alchemy 4
2007-06-08 10:07 --------- d-------- C:\Program Files\PowerISO
2007-06-08 09:31 --------- d-------- C:\Program Files\MagicISO
2007-06-06 15:55 664 --a------ C:\WINDOWS\system32\d3d9caps.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-06 08:22]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2003-07-13 02:49]
"WinampAgent"="C:\Program Files\Winamp3\winampa.exe" [2002-07-24 04:58]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 12:22]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-01-20 19:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 13:27]
"plus copy comp five"="C:\Documents and Settings\All Users\Application Data\eq rect plus copy\log grey.exe" [2007-08-07 11:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 04:15]
"TWCU"="C:\Program Files\TP-LINK\TWCU\TWCU.exe" [2006-03-29 16:12]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 05:12 C:\WINDOWS\soundman.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-10-22 12:22]
"RegistryMechanic"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-06-11 00:15:11]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 08:05:56]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-04-19 14:35:42]

R1 SCDEmu;SCDEmu;C:\WINDOWS\system32\drivers\SCDEmu.sys
R1 SRTSPX;SRTSPX;C:\WINDOWS\system32\Drivers\SRTSPX.SYS
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINDOWS\system32\drivers\msmpu401.sys
R3 SRTSP;SRTSP;C:\WINDOWS\system32\Drivers\SRTSP.SYS
S3 Bridge;MAC Bridge;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 E100B;Intel® PRO Network Connection Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;C:\WINDOWS\system32\DRIVERS\m4301A.sys
S3 Nokia USB Generic;Nokia USB Generic;C:\WINDOWS\system32\drivers\nmwcdc.sys
S3 Nokia USB Modem;Nokia USB Modem;C:\WINDOWS\system32\drivers\nmwcdcm.sys
S3 Nokia USB Phone Parent;Nokia USB Phone Parent;C:\WINDOWS\system32\drivers\nmwcd.sys
S3 SRTSPL;SRTSPL;C:\WINDOWS\system32\Drivers\SRTSPL.SYS


Contents of the 'Scheduled Tasks' folder
2007-08-06 05:45:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-07-20 09:39:17 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - John.job - C:\PROGRA~1\NORTON~1\Navw32.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 11:44:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-07 11:45:28

--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:02 AM, on 8/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\acs.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\TP-LINK\TWCU\TWCU.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\uTorrent\utorrent.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [plus copy comp five] C:\Documents and Settings\All Users\Application Data\eq rect plus copy\log grey.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [TWCU] "C:\Program Files\TP-LINK\TWCU\TWCU.exe" -nogui
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O23 - Service: TP-LINK Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 5884 bytes

#10 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 07 August 2007 - 05:07 AM

Hello

Open Notepad and Copy/Paste the text in the codebox below into it:

Folder::
C:\Documents and Settings\All Users\Application Data\eq rect plus copy
C:\NoLopBackups

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"plus copy comp five"=-

Save this as "CFScript"

Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log with a new HijackThis log.
You too could train to help others- Join the Classroom

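Added example, not part of Scotty's post or of the ComboFix/HijackThis tools: a Python triage script that parses O4 autostart lines in the HijackThis format shown in this thread, flags entries whose executable lives outside Program Files and Windows (as the "plus copy comp five" entry under All Users\Application Data does), and emits the matching CFScript Folder::/Registry:: fragment in the syntax used above. The location heuristic and the sample lines (copied from the log posted earlier) are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Sample input for this example: O4 lines copied from the HijackThis log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [plus copy comp five] C:\Documents and Settings\All Users\Application Data\eq rect plus copy\log grey.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
"""

# "O4 - <hive>[\<sid>]\..\Run: [<value name>] <command line>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$'
)

HIVE_NAMES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Heuristic (assumption of this example): autostart binaries of installed
# software normally live here; anything absolute outside these is worth a look.
EXPECTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


@dataclass
class AutostartEntry:
    hive: str       # e.g. HKLM or HKUS\S-1-5-18
    name: str       # registry value name, e.g. "plus copy comp five"
    exe_path: str   # executable as written in the log, without quotes/arguments


def exe_from_command(cmd: str) -> str:
    """Strip arguments and quotes from an O4 command line, keeping the executable."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r'(.*?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def parse_o4_lines(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            entries.append(AutostartEntry(m.group("hive"), m.group("name"),
                                          exe_from_command(m.group("cmd"))))
    return entries


def is_suspicious(entry: AutostartEntry) -> bool:
    p = entry.exe_path.lower()
    if ":\\" not in p:          # bare name resolved via PATH (nwiz.exe); not judged here
        return False
    return not p.startswith(EXPECTED_PREFIXES)


def registry_hive(hive: str) -> str:
    """Expand the HijackThis abbreviation into the full hive name CFScript expects."""
    if hive.startswith("HKUS\\"):
        return "HKEY_USERS\\" + hive.split("\\", 1)[1]
    return HIVE_NAMES.get(hive, hive)


def cfscript_for(entries: list) -> str:
    """Build the Folder::/Registry:: fragment that removes every flagged entry."""
    flagged = [e for e in entries if is_suspicious(e)]
    if not flagged:
        return ""
    folders = sorted({e.exe_path.rsplit("\\", 1)[0] for e in flagged})
    by_key = {}
    for e in flagged:
        key = f"[{registry_hive(e.hive)}\\{RUN_KEY}]"
        by_key.setdefault(key, []).append(f'"{e.name}"=-')   # "=-" deletes the value
    lines = ["Folder::", *folders, "", "Registry::"]
    for key, values in by_key.items():
        lines.append(key)
        lines.extend(values)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(cfscript_for(parse_o4_lines(SAMPLE_LOG)), end="")
```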

#11 Saluton

Saluton

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 07 August 2007 - 02:53 PM

Good day mate :wavey:

Here are the logs:

ComboFix 07-08-06.5 - "John" 2007-08-08 8:10:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.607 [GMT 12:00]
Command switches used :: C:\Documents and Settings\Manuyag\My Documents\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\All Users\Application Data\eq rect plus copy
C:\Documents and Settings\All Users\Application Data\eq rect plus copy\log grey.exe
C:\NoLopBackups


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-07 11:41 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-06 09:41 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-06 08:09 <DIR> d-------- C:\DOCUME~1\Manuyag\APPLIC~1\uTorrent
2007-08-05 13:16 <DIR> d-------- C:\hjt
2007-08-04 21:39 <DIR> d-------- C:\WINDOWS\Provisioning
2007-08-04 21:39 <DIR> d-------- C:\WINDOWS\PeerNet
2007-08-04 21:39 <DIR> d-------- C:\WINDOWS\ehome
2007-08-04 11:26 <DIR> d-------- C:\WINDOWS\Prefetch
2007-08-04 11:24 9,728 --a--c--- C:\WINDOWS\system32\dllcache\rwnh.dll
2007-08-04 11:24 9,728 --a--c--- C:\WINDOWS\system32\dllcache\query.exe
2007-08-04 11:24 9,216 --a--c--- C:\WINDOWS\system32\dllcache\wamps51.dll
2007-08-04 11:24 86,073 --a--c--- C:\WINDOWS\system32\dllcache\voicesub.dll
2007-08-04 11:24 8,704 --a--c--- C:\WINDOWS\system32\dllcache\snmptrap.exe
2007-08-04 11:24 79,872 --a--c--- C:\WINDOWS\system32\dllcache\rwia330.dll
2007-08-04 11:24 79,872 --a--c--- C:\WINDOWS\system32\dllcache\rwia001.dll
2007-08-04 11:24 76,800 --a--c--- C:\WINDOWS\system32\dllcache\wam51.dll
2007-08-04 11:24 76,288 --a--c--- C:\WINDOWS\system32\dllcache\uniime.dll
2007-08-04 11:24 73,728 --a--c--- C:\WINDOWS\system32\dllcache\w3ext.dll
2007-08-04 11:24 70,144 --a--c--- C:\WINDOWS\system32\dllcache\pintlphr.exe
2007-08-04 11:24 7,680 --a--c--- C:\WINDOWS\system32\dllcache\pwsdata.dll
2007-08-04 11:24 7,168 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_snprfdll.dll
2007-08-04 11:24 67,584 --a--c--- C:\WINDOWS\system32\dllcache\pmigrate.dll
2007-08-04 11:24 6,144 --a--c--- C:\WINDOWS\system32\dllcache\snmpmib.dll
2007-08-04 11:24 6,144 --a--c--- C:\WINDOWS\system32\dllcache\pmxgl.dll
2007-08-04 11:24 57,856 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_scripto.dll
2007-08-04 11:24 53,760 --a--c--- C:\WINDOWS\system32\dllcache\pintlcsd.dll
2007-08-04 11:24 53,248 --a--c--- C:\WINDOWS\system32\dllcache\wamreg51.dll
2007-08-04 11:24 53,248 --a--c--- C:\WINDOWS\system32\dllcache\nextlink.dll
2007-08-04 11:24 5,632 --a--c--- C:\WINDOWS\system32\dllcache\w3svapi.dll
2007-08-04 11:24 5,632 --a--c--- C:\WINDOWS\system32\dllcache\smimsgif.dll
2007-08-04 11:24 5,632 --a--c--- C:\WINDOWS\system32\dllcache\smierrsy.dll
2007-08-04 11:24 48,256 --a--c--- C:\WINDOWS\system32\dllcache\w32.dll
2007-08-04 11:24 46,592 --a--c--- C:\WINDOWS\system32\dllcache\svcext51.dll
2007-08-04 11:24 46,592 --a--c--- C:\WINDOWS\system32\dllcache\sspifilt.dll
2007-08-04 11:24 456,704 --a--c--- C:\WINDOWS\system32\dllcache\smtpsvc.dll
2007-08-04 11:24 455,168 --a--c--- C:\WINDOWS\system32\dllcache\tintsetp.exe
2007-08-04 11:24 45,056 --a--c--- C:\WINDOWS\system32\dllcache\ssinc51.dll
2007-08-04 11:24 44,544 --a--c--- C:\WINDOWS\system32\dllcache\nsepm.dll
2007-08-04 11:24 44,032 --a--c--- C:\WINDOWS\system32\dllcache\tintlphr.exe
2007-08-04 11:24 426,041 --a--c--- C:\WINDOWS\system32\dllcache\voicepad.dll
2007-08-04 11:24 41,600 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.dll
2007-08-04 11:24 40,448 --a--c--- C:\WINDOWS\system32\dllcache\snmpthrd.dll
2007-08-04 11:24 4,608 --a--c--- C:\WINDOWS\system32\dllcache\w3ctrs51.dll
2007-08-04 11:24 4,096 --a--c--- C:\WINDOWS\system32\dllcache\rpcref.dll
2007-08-04 11:24 38,912 --a--c--- C:\WINDOWS\system32\dllcache\sm9aw.dll
2007-08-04 11:24 38,912 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_ntfsdrv.dll
2007-08-04 11:24 363,520 --a--c--- C:\WINDOWS\system32\dllcache\w3svc.dll
2007-08-04 11:24 36,927 --a--c--- C:\WINDOWS\system32\dllcache\padrs411.dll
2007-08-04 11:24 358,400 --a--c--- C:\WINDOWS\system32\dllcache\snmpincl.dll
2007-08-04 11:24 32,768 --a--c--- C:\WINDOWS\system32\dllcache\snmp.exe
2007-08-04 11:24 31,744 --a--c--- C:\WINDOWS\system32\dllcache\smb6w.dll
2007-08-04 11:24 31,744 --a--c--- C:\WINDOWS\system32\dllcache\sma3w.dll
2007-08-04 11:24 31,744 --a--c--- C:\WINDOWS\system32\dllcache\pagecnt.dll
2007-08-04 11:24 31,232 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.sys
2007-08-04 11:24 31,232 --a--c--- C:\WINDOWS\system32\dllcache\tools.dll
2007-08-04 11:24 30,208 --a--c--- C:\WINDOWS\system32\dllcache\sm87w.dll
2007-08-04 11:24 30,208 --a--c--- C:\WINDOWS\system32\dllcache\sm81w.dll
2007-08-04 11:24 29,184 --a--c--- C:\WINDOWS\system32\dllcache\sm8cw.dll
2007-08-04 11:24 26,624 --a--c--- C:\WINDOWS\system32\dllcache\sm93w.dll
2007-08-04 11:24 26,624 --a--c--- C:\WINDOWS\system32\dllcache\sm92w.dll
2007-08-04 11:24 26,624 --a--c--- C:\WINDOWS\system32\dllcache\rw330ext.dll
2007-08-04 11:24 26,112 --a--c--- C:\WINDOWS\system32\dllcache\sm90w.dll
2007-08-04 11:24 26,112 --a--c--- C:\WINDOWS\system32\dllcache\sm8dw.dll
2007-08-04 11:24 26,112 --a--c--- C:\WINDOWS\system32\dllcache\sm8aw.dll
2007-08-04 11:24 26,112 --a--c--- C:\WINDOWS\system32\dllcache\sm89w.dll
2007-08-04 11:24 26,112 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_seos.dll
2007-08-04 11:24 259,072 --a--c--- C:\WINDOWS\system32\dllcache\snmpcl.dll
2007-08-04 11:24 25,088 --a--c--- C:\WINDOWS\system32\dllcache\sm59w.dll
2007-08-04 11:24 24,576 --a--c--- C:\WINDOWS\system32\dllcache\rw001ext.dll
2007-08-04 11:24 236,544 --a--c--- C:\WINDOWS\system32\dllcache\smi2smir.exe
2007-08-04 11:24 23,040 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_regtrace.exe
2007-08-04 11:24 221,696 --a--c--- C:\WINDOWS\system32\dllcache\seo.dll
2007-08-04 11:24 21,896 --a--c--- C:\WINDOWS\system32\dllcache\tdipx.sys
2007-08-04 11:24 20,992 --a--c--- C:\WINDOWS\system32\dllcache\permchk.dll
2007-08-04 11:24 20,736 --a--c--- C:\WINDOWS\system32\dllcache\ramdisk.sys
2007-08-04 11:24 19,464 --a--c--- C:\WINDOWS\system32\dllcache\tdspx.sys
2007-08-04 11:24 188,416 --a--c--- C:\WINDOWS\system32\dllcache\snmpsmir.dll
2007-08-04 11:24 185,344 --a--c--- C:\WINDOWS\system32\dllcache\thawbrkr.dll
2007-08-04 11:24 18,944 --a--c--- C:\WINDOWS\system32\dllcache\simptcp.dll
2007-08-04 11:24 175,104 --a--c--- C:\WINDOWS\system32\dllcache\pintlcsa.dll
2007-08-04 11:24 16,896 --a--c--- C:\WINDOWS\system32\dllcache\status.dll
2007-08-04 11:24 16,384 --a--c--- C:\WINDOWS\system32\dllcache\quser.exe
2007-08-04 11:24 15,872 --a--c--- C:\WINDOWS\system32\dllcache\smierrsm.dll
2007-08-04 11:24 15,872 --a--c--- C:\WINDOWS\system32\dllcache\padrs404.dll
2007-08-04 11:24 15,360 --a--c--- C:\WINDOWS\system32\dllcache\padrs804.dll
2007-08-04 11:24 143,422 --a--c--- C:\WINDOWS\system32\dllcache\softkey.dll
2007-08-04 11:24 14,848 --a--c--- C:\WINDOWS\system32\dllcache\register.exe
2007-08-04 11:24 14,336 --a--c--- C:\WINDOWS\system32\dllcache\tsprof.exe
2007-08-04 11:24 14,336 --a--c--- C:\WINDOWS\system32\dllcache\padrs412.dll
2007-08-04 11:24 131,584 --a--c--- C:\WINDOWS\system32\dllcache\pmxviceo.dll
2007-08-04 11:24 13,192 --a--c--- C:\WINDOWS\system32\dllcache\tdasync.sys
2007-08-04 11:24 12,288 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpctrs.dll
2007-08-04 11:24 11,264 --a--c--- C:\WINDOWS\system32\dllcache\pmxmcro.dll
2007-08-04 11:24 103,424 --a--c--- C:\WINDOWS\system32\dllcache\uihelper.dll
2007-08-04 11:24 101,376 --a--c--- C:\WINDOWS\system32\dllcache\srusbusd.dll
2007-08-04 11:24 10,752 --a--c--- C:\WINDOWS\system32\dllcache\smtpapi.dll
2007-08-04 11:24 10,240 --a--c--- C:\WINDOWS\system32\dllcache\tmigrate.dll
2007-08-04 11:24 10,240 --a--c--- C:\WINDOWS\system32\dllcache\snmpstup.dll
2007-08-04 11:23 98,304 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.dll
2007-08-04 11:23 92,416 --a--c--- C:\WINDOWS\system32\dllcache\mga.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-07 18:22 --------- d-------- C:\DOCUME~1\John\APPLIC~1\uTorrent
2007-08-07 11:53 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-04 11:19 --------- d-------- C:\Program Files\Movie Maker
2007-08-04 11:18 22720 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-08-04 11:18 --------- d-------- C:\Program Files\Windows NT
2007-08-04 11:18 --------- d-------- C:\Program Files\Messenger
2007-08-04 09:32 --------- d-------- C:\Program Files\Yahoo!
2007-08-04 09:31 --------- d-------- C:\Program Files\Symantec
2007-08-04 09:30 --------- d-------- C:\Program Files\DivX
2007-08-04 09:29 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-03 17:41 --------- d--h----- C:\DOCUME~1\John\APPLIC~1\yahoo!
2007-08-03 17:39 --------- d-------- C:\Program Files\Google
2007-08-03 17:36 --------- d-------- C:\Program Files\LimeWire
2007-08-01 09:24 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-07-23 16:14 --------- d-------- C:\Program Files\Share_Accelerator_MM
2007-07-23 16:12 --------- d-------- C:\Program Files\Ahead
2007-07-15 23:14 --------- d-------- C:\Program Files\GustoSoft
2007-07-13 01:05 --------- d-------- C:\DOCUME~1\John\APPLIC~1\DivX
2007-07-03 07:41 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-03 07:41 36624 --a------ C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-07-03 07:41 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-03 07:41 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-03 07:41 118520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2007-07-03 07:41 116472 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2007-07-03 07:41 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-03 07:37 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-03 07:37 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-03 07:37 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-03 07:37 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-03 07:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-03 07:37 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-03 07:37 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-03 07:37 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-03 07:37 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-03 07:37 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-03 07:37 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-03 07:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-03 07:36 124472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-07-03 07:36 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-06-09 22:34 --------- d-------- C:\Program Files\Chord Alchemy 4
2007-06-08 10:07 --------- d-------- C:\Program Files\PowerISO
2007-06-08 09:31 --------- d-------- C:\Program Files\MagicISO
2007-06-06 15:55 664 --a------ C:\WINDOWS\system32\d3d9caps.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-06 08:22]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2003-07-13 02:49]
"WinampAgent"="C:\Program Files\Winamp3\winampa.exe" [2002-07-24 04:58]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 12:22]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-01-20 19:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 13:27]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 04:15]
"TWCU"="C:\Program Files\TP-LINK\TWCU\TWCU.exe" [2006-03-29 16:12]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 05:12 C:\WINDOWS\soundman.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-10-22 12:22]
"RegistryMechanic"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-06-11 00:15:11]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 08:05:56]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-04-19 14:35:42]

R1 SCDEmu;SCDEmu;C:\WINDOWS\system32\drivers\SCDEmu.sys
R1 SRTSPX;SRTSPX;C:\WINDOWS\system32\Drivers\SRTSPX.SYS
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINDOWS\system32\drivers\msmpu401.sys
R3 SRTSP;SRTSP;C:\WINDOWS\system32\Drivers\SRTSP.SYS
S3 Bridge;MAC Bridge;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 E100B;Intel® PRO Network Connection Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;C:\WINDOWS\system32\DRIVERS\m4301A.sys
S3 Nokia USB Generic;Nokia USB Generic;C:\WINDOWS\system32\drivers\nmwcdc.sys
S3 Nokia USB Modem;Nokia USB Modem;C:\WINDOWS\system32\drivers\nmwcdcm.sys
S3 Nokia USB Phone Parent;Nokia USB Phone Parent;C:\WINDOWS\system32\drivers\nmwcd.sys
S3 SRTSPL;SRTSPL;C:\WINDOWS\system32\Drivers\SRTSPL.SYS


Contents of the 'Scheduled Tasks' folder
2007-08-06 05:45:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-07-20 09:39:17 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - John.job - C:\PROGRA~1\NORTON~1\Navw32.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-08 08:12:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-08 8:13:18
C:\ComboFix-quarantined-files.txt ... 2007-08-08 08:13
C:\ComboFix2.txt ... 2007-08-07 11:45

--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:57 AM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\acs.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\TP-LINK\TWCU\TWCU.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [TWCU] "C:\Program Files\TP-LINK\TWCU\TWCU.exe" -nogui
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-21-790525478-1409082233-725345543-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Manuyag')
O4 - HKUS\S-1-5-21-790525478-1409082233-725345543-1005\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User 'Manuyag')
O4 - HKUS\S-1-5-21-790525478-1409082233-725345543-1005\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Manuyag')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - S-1-5-21-790525478-1409082233-725345543-1005 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Manuyag')
O4 - S-1-5-21-790525478-1409082233-725345543-1005 User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Manuyag')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O23 - Service: TP-LINK Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 6527 bytes

#12 Scotty

    Always Happy

  • Authentic Member
  • 3,634 posts

Posted 07 August 2007 - 03:06 PM

Hi Saluton

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit HijackThis.

Download Superantispyware (SAS) free home version.

SAS Free

Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining.
  • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
  • After reboot, double-click the SUPERAntispyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad/Wordpad).
  • Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.
· Please paste that information here for me.



Delete the older versions of Java and download the newest.
Please follow these steps to remove older version Java components.
  • Close any programmes you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel.
  • Click Add/Remove Programs.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer once all Java components are removed.
Then download the latest version of Java Runtime Environment (JRE) (4th one down the list), which is JRE6u2, and click Yes at the page warning, then accept the Licence Agreement before downloading the Offline file.

I would advise updating Adobe Reader, as the latest version clears up any vulnerabilities of previous versions.
First uninstall the version you have on your computer then download and install Adobe Reader 8.1.

Post back with the SuperAnti-spyware report and a new HijackThis log, please.
You too could train to help others- Join the Classroom


#13 Saluton

    New Member

  • Authentic Member
  • 7 posts

Posted 07 August 2007 - 06:50 PM

hi :D

thanks for your help, everything seems to work fine and no more pop ups. here are the log details:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/08/2007 at 11:54 AM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 00:23:54

Memory items scanned : 416
Memory threats detected : 0
Registry items scanned : 4645
Registry threats detected : 0
File items scanned : 27594
File threats detected : 56

Adware.Tracking Cookie
C:\Documents and Settings\John\Cookies\john@mediaonenetwork[1].txt
C:\Documents and Settings\John\Cookies\john@doubleclick[1].txt
C:\Documents and Settings\John\Cookies\john@ad.z5x[2].txt
C:\Documents and Settings\John\Cookies\john@fastclick[2].txt
C:\Documents and Settings\John\Cookies\john@cgi-bin[1].txt
C:\Documents and Settings\John\Cookies\john@msnportal.112.2o7[1].txt
C:\Documents and Settings\John\Cookies\john@atdmt[2].txt
C:\Documents and Settings\John\Cookies\john@questionmarket[1].txt
C:\Documents and Settings\John\Cookies\john@overture[1].txt
C:\Documents and Settings\John\Cookies\john@ad.yieldmanager[1].txt
C:\Documents and Settings\John\Cookies\john@clickaider[1].txt
C:\Documents and Settings\John\Cookies\john@apnonline.112.2o7[1].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@2o7[2].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@3.adbrite[2].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@acvs.mediaonenetwork[1].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@ad.yieldmanager[2].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@ad.z5x[2].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@adbrite[2].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@adinterax[2].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@ads.adbrite[1].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@ads.as4x.tmcs.ticketmaster[1].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@advertising[2].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@apnonline.112.2o7[1].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@atdmt[2].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@atwola[1].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@bs.serving-sys[1].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@burstnet[2].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@casalemedia[1].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@clickaider[1].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@divx.adbureau[2].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@doubleclick[2].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@ehg-dig.hitbox[2].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@fastclick[1].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@focalex[2].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@hitbox[2].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@mediaonenetwork[1].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@mediaplex[1].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@msnportal.112.2o7[1].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@overture[1].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@questionmarket[1].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@revsci[2].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@serving-sys[2].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@statse.webtrendslive[2].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@tacoda[2].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@tracker.mediatracker.co[2].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@tribalfusion[1].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@videoegg.adbureau[2].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@web4.realtracker[1].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@www.burstnet[1].txt
C:\Documents and Settings\Manuyag\Cookies\manuyag@xiti[1].txt
C:\Documents and Settings\Manuyag\Local Settings\Temp\Cookies\manuyag@112.2o7[2].txt
C:\Documents and Settings\Manuyag\Local Settings\Temp\Cookies\manuyag@acvs.mediaonenetwork[1].txt
C:\Documents and Settings\Manuyag\Local Settings\Temp\Cookies\manuyag@atdmt[1].txt
C:\Documents and Settings\Manuyag\Local Settings\Temp\Cookies\manuyag@doubleclick[1].txt
C:\Documents and Settings\Manuyag\Local Settings\Temp\Cookies\manuyag@fastclick[1].txt
C:\Documents and Settings\Manuyag\Local Settings\Temp\Cookies\manuyag@mediaonenetwork[1].txt


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:44 PM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\acs.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\TP-LINK\TWCU\TWCU.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [TWCU] "C:\Program Files\TP-LINK\TWCU\TWCU.exe" -nogui
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: TP-LINK Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 5137 bytes
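As an added example (not code from this thread or from the HijackThis project), a small Python check that parses HijackThis entry lines and compares the earlier log with the one above: the two entries that were checked and fixed should be gone, and the only new entries should be the freshly installed scanner's. The two log excerpts inside it are constructed from lines quoted in this thread, trimmed to the entries needed for the comparison.

```python
import re

# Added example, not part of the original thread. It parses HijackThis
# "Rn"/"On" entry lines and compares a before/after pair of logs, the way
# the helper did by eye here: the two entries checked and fixed should be
# gone, and only the newly installed scanner's entries should be new.
# Both excerpts are constructed from lines quoted in this thread; only the
# entries needed for the comparison are included.

BEFORE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: TP-LINK Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
"""

AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: TP-LINK Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
"""

# A HijackThis entry starts with its section code (R0..R3, O1..O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")


def parse_hjt(text):
    """Return the set of (section, body) pairs for every entry line in text."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group("section"), m.group("body")))
    return entries


def diff_hjt(before, after):
    """Return (removed, added) entry lists between two logs, sorted."""
    b, a = parse_hjt(before), parse_hjt(after)
    return sorted(b - a), sorted(a - b)


def flag_entries(entries):
    """Flag the two patterns the helper acted on in this thread: an entry
    whose target file is gone ('(no file)') and an R0 start page that has
    been reset to about:blank. Returns (section, body, reason) triples."""
    flagged = []
    for section, body in sorted(entries):
        if body.endswith("(no file)"):
            flagged.append((section, body, "orphaned entry, file missing"))
        elif section == "R0" and body.endswith("= about:blank"):
            flagged.append((section, body, "start page set to about:blank"))
    return flagged


if __name__ == "__main__":
    removed, added = diff_hjt(BEFORE_LOG, AFTER_LOG)
    for section, body, reason in flag_entries(parse_hjt(BEFORE_LOG)):
        print(f"flagged before fix: {section} - {body}  [{reason}]")
    for section, body in removed:
        print(f"removed: {section} - {body}")
    for section, body in added:
        print(f"added:   {section} - {body}")
```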

#14 Scotty

    Always Happy

  • Authentic Member
  • 3,634 posts

Posted 08 August 2007 - 03:40 AM

Hi Saluton

Now delete the Combofix.exe from your Desktop.

Navigate to and delete the following files and/or folders (if they are present):

Folders:
C:\Combofix
C:\Qoobox

This is my usual speech for when you are clean, which you appear to be.
  • Please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable
    and reenable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked please check Hide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK
And take a look at this LINKY for further recommendations and tips to stay clean.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.

#15 Scotty

    Always Happy

  • Authentic Member
  • 3,634 posts

Posted 13 August 2007 - 03:47 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php