[Closed] setthetrend, ads popup


13 replies to this topic

#1 Life Is Great! (New Member, 6 posts)

Posted 17 December 2007 - 08:32 AM

Good morning. I have recently had an issue with my computer where I am getting random IE windows opening with ads from setthetrend.com, some dating service, auto buying ads, etc. Can someone please help me remove this from my system?

#2 Simon V. (MRU Emeritus, Authentic Member, 897 posts)

Posted 18 December 2007 - 06:42 AM

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

The first step in cleaning the malware off your computer is creating a HijackThis log:

Download HJTInstall.exe to your desktop.

  • Double-click HJTInstall.exe to install HijackThis.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad. Please post it back here.

Don't use the AnalyseThis button; its findings are dangerous if misinterpreted.
Don't have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

#3 Life Is Great! (New Member, 6 posts)

Posted 18 December 2007 - 08:33 AM

Back at ya!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:36 AM, on 12/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Application Data\WinTouch\WinTouch.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee\MSC\mcupdui.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
O1 - Hosts: 166.73.148.228 phlelweb1 phlelweb1.elending.fiservlendingsolutions.com
O1 - Hosts: 166.73.148.229 phlelweb2 phlelweb2.elending.fiservlendingsolutions.com
O1 - Hosts: 166.73.148.230 phlelwmp1 phlelwmp1.elending.fiservlendingsolutions.com
O1 - Hosts: 166.73.148.231 phlelwmp2 phlelwmp2.elending.fiservlendingsolutions.com
O1 - Hosts: 166.73.148.232 phlelprx1 phlelprx1.elending.fiservlendingsolutions.com
O1 - Hosts: 166.73.148.233 phlelprx2 phlelprx2.elending.fiservlendingsolutions.com
O1 - Hosts: 166.73.169.101 phlelwmi1 phlelwmi1.elending.fiservlendingsolutions.com
O1 - Hosts: 166.73.169.102 phlelwmi2 phlelwmi2.elending.fiservlendingsolutions.com
O1 - Hosts: 166.73.169.103 phlelapp1 phlelapp1.elending.fiservlendingsolutions.com
O1 - Hosts: 166.73.169.104 phlelapp2 phlelapp2.elending.fiservlendingsolutions.com
O1 - Hosts: 166.73.169.105 phlelsm1 phlelsm1.elending.fiservlendingsolutions.com
O1 - Hosts: 166.73.169.106 phlelsm2 phlelsm2.elending.fiservlendingsolutions.com
O1 - Hosts: 166.73.169.107 phleldb1 phleldb1.elending.fiservlendingsolutions.com
O1 - Hosts: 166.73.169.108 phleldb2 phleldb2.elending.fiservlendingsolutions.com
O1 - Hosts: 166.73.169.109 phleloem1 phleloem1.elending.fiservlendingsolutions.com
O1 - Hosts: 166.73.169.110 phlelrep1 phlelrep1.elending.fiservlendingsolutions.com
O1 - Hosts: 166.73.35.3 arlelweb1 arlelweb1.elending.fiservlendingsolutions.com
O1 - Hosts: 166.73.35.4 arlelweb2 arlelweb2.elending.fiservlendingsolutions.com
O1 - Hosts: 166.73.35.5 arlelwmp1 arlelwmp1.elending.fiservlendingsolutions.com
O1 - Hosts: 166.73.35.6 arlelwmp2 arlelwmp2.elending.fiservlendingsolutions.com
O1 - Hosts: 166.73.35.7 arlelprx1 arlelprx1.elending.fiservlendingsolutions.com
O1 - Hosts: 166.73.35.8 arlelprx2 arlelprx2.elending.fiservlendingsolutions.com
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Administrator\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\pmyiy.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XMLSPY2004\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {0FACC666-E038-43FF-B1A5-064FFB536934} (Upload.clsUpload) - http://els-tenrox-01...load/Upload.CAB
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://els-tenrox-01...oad/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {205E7068-6D03-4566-AD06-A146B592FBA5} (Loader Class v2) - http://testdirector/tdbin/Spider80.ocx
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://ra.arlington...=5500,0,50914,1
O16 - DPF: {3E059DAB-6894-435C-B758-2977F014D734} (TClientProc.ClientSettings) - http://els-tenrox-01...TClientProc.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125037037531
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://ra.arlington...=5500,0,50803,1
O16 - DPF: {7EB1930A-8342-4899-BD05-2D8722053AE1} (TWorkflowMapX.WorkflowMapX) - http://els-tenrox-01.../TWorkflowX.cab
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://fiserv.webex...bex/ieatgpc.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://ra.arlington...=5500,0,50928,1
O17 - HKLM\System\CCS\Services\Tcpip\..\{17E040F7-272A-4D7D-B161-1ED7A34172A3}: NameServer = 217.115.138.24,10.253.4.132
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = els.fiserv.net,fiserv.net,els.emergis.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{17E040F7-272A-4D7D-B161-1ED7A34172A3}: NameServer = 217.115.138.24,10.253.4.132
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = els.fiserv.net,fiserv.net,els.emergis.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{17E040F7-272A-4D7D-B161-1ED7A34172A3}: NameServer = 217.115.138.24,10.253.4.132
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = els.fiserv.net,fiserv.net,els.emergis.com
O23 - Service: McAfee Application Installer Cleanup (0097021197874843) (0097021197874843mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\009702~1.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\nvwtwxir.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14418 bytes
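A heuristic triage pass over HijackThis entries like the ones in the log above, written as an added example for this thread (it is not HijackThis output and not the helper's method). The sample entries are copied from the log; the rules (autostarts in user-writable folders, services with no recorded publisher or a missing binary, hosts overrides, DNS servers outside private ranges) are this example's own choices and mark entries for review rather than removal.

```python
# Added example for this thread: not HijackThis output and not the helper's method.
# Every rule below is a review heuristic chosen for this example; a flagged entry
# is a candidate for a closer look, not a removal verdict.
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: entries copied verbatim from the HJT log posted above.
SAMPLE_LOG = r"""
O1 - Hosts: 166.73.148.228 phlelweb1 phlelweb1.elending.fiservlendingsolutions.com
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\pmyiy.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{17E040F7-272A-4D7D-B161-1ED7A34172A3}: NameServer = 217.115.138.24,10.253.4.132
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\nvwtwxir.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
""".strip()

# Every HJT entry reads "<section> - <body>", e.g. "O4 - HKCU\..\Run: [name] path".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# User-writable folders; installed software rarely autostarts from them.
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")

@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str

def _exe_path(value: str) -> str:
    # Cut an O4 value down to the executable path, dropping quotes and switches.
    value = value.strip().strip('"')
    idx = value.lower().find(".exe")
    return value if idx < 0 else value[: idx + 4]

def check_hosts(body: str) -> str | None:
    """O1: any hosts override other than the default loopback entry."""
    m = re.match(r"Hosts:\s+(\S+)\s+(.*)", body)
    if not m:
        return None
    ip, names = m.group(1), m.group(2).split()
    if ip.startswith("127.") and names == ["localhost"]:
        return None
    return f"hosts override maps {names[0]} to {ip}"

def check_run(body: str) -> str | None:
    """O4: HKLM/HKCU Run entries whose target lives in a user-writable folder."""
    m = re.match(r"(HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<value>.*)", body)
    if not m:
        return None
    path = _exe_path(m.group("value")).lower()
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        return f"autostart [{m.group('name')}] runs from a user-writable folder"
    return None

def check_nameserver(body: str) -> str | None:
    """O17: DNS servers outside RFC 1918 space (confirm they belong to the ISP or employer)."""
    m = re.search(r"NameServer = (.*)", body)
    if not m:
        return None
    public = [t.strip() for t in m.group(1).split(",")
              if not ipaddress.ip_address(t.strip()).is_private]
    return "DNS server(s) outside private ranges: " + ", ".join(public) if public else None

def check_service(body: str) -> str | None:
    """O23: services with no recorded publisher or whose binary is gone from disk."""
    m = re.match(r"Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)", body)
    if not m:
        return None
    reasons = []
    if m.group("owner") == "Unknown owner":
        reasons.append("no publisher recorded")
    if "(file missing)" in m.group("path"):
        reasons.append("binary missing on disk")
    return f"service {m.group('name')}: " + "; ".join(reasons) if reasons else None

CHECKS = {"O1": check_hosts, "O4": check_run, "O17": check_nameserver, "O23": check_service}

def triage(log_text: str) -> list[Finding]:
    """Run the section-specific checks over every HJT entry and collect the hits."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        check = CHECKS.get(m.group("section"))
        reason = check(m.group("body")) if check else None
        if reason:
            findings.append(Finding(m.group("section"), reason, line))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```

Run over the whole log above it also flags the WinTouch autostart and the NICSer_WPC54G service, which is why a hit is a prompt to check the file, not a verdict.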

#4 Life Is Great! (New Member, 6 posts)

Posted 18 December 2007 - 08:54 AM

Hey Simon, one thing I noticed is that there are many entries for 'fiservlendingsolutions'; those are from the days when I used this as a work laptop. It is now a personal laptop, so those entries do not apply and can be removed if possible to clean it up.

#5 Simon V. (MRU Emeritus, Authentic Member, 897 posts)

Posted 18 December 2007 - 09:31 AM

Hi :)

It is now a personal laptop so those entries do not apply and can be removed if possible to clean it up.

Some of them I can remove (the O1 entries), but others I would rather not touch (the O17 entries).

Step 1

Please download HostsXpert.

  • Unzip HostsXpert.zip to your desktop.
  • Double click on HostsXpert.exe.
  • Click on Restore Original Hosts to restore your Hosts file to its default condition.
  • Click on Make Hosts Read Only to secure it against further infection.
  • Close the program when complete.

Step 2

Please download ATF Cleaner. Double-click on ATF-Cleaner.exe to start the program.

  • Under the Main tab, put a check next to Select All.
    Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
  • If you use the Firefox browser:
    Click on Firefox at the top and put a check next to Select All.
    If you would like to keep your saved passwords, click No at the prompt.
    Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
  • If you use the Opera browser:
    Click on Opera at the top and put a check next to Select All.
    If you would like to keep your saved passwords, click No at the prompt.
    Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)

Step 3

Please download Combofix:


Double-click on combofix.exe and follow the prompts.
When finished, it will produce a log for you. Save it to a convenient location.

Note: Do not mouse-click Combofix's window whilst it's running. That may cause it to stall.

Step 4

Please download and install CCleaner.

  • Open CCleaner. In the Left Pane, click Tools.
  • Verify that Uninstall is highlighted in color, or click on it.
  • In the lower right, click Save to Text File.
  • Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
  • You can leave the filename as install.txt.
  • Click Save.
  • Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.

Step 5

In your next reply, please post:

  • the Combofix log (C:\Combofix.txt)
  • the CCleaner Uninstall List (install.txt)
  • a new HijackThis log


#6 Life Is Great! (New Member, 6 posts)

Posted 18 December 2007 - 10:05 AM

Will do Simon. I have an appointment that I need to leave for now, but I will do what you have sent me tonight and report my results tomorrow with the applicable logs. Thank you very very much!

#7 Simon V. (MRU Emeritus, Authentic Member, 897 posts)

Posted 18 December 2007 - 10:07 AM

Will do Simon. I have an appointment that I need to leave for now, but I will do what you have sent me tonight and report my results tomorrow with the applicable logs. Thank you very very much!

That's fine :thumbup:

#8 Simon V. (MRU Emeritus, Authentic Member, 897 posts)

Posted 22 December 2007 - 08:20 AM

Are you still with me?

#9 Life Is Great! (New Member, 6 posts)

Posted 24 December 2007 - 10:42 AM

Hi Simon,
I apologize for the delay - I got caught up in the holiday shopping madness!

Well I have done a couple of things:
I ran HostsXpert - I had a little problem as it said it couldn't create a Host file, but I put the host file back to one before I had updated it and then it worked.
Then I ran ATFCleaner and it seemed to work.
I then ran ComboFix - below is the log:

ComboFix 07-12-21.4 - Administrator 2007-12-24 10:41:28.1 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\I0JQBJL6\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\ICROSO~1.NET
C:\Program Files\QdrDrive
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aajitual.dll
C:\WINDOWS\system32\cbyqgtqg.dll
C:\WINDOWS\system32\cuvopvoq.ini
C:\WINDOWS\system32\erbriybq.dll
C:\WINDOWS\system32\guwopdey.dll
C:\WINDOWS\system32\hmqsbwxm.ini
C:\WINDOWS\system32\kowkifqt.ini
C:\WINDOWS\system32\lautijaa.ini
C:\WINDOWS\system32\mxwbsqmh.dll
C:\WINDOWS\system32\oywpfiap.ini
C:\WINDOWS\system32\paifpwyo.dll
C:\WINDOWS\system32\pbgmwouc.dll
C:\WINDOWS\system32\pmvsents.dll
C:\WINDOWS\system32\ptsvrkbe.dll
C:\WINDOWS\system32\qovpovuc.dll
C:\WINDOWS\system32\srrwmoeb.dll
C:\WINDOWS\system32\ssttt.dll
C:\WINDOWS\system32\tqfikwok.dll
C:\WINDOWS\system32\tttss.bak1
C:\WINDOWS\system32\tttss.bak2
C:\WINDOWS\system32\tttss.ini
C:\WINDOWS\system32\yedpowug.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 )))))))))))))))))))))))))))))))
.

2007-12-23 17:39 . 2007-12-23 17:40 14,033 --a------ C:\posC9D.tmp
2007-12-22 12:22 . 2007-12-22 12:22 14,033 --a------ C:\pos9B9.tmp
2007-12-22 12:21 . 2007-12-22 12:21 165,472 --a------ C:\WINDOWS\system32\rinwexad.dll
2007-12-21 20:51 . 2007-12-21 20:51 14,033 --a------ C:\pos386.tmp
2007-12-21 19:10 . 2007-12-21 19:10 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-21 19:10 . 2007-12-21 19:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-21 19:07 . 2007-12-21 19:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-21 18:49 . 2007-12-21 18:49 14,033 --a------ C:\pos3E8.tmp
2007-12-21 18:48 . 2007-12-21 18:48 14,033 --a------ C:\pos2E0.tmp
2007-12-21 09:48 . 2007-12-21 09:48 13,033 --a------ C:\pos1FB.tmp
2007-12-21 09:48 . 2007-12-21 18:44 13,033 --a------ C:\pos1F4.tmp
2007-12-21 09:48 . 2007-12-21 18:44 12,033 --a------ C:\pos1F3.tmp
2007-12-21 09:48 . 2007-12-21 09:48 11,033 --a------ C:\pos1FA.tmp
2007-12-21 09:48 . 2007-12-21 09:48 11,033 --a------ C:\pos1F9.tmp
2007-12-21 09:48 . 2007-12-21 09:48 10,033 --a------ C:\pos1F8.tmp
2007-12-21 09:48 . 2007-12-21 09:48 10,033 --a------ C:\pos1F7.tmp
2007-12-21 09:48 . 2007-12-21 09:48 5,033 --a------ C:\pos1F6.tmp
2007-12-21 09:48 . 2007-12-21 09:48 5,033 --a------ C:\pos1F5.tmp
2007-12-21 09:46 . 2007-12-21 09:46 14,033 --a------ C:\posF.tmp
2007-12-20 10:17 . 2007-12-20 10:17 165,472 --a------ C:\WINDOWS\system32\jjspolpe.dll
2007-12-18 09:31 . 2007-12-18 09:31 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-17 10:21 . 2007-12-18 10:21 294 --ahs---- C:\WINDOWS\system32\rsvlhpyv.ini
2007-12-15 10:18 . 2007-12-16 10:18 354 --ahs---- C:\WINDOWS\system32\fwacusll.ini
2007-12-14 10:21 . 2007-12-14 10:21 294 --ahs---- C:\WINDOWS\system32\xujrxfgo.ini
2007-12-12 09:18 . 2007-12-13 09:19 354 --ahs---- C:\WINDOWS\system32\umdfyfbc.ini
2007-12-11 09:21 . 2007-12-11 09:21 294 --ahs---- C:\WINDOWS\system32\jawfklqj.ini
2007-12-07 18:57 . 2007-12-07 18:58 <DIR> d-------- C:\Program Files\Google
2007-12-07 18:57 . 2007-12-23 11:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-07 17:38 . 2007-12-08 17:38 714 --ahs---- C:\WINDOWS\system32\kbtopqde.ini
2007-12-06 17:41 . 2007-12-06 17:41 654 --ahs---- C:\WINDOWS\system32\wrhbfsqs.ini
2007-12-06 16:33 . 2007-12-06 17:24 594 --ahs---- C:\WINDOWS\system32\brddyyuu.ini
2007-12-05 16:01 . 2007-12-06 16:31 474 --ahs---- C:\WINDOWS\system32\stiltpht.ini
2007-12-05 07:35 . 2007-12-05 07:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MSNInstaller
2007-12-04 10:45 . 2007-12-05 07:37 792,944 --ahs---- C:\WINDOWS\system32\sniqkuwf.ini
2007-12-03 18:37 . 2007-12-03 19:16 0 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-03 17:04 . 2007-12-03 18:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-03 12:56 . 2007-12-03 12:56 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-12-03 12:56 . 2007-12-24 10:56 13,315 --a------ C:\WINDOWS\system32\Config.MPF
2007-12-03 12:55 . 2007-12-17 09:17 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-12-03 12:55 . 2007-12-17 00:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-03 12:55 . 2007-12-14 10:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SiteAdvisor
2007-12-03 12:53 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-12-03 12:50 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-12-03 12:50 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-12-03 12:50 . 2007-07-24 07:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-12-03 12:50 . 2007-07-21 09:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-12-03 12:50 . 2007-07-21 09:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-12-03 12:50 . 2007-07-24 12:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-12-03 12:46 . 2007-12-03 12:48 <DIR> d-------- C:\Program Files\McAfee.com
2007-12-03 12:43 . 2007-12-24 10:25 <DIR> d-------- C:\Program Files\McAfee
2007-12-03 12:43 . 2007-12-03 12:50 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-12-03 12:01 . 2007-12-03 12:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-03 10:48 . 2007-12-03 20:25 792,848 --ahs---- C:\WINDOWS\system32\adqogafi.ini
2007-12-02 06:38 . 2007-12-03 10:39 793,761 --ahs---- C:\WINDOWS\system32\vaaycxac.ini
2007-12-01 18:29 . 2007-12-03 12:19 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-01 18:29 . 2007-12-01 18:29 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-01 12:17 . 2007-12-01 12:17 <DIR> d-------- C:\Program Files\Viewpoint
2007-12-01 12:17 . 2007-12-01 19:37 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-12-01 12:17 . 2007-12-01 12:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-01 12:17 . 2007-12-01 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-12-01 12:17 . 2007-12-01 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-12-01 12:15 . 2007-12-01 12:18 540 --ah----- C:\IPH.PH

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-19 00:40 --------- d-----w C:\Program Files\Trillian
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 21:36 --------- d-----w C:\Program Files\MSXML 4.0
2007-11-04 17:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2007-11-04 17:11 --------- d-----w C:\Program Files\Common Files\HP
2007-11-04 17:09 --------- d-----w C:\Program Files\HP
2007-11-04 17:09 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-04 17:08 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-10-25 15:50 --------- d-----w C:\Program Files\Java
2007-05-02 11:41 28,672 ----a-w C:\Documents and Settings\Administrator\atwbxdet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CB2B78C-9CF8-43B9-A195-1C0969683C6F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1149038B-3311-4F3C-876A-540AA1410995}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{161D2143-9093-4471-B3B2-B5535FA8334E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A868BEE-3CC5-4F34-A0B2-17A4FC65645B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3308B5D6-ECAD-4CD3-A78B-87D89702BDCF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{699CA617-CAF7-4EB1-963A-56AF1260F764}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6bde67b5-1c47-4b14-a2c0-dd2d1147c11a}]
C:\WINDOWS\system32\erbriybq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7351F2D1-6CC8-445B-88CD-4B5BB3C0B1B8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A648504-7910-4568-A4CD-FE842D675482}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94223A32-AEDE-4405-A7C5-77D569CF3293}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96FFC7FA-625F-4624-921E-E85766A0C333}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98AF7946-CAE4-4AD1-8568-ADC764E3EACD}]
C:\WINDOWS\system32\ssttt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C510B7A2-CDC2-4386-8921-6D83BF8CE028}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CEE570A0-92BD-457B-B4B7-A65AFF839B79}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-12-21 07:16]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-12-21 07:11]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 11:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 14:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 03:01]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-03 03:05]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 07:12]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 07:11]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 15:24]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-11-19 11:14]
"hpWirelessAssistant"="C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2004-12-08 19:23]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2004-12-08 17:44]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-09-20 13:37]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 16:30]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-10-25 00:37]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 14:52]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 16:57]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-07-22 20:29]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-04 03:00]

C:\Documents and Settings\mharper\Start Menu\Programs\Startup\
Uninstall.lnk - C:\Program Files\War-ftpd\uninstall.exe [2007-01-30 15:59:39]
War FTPD Tray icon.lnk - C:\Program Files\War-ftpd\WarTrayIcon.exe [2007-01-30 15:59:39]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-09-15 08:53:17]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-03-12 23:16:34]
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2005-08-25 23:52:26]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-12-07 18:57:55]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Wireless-G Notebook Adapter.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2007-04-23 08:19:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"SFCDisable"=dword:00000004

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gofkoctp]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ugceahrw]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R2 NICSer_WPC54G;NICSer_WPC54G;C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe [2003-11-13 12:29]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-03 11:26]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2004-10-11 14:34]
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys [2004-09-24 22:36]
R3 urvpndrv;F5 Networks VPN Adapter;C:\WINDOWS\system32\DRIVERS\urvpndrv.sys [2005-09-14 07:45]
S2 0191931198509914mcinstcleanup;McAfee Application Installer Cleanup (0191931198509914);C:\WINDOWS\TEMP\019193~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service []
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 21:28]
S3 f5ipfw;F5 Networks StoneWall Filter;C:\WINDOWS\system32\drivers\urfltw2k.sys [2005-09-14 07:45]
S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys []

*Newly Created Service* - 0191931198509914MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder
"2007-12-15 07:04:30 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2007-12-03 17:48:33 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-24 11:05:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????8?1?4?7??P???? ?4?B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-24 11:07:42 - machine was rebooted
.
2007-12-23 18:31:56 --- E O F ---


********************************************************************************

I then installed CCleaner and followed the instructions to set it up, but I'm not sure what to do after I click on Save on the Tools tab. It says to exit CCleaner, but I'm not sure if I'm supposed to run the cleaner on the previous tab. So what do I do there?

Now a couple of notes for you:
- I had Spybot Search & Destroy installed, but I uninstalled it after I ran ComboFix because it was giving me a bunch of decisions to make with adding and deleting values, etc.
- Also, in my Windows Explorer window I notice now that my C drive has a great big red X beside it. I'm worried about that - it kinda looks like the Spybot X when it had deleted something. Docs on the drive seem to come up but I don't like that red X.

So let me know what I do with CCleaner, I'll do that, then run another Hijack log and see where we are. And let me know what you think why the Red X.

Thank you Simon - Happy Holidays!

#10 Simon V. (MRU Emeritus, Authentic Member, 897 posts)

Posted 24 December 2007 - 03:18 PM

Hi :) Merry Christmas!

I then installed CCleaner and followed the instructions to set it up, but I'm not sure what to do after I click on Save on the Tools tab. It says to exit CCleaner, but I'm not sure if I'm supposed to run the cleaner on the previous tab. So what do I do there?

You don't have to run the cleaner. I only want the Uninstall List, which should be created when you press Save. Please follow the instructions for creating it and post it in your next reply.

I had Spybot Search & Destroy installed, but I uninstalled it after I ran ComboFix because it was giving me a bunch of decisions to make with adding and deleting values, etc.

I'm sorry, I should've noticed that. You can install it back after the fix if you like.

Also, in my Windows Explorer window I notice now that my C drive has a great big red X beside it. I'm worried about that - it kinda looks like the Spybot X when it had deleted something. Docs on the drive seem to come up but I don't like that red X.

I'm not sure at the moment what that means, do you know how to take a screenshot so I have a better idea of how it looks?

Step 1

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

File::

C:\posC9D.tmp
C:\pos9B9.tmp
C:\WINDOWS\system32\rinwexad.dll
C:\pos386.tmp
C:\pos3E8.tmp
C:\pos2E0.tmp
C:\pos1FB.tmp
C:\pos1F4.tmp
C:\pos1F3.tmp
C:\pos1FA.tmp
C:\pos1F9.tmp
C:\pos1F8.tmp
C:\pos1F7.tmp
C:\pos1F6.tmp
C:\pos1F5.tmp
C:\posF.tmp
C:\WINDOWS\system32\jjspolpe.dll
C:\WINDOWS\system32\rsvlhpyv.ini
C:\WINDOWS\system32\fwacusll.ini
C:\WINDOWS\system32\xujrxfgo.ini
C:\WINDOWS\system32\umdfyfbc.ini
C:\WINDOWS\system32\jawfklqj.ini
C:\WINDOWS\system32\kbtopqde.ini
C:\WINDOWS\system32\wrhbfsqs.ini
C:\WINDOWS\system32\brddyyuu.ini
C:\WINDOWS\system32\stiltpht.ini
C:\WINDOWS\system32\sniqkuwf.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\adqogafi.ini
C:\WINDOWS\system32\vaaycxac.ini
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CB2B78C-9CF8-43B9-A195-1C0969683C6F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1149038B-3311-4F3C-876A-540AA1410995}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{161D2143-9093-4471-B3B2-B5535FA8334E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A868BEE-3CC5-4F34-A0B2-17A4FC65645B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3308B5D6-ECAD-4CD3-A78B-87D89702BDCF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{699CA617-CAF7-4EB1-963A-56AF1260F764}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6bde67b5-1c47-4b14-a2c0-dd2d1147c11a}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7351F2D1-6CC8-445B-88CD-4B5BB3C0B1B8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A648504-7910-4568-A4CD-FE842D675482}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94223A32-AEDE-4405-A7C5-77D569CF3293}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96FFC7FA-625F-4624-921E-E85766A0C333}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98AF7946-CAE4-4AD1-8568-ADC764E3EACD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C510B7A2-CDC2-4386-8921-6D83BF8CE028}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CEE570A0-92BD-457B-B4B7-A65AFF839B79}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"SFCDisable"=dword:00000000
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gofkoctp]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ugceahrw]

Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.

Step 2

Please do an online scan with Kaspersky WebScanner.

Click on Kaspersky Online Scanner. On the welcome screen, click Accept.

You will be prompted to install an ActiveX component from Kaspersky, click Install.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:

  • Scan using the following Anti-Virus database:

    Extended (if available, otherwise Standard)

  • Scan Options:

    Scan Archives
    Scan Mail Bases

  • Click OK.
  • Now under Select a Target to Scan:

    Select My Computer.

  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop.

Step 3

In your next reply, please post:

  • the CCleaner Uninstall List (install.txt)
  • the Combofix log (C:\Combofix.txt)
  • the Kaspersky Online Scan report
  • a new HijackThis log
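As an added triage example (not code from this thread, from ComboFix, or from Simon), the Python script below reads a ComboFix log in the layout quoted above, flags the three things Simon's CFScript acts on (SFCDisable set away from its default of 0, random-named Winlogon\notify subkeys, and the pos*.tmp / eight-letter system32 droppings) and drafts the File::/Registry:: sections in the same format he used. The file-name heuristics and the sample log lines are constructed for illustration; the paths and the SFCDisable value are taken from the thread.

```python
import re

# Registry path exactly as it appears in the thread's ComboFix log (lower case).
WINLOGON = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon"
NOTIFY_PREFIX = WINLOGON + "\\notify\\"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# ComboFix file-listing line: "<date> <time> . <date> <time> [<DIR>] <size> <attrs> <path>"
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d .*?\s(?P<path>[A-Za-z]:\\.+)$")
# Heuristics modelled on what the thread's CFScript removed: pos*.tmp files dropped in
# the root of C:, and eight-lowercase-letter .dll/.ini names in system32. Constructed
# for this example; they are a triage hint for a human reviewer, not a verdict.
ROOT_TMP_RE = re.compile(r"^C:\\pos[0-9A-Fa-f]+\.tmp$")
RANDOM_SYS32_RE = re.compile(r"^C:\\WINDOWS\\system32\\[a-z]{8}\.(?:dll|ini)$")

# Constructed sample in the layout of the log quoted in this thread; the paths and the
# SFCDisable value come from the thread, the dates and sizes are made up.
SAMPLE_LOG = r"""
2007-12-23 17:39 . 2007-12-23 17:40 14,033 --a------ C:\posC99.tmp
2007-12-22 12:22 . 2007-12-22 12:22 14,033 --a------ C:\pos9AD.tmp
2007-12-03 12:53 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-11-04 11:02 . 2007-11-04 11:02 140 --a------ C:\WINDOWS\dellstat.ini
2007-12-01 10:00 . 2007-12-01 10:00 45,056 --a------ C:\WINDOWS\system32\rinwexad.dll
2007-12-01 10:00 . 2007-12-01 10:00 1,024 --a------ C:\WINDOWS\system32\rsvlhpyv.ini
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"SFCDisable"=dword:00000004

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gofkoctp]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ugceahrw]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
"""


def parse_registry(log_text):
    """Map each [key] in the REGEDIT4 block to its {value_name: raw_value} lines."""
    keys, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value
    return keys


def parse_files(log_text):
    """Return every path listed on ComboFix's dated file-listing lines."""
    paths = []
    for raw in log_text.splitlines():
        m = FILE_RE.match(raw.strip())
        if m:
            paths.append(m.group("path"))
    return paths


def find_indicators(log_text):
    """Pull out the three things the thread's CFScript acts on."""
    reg = parse_registry(log_text)
    winlogon = {k.lower(): v for k, v in reg.items()}.get(WINLOGON.lower(), {})
    raw = winlogon.get("SFCDisable", "dword:00000000")
    sfcdisable = int(raw.split(":", 1)[1], 16) if raw.startswith("dword:") else 0
    notify_keys = [k for k in reg if k.lower().startswith(NOTIFY_PREFIX.lower())]
    files = [p for p in parse_files(log_text)
             if ROOT_TMP_RE.match(p) or RANDOM_SYS32_RE.match(p)]
    return {"sfcdisable": sfcdisable, "notify_keys": notify_keys, "files": files}


def build_cfscript(ind):
    """Draft a CFScript in the File::/Registry:: layout used in this thread."""
    lines = ["File::", *ind["files"], "", "Registry::"]
    for key in ind["notify_keys"]:
        lines.append(f"[-{key}]")  # '[-key]' is the delete-key form the thread's script uses
    if ind["sfcdisable"] != 0:
        lines.append(f"[{WINLOGON}]")
        lines.append('"SFCDisable"=dword:00000000')  # back to the default, as in the thread
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(find_indicators(SAMPLE_LOG)))
```

The draft is a starting point for review, not something to run unread: every flagged path and key should be checked by a person before it goes into a real CFScript.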


#11 Simon V. (MRU Emeritus, Authentic Member, 897 posts)

Posted 28 December 2007 - 02:23 PM

Are you still with me?

#12 Life Is Great! (New Member, 6 posts)

Posted 30 December 2007 - 09:46 AM

Ok Simon,
I think I have what you want:

CCleaner install.txt file
1600
1600_Help
1600Trb
Ad-Aware 2007
Adobe Flash Player ActiveX
Adobe Photoshop 7.0.1
Adobe Reader 7.0.9
Agere Systems AC'97 Modem
AiO_Scan
AiOSoftware
Alt-Tab Task Switcher Powertoy for Windows XP
ATI Display Driver
BufferChm
Calculator Powertoy for Windows XP
CCleaner (remove only)
ClearType Tuning Control Panel Applet
CmdHere Powertoy For Windows XP
Copy
CP_AtenaShokunin1Config
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CreativeProjects
CreativeProjectsTemplates
CueTour
Dell Photo AIO Printer 942
Destinations
Director
DocProc
DocumentViewer
Fax
Formatter Plus V1.3
Google Toolbar for Internet Explorer
Google Updater
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
HP Accessories Product Tour
HP BIOS Configuration for ProtectTools 1.00 C1
HP Extended Capabilities 4.7
HP Help and Support
HP Image Zone 4.7
HP Product Assistant
HP ProtectTools Security Manager 1.00 C3
HP PSC & OfficeJet 4.7
HP Software Update
HP Wireless Assistant
HpSdpAppCoreApp
HPSystemDiagnostics
Image Resizer Powertoy for Windows XP
InstantShare
Intel® Graphics Media Accelerator Driver for Mobile
InterVideo DVD Check
InterVideo WinDVD
J2SE Development Kit 5.0 Update 4
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 4
Java™ 6 Update 2
Java™ 6 Update 3
Lexmark Photo Center
Lexmark Z700-P700 Series
MarketResearch
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft ActiveSync 3.5
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft IntelliPoint 6.1
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Mozilla Firefox (1.0.6)
MSXML 4.0 SP2 (KB936181)
Odyssey Client
PanoStandAlone
PhotoGallery
ProductContext
PuTTY version 0.58
QFolder
Quest Software TOAD Professional Edition 7.4
Quick Launch Buttons 5.10 A2
Quicken 2007
QuickTime
Readme
Scan
ScannerCopy
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
SkinsHP1
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SoundMAX
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
TextPad 5
TIxx21
TrayApp
Trillian
Tweak UI
Unload
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Viewpoint Media Player
Virtual Desktop Manager Powertoy for Windows XP
VPN Client
WebEx
WebFldrs XP
webMethods 6.5 C:\Program Files\webMethods65
WebReg
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885464
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892559
Windows XP Hotfix - KB893086
WinSCP 3.7.5 beta
Wireless-G Notebook Adapter
XMLSPY 2004 Enterprise Edition


Combofix.txt
ComboFix 07-12-21.4 - Administrator 2007-12-30 10:08:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.70 [GMT -5:00]
Running from: C:\Downloads\ComboFix.exe
Command switches used :: C:\Downloads\CFScript.txt
* Created a new restore point

FILE
C:\pos1F3.tmp
C:\pos1F4.tmp
C:\pos1F5.tmp
C:\pos1F6.tmp
C:\pos1F7.tmp
C:\pos1F8.tmp
C:\pos1F9.tmp
C:\pos1FA.tmp
C:\pos1FB.tmp
C:\pos2E0.tmp
C:\pos386.tmp
C:\pos3E8.tmp
C:\pos9B9.tmp
C:\posC9D.tmp
C:\posF.tmp
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\adqogafi.ini
C:\WINDOWS\system32\brddyyuu.ini
C:\WINDOWS\system32\fwacusll.ini
C:\WINDOWS\system32\jawfklqj.ini
C:\WINDOWS\system32\jjspolpe.dll
C:\WINDOWS\system32\kbtopqde.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\rinwexad.dll
C:\WINDOWS\system32\rsvlhpyv.ini
C:\WINDOWS\system32\sniqkuwf.ini
C:\WINDOWS\system32\stiltpht.ini
C:\WINDOWS\system32\umdfyfbc.ini
C:\WINDOWS\system32\vaaycxac.ini
C:\WINDOWS\system32\wrhbfsqs.ini
C:\WINDOWS\system32\xujrxfgo.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\pos1F3.tmp
C:\pos1F4.tmp
C:\pos1F5.tmp
C:\pos1F6.tmp
C:\pos1F7.tmp
C:\pos1F8.tmp
C:\pos1F9.tmp
C:\pos1FA.tmp
C:\pos1FB.tmp
C:\pos2E0.tmp
C:\pos386.tmp
C:\pos3E8.tmp
C:\pos9B9.tmp
C:\posC9D.tmp
C:\posF.tmp
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\adqogafi.ini
C:\WINDOWS\system32\brddyyuu.ini
C:\WINDOWS\system32\fwacusll.ini
C:\WINDOWS\system32\jawfklqj.ini
C:\WINDOWS\system32\jjspolpe.dll
C:\WINDOWS\system32\kbtopqde.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\rinwexad.dll
C:\WINDOWS\system32\rsvlhpyv.ini
C:\WINDOWS\system32\sniqkuwf.ini
C:\WINDOWS\system32\stiltpht.ini
C:\WINDOWS\system32\umdfyfbc.ini
C:\WINDOWS\system32\vaaycxac.ini
C:\WINDOWS\system32\wrhbfsqs.ini
C:\WINDOWS\system32\xujrxfgo.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-30 )))))))))))))))))))))))))))))))
.

2007-12-30 07:39 . 2007-12-30 07:39 <DIR> d-------- C:\WINDOWS\LastGood
2007-12-28 16:33 . 2007-12-28 17:20 <DIR> d-------- C:\Kodak Pictures
2007-12-28 16:30 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-12-28 16:30 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-12-24 11:23 . 2007-12-24 11:23 <DIR> d-------- C:\Program Files\CCleaner
2007-12-23 17:39 . 2007-12-23 17:40 14,033 --a------ C:\posC99.tmp
2007-12-22 12:22 . 2007-12-22 12:22 14,033 --a------ C:\pos9AD.tmp
2007-12-21 20:52 . 2007-12-21 20:52 14,033 --a------ C:\pos7C3.tmp
2007-12-21 20:51 . 2007-12-21 20:52 13,033 --a------ C:\pos3F0.tmp
2007-12-21 20:51 . 2007-12-21 20:52 12,033 --a------ C:\pos3F1.tmp
2007-12-21 20:51 . 2007-12-21 20:52 11,033 --a------ C:\pos3F3.tmp
2007-12-21 20:51 . 2007-12-21 20:52 11,033 --a------ C:\pos39E.tmp
2007-12-21 20:51 . 2007-12-21 20:51 10,033 --a------ C:\pos371.tmp
2007-12-21 20:51 . 2007-12-21 20:52 9,033 --a------ C:\pos3F2.tmp
2007-12-21 20:51 . 2007-12-21 20:52 8,033 --a------ C:\pos3F4.tmp
2007-12-21 20:51 . 2007-12-21 20:51 7,033 --a------ C:\pos37A.tmp
2007-12-21 20:51 . 2007-12-21 20:51 7,033 --a------ C:\pos367.tmp
2007-12-21 20:51 . 2007-12-21 20:51 6,033 --a------ C:\pos383.tmp
2007-12-21 20:51 . 2007-12-21 20:51 6,033 --a------ C:\pos379.tmp
2007-12-21 19:10 . 2007-12-21 19:10 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-21 19:10 . 2007-12-21 19:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-21 19:07 . 2007-12-21 19:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-21 18:48 . 2007-12-21 18:48 14,033 --a------ C:\pos2C5.tmp
2007-12-21 09:47 . 2007-12-21 09:47 14,033 --a------ C:\posEE.tmp
2007-12-21 09:46 . 2007-12-21 09:46 14,033 --a------ C:\posD.tmp
2007-12-20 10:17 . 2007-12-20 10:17 14,033 --a------ C:\pos5E1.tmp
2007-12-18 09:31 . 2007-12-18 09:31 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-07 18:57 . 2007-12-07 18:58 <DIR> d-------- C:\Program Files\Google
2007-12-07 18:57 . 2007-12-29 18:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-05 07:35 . 2007-12-05 07:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MSNInstaller
2007-12-03 17:04 . 2007-12-24 11:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-03 12:56 . 2007-12-03 12:56 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-12-03 12:56 . 2007-12-29 16:31 13,315 --a------ C:\WINDOWS\system32\Config.MPF
2007-12-03 12:55 . 2007-12-17 09:17 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-12-03 12:55 . 2007-12-17 00:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-03 12:55 . 2007-12-28 20:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SiteAdvisor
2007-12-03 12:53 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-12-03 12:50 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-12-03 12:50 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-12-03 12:50 . 2007-07-24 07:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-12-03 12:50 . 2007-07-21 09:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-12-03 12:50 . 2007-07-21 09:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-12-03 12:50 . 2007-07-24 12:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-12-03 12:46 . 2007-12-03 12:48 <DIR> d-------- C:\Program Files\McAfee.com
2007-12-03 12:43 . 2007-12-30 07:39 <DIR> d-------- C:\Program Files\McAfee
2007-12-03 12:43 . 2007-12-03 12:50 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-12-03 12:01 . 2007-12-03 12:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-01 12:17 . 2007-12-01 12:17 <DIR> d-------- C:\Program Files\Viewpoint
2007-12-01 12:17 . 2007-12-01 19:37 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-12-01 12:17 . 2007-12-01 12:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-01 12:17 . 2007-12-01 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-12-01 12:17 . 2007-12-01 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-12-01 12:15 . 2007-12-01 12:18 540 --ah----- C:\IPH.PH
2007-11-10 16:36 . 2007-11-10 16:36 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-04 12:12 . 2007-11-04 12:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2007-11-04 12:10 . 2007-11-04 12:11 <DIR> d-------- C:\Program Files\Common Files\HP
2007-11-04 12:08 . 2007-11-04 12:09 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-11-04 12:08 . 2007-11-04 12:08 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-11-04 11:47 . 2004-09-29 12:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-11-04 11:47 . 2004-09-29 12:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-11-04 11:47 . 2004-09-29 12:09 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-11-04 11:47 . 2004-09-29 12:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-11-04 11:47 . 2004-09-29 12:08 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-11-04 11:47 . 2004-09-29 12:09 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-11-04 11:42 . 2007-11-04 12:09 <DIR> d-------- C:\Program Files\HP
2007-11-04 11:41 . 2007-11-04 12:22 68,939 --a------ C:\WINDOWS\hpoins05.dat
2007-11-04 11:41 . 2004-12-14 11:07 19,696 --------- C:\WINDOWS\hpomdl05.dat
2007-11-04 11:40 . 2004-12-14 11:07 708,608 -ra------ C:\WINDOWS\system32\hpotiop.dll
2007-11-04 11:40 . 2004-12-14 11:07 278,528 -ra------ C:\WINDOWS\system32\hpgwiamd.dll
2007-11-04 11:40 . 2004-12-14 11:07 274,432 -ra------ C:\WINDOWS\system32\HPZc3212.dll
2007-11-04 11:40 . 2004-12-14 11:07 229,376 -ra------ C:\WINDOWS\system32\hpovst08.dll
2007-11-04 11:40 . 2004-12-14 11:07 51,120 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2007-11-04 11:40 . 2004-12-14 11:07 21,744 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2007-11-04 11:40 . 2004-12-14 11:07 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2007-11-04 11:40 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-11-04 11:40 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2007-11-04 11:02 . 2007-11-04 11:02 140 --a------ C:\WINDOWS\dellstat.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-19 00:40 --------- d-----w C:\Program Files\Trillian
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 09:55 3,065,856 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-11 05:57 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-10-11 05:57 666,112 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-11 05:57 617,984 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-11 05:57 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-11 05:57 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-11 05:57 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-10-11 05:57 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-11 05:57 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-10-11 05:57 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-10-11 05:57 251,904 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-10-11 05:57 205,824 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-11 05:57 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-11 05:57 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-10-11 05:57 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-11 05:57 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-10-11 05:57 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-10-11 05:57 1,024,000 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-10-10 10:48 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-05-02 11:41 28,672 ----a-w C:\Documents and Settings\Administrator\atwbxdet.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-24_11.05.54.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-24 14:07:17 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-30 12:38:48 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-12-24 14:07:17 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-30 12:38:48 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-12-24 14:07:17 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-30 12:38:48 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-12-24 16:00:04 63,590 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-12-29 20:31:47 63,590 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-12-24 16:00:04 404,536 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-12-29 20:31:47 404,536 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-12-21 07:16]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-12-21 07:11]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 11:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 14:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 03:01]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-03 03:05]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 07:12]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 07:11]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 15:24]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-11-19 11:14]
"hpWirelessAssistant"="C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2004-12-08 19:23]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2004-12-08 17:44]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-09-20 13:37]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 16:30]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-10-25 00:37]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 14:52]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 16:57]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-07-22 20:29]

C:\Documents and Settings\mharper\Start Menu\Programs\Startup\
Uninstall.lnk - C:\Program Files\War-ftpd\uninstall.exe [2007-01-30 15:59:39]
War FTPD Tray icon.lnk - C:\Program Files\War-ftpd\WarTrayIcon.exe [2007-01-30 15:59:39]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-09-15 08:53:17]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-03-12 23:16:34]
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2005-08-25 23:52:26]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-12-07 18:57:55]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Wireless-G Notebook Adapter.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2007-04-23 08:19:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gofkoctp]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ugceahrw]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R2 NICSer_WPC54G;NICSer_WPC54G;C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe [2003-11-13 12:29]
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 21:28]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-03 11:26]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2004-10-11 14:34]
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys [2004-09-24 22:36]
R3 urvpndrv;F5 Networks VPN Adapter;C:\WINDOWS\system32\DRIVERS\urvpndrv.sys [2005-09-14 07:45]
S2 0083761199018354mcinstcleanup;McAfee Application Installer Cleanup (0083761199018354);C:\WINDOWS\TEMP\008376~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service []
S3 f5ipfw;F5 Networks StoneWall Filter;C:\WINDOWS\system32\drivers\urfltw2k.sys [2005-09-14 07:45]
S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys []

.
Contents of the 'Scheduled Tasks' folder
"2007-12-15 07:04:30 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2007-12-03 17:48:33 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-30 10:12:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????8?1?4?7??????? ?4?B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-30 10:13:44
C:\ComboFix2.txt ... 2007-12-24 11:07
.
2007-12-23 18:31:56 --- E O F ---



Kaspersky log
I could not get past the first page on the website to run it - got an error.

New Hijackthis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:08 AM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XMLSPY2004\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {0FACC666-E038-43FF-B1A5-064FFB536934} (Upload.clsUpload) - http://els-tenrox-01...load/Upload.CAB
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://els-tenrox-01...oad/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {205E7068-6D03-4566-AD06-A146B592FBA5} (Loader Class v2) - http://testdirector/tdbin/Spider80.ocx
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://ra.arlington...=5500,0,50914,1
O16 - DPF: {3E059DAB-6894-435C-B758-2977F014D734} (TClientProc.ClientSettings) - http://els-tenrox-01...TClientProc.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125037037531
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://ra.arlington...=5500,0,50803,1
O16 - DPF: {7EB1930A-8342-4899-BD05-2D8722053AE1} (TWorkflowMapX.WorkflowMapX) - http://els-tenrox-01.../TWorkflowX.cab
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://fiserv.webex...bex/ieatgpc.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://ra.arlington...=5500,0,50928,1
O17 - HKLM\System\CCS\Services\Tcpip\..\{17E040F7-272A-4D7D-B161-1ED7A34172A3}: NameServer = 217.115.138.24,10.253.4.132
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = els.fiserv.net,fiserv.net,els.emergis.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{17E040F7-272A-4D7D-B161-1ED7A34172A3}: NameServer = 217.115.138.24,10.253.4.132
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = els.fiserv.net,fiserv.net,els.emergis.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{17E040F7-272A-4D7D-B161-1ED7A34172A3}: NameServer = 217.115.138.24,10.253.4.132
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = els.fiserv.net,fiserv.net,els.emergis.com
O23 - Service: McAfee Application Installer Cleanup (0083761199018354) (0083761199018354mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\008376~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12799 bytes

I want to send you an image of the Red X by my C drive - how shall I do that? I did some searches and the only issues I ever saw with Red X's was on mapped drives, not the root drive, so I'm not sure what is going on. I did see some programs to clean up the registry - what do you think of those?

Anyway, let me know if I got you all that you need. Thank you Simon.

#13 Simon V. (MRU Emeritus, Authentic Member, 897 posts)

Posted 30 December 2007 - 02:42 PM

Hi :)

These URLs: http://els-tenrox-01, do you know what they are?

To create a screenshot from your Hard Drive, double-click on My Computer, then click on the Prt Scr key on your keyboard (it's normally located next to the F12 button).
Then go to Start > All Programs > Accessories > Paint.
In Paint, go to Edit > Paste, then File > Save as.... Be sure to save the files as '.JPG' format.
Then go to http://www.rapidshare.com/, click on Browse..., browse to the screenshot and press Open, then Upload!.
Give me the web address to the file in your next reply.

Step 1

Click on Start, then Control Panel. Double click on Add or Remove Programs.

Please remove the following program(s):

  • J2SE Runtime Environment 5.0
  • J2SE Runtime Environment 5.0 Update 4
  • Java™ 6 Update 2

Step 2

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

File::

C:\posC99.tmp
C:\pos9AD.tmp
C:\pos7C3.tmp
C:\pos3F0.tmp
C:\pos3F1.tmp
C:\pos3F3.tmp
C:\pos39E.tmp
C:\pos371.tmp
C:\pos3F2.tmp
C:\pos3F4.tmp
C:\pos37A.tmp
C:\pos367.tmp
C:\pos383.tmp
C:\pos379.tmp
C:\pos2C5.tmp
C:\posEE.tmp
C:\posD.tmp
C:\pos5E1.tmp

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gofkoctp]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ugceahrw]

Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.

Step 3

Please visit TotalScan.

  • Under Scan Now click the Full Scan button.
  • Follow the prompts to install the Active X if necessary.
  • It will take a while, let it run unhindered.
  • When the scan is finished, a report will be generated.
  • Next to Scan Details click the small Save button and save the report to your desktop.

Step 4

In your next reply, please post:

  • the Combofix log (C:\Combofix.txt)
  • the TotalScan log
  • a new HijackThis log
  • the website address to the screenshot


#14 Simon V. (MRU Emeritus, Authentic Member, 897 posts)

Posted 01 January 2008 - 09:42 AM

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log
