Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91636 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Closed] getting unhijacked


  • This topic is locked This topic is locked
36 replies to this topic

#1 Pundah

Pundah

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 21 May 2008 - 04:57 PM

Hi, I'm sorry, I posted this a few weeks ago and had not been able to get back till now. I'm resubmitting with Silver's reply, which I thank you for. Silver you said:

Hi Pundah,

There is a commercial keylogging program installed on this machine, are you aware of this?
If you want to remove it I need to ask you to confirm for me whether you are the owner/administrator of this machine.

Yes, I'm awae of this, and I am the owner of the machine. I dont want to remove that, but I would like to get unjacked. Are the instructions you sent to unhijack, or just to remove the keylog program?
Thanks, and I will do better at getting back to the computer to check. Thank you!
Pundah

REPOST OF ORIGINAL

Hello, first thanks for this forum and your help. We wound up with what I think is a hijack when my partner was surfing. When we run google searches now, we get results but if we click those results we are taken thru several other search pages and not directly to the google results site. It hasnt seemed to cause any real problems but is really annoying and slows things down.

When it first happened, we had a box in the task bar that every 2 minutes would pop up and want to take us to a spyware software purchase. I managed to get rid of that, and I deleted the "program" from my applications folder, but we're still being hijacked on searches.

I hope I ran the log right: If I need to provide any other info I'm glad to. Not very knowledgeable with terms and such but will do my best. Thanks so much!

Logfile of HijackThis v1.99.1
Scan saved at 7:53:11 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Microsoft Shared\DAO\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: 209789 helper - {5C78E2DB-5AFC-4A3B-9B9F-6AF136562E6F} - C:\WINDOWS\system32\209789\209789.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [WinService32] svchost
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [WinLiveUpdate] C:\Program Files\Common Files\Microsoft Shared\DAO\system32\svchost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZUxdm265YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsu...asp/tgctlsr.cab
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www1.snapfish...tlookImport.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119564746437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1119570358859
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://real.gamehous...mjolauncher.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://real.gamehous...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {E6182DB0-BE70-4EA3-A8FB-D402C6D951D5} (VUploader Control) - http://photofiddle.c...loaderProj1.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe



This post has been edited by silver: May 1 2008, 05:07 AM

Attached File(s)
hijackthis_log_4_15_08.txt ( 10.97K ) Number of downloads: 7


Full Edit
Quick Edit

silver

View Member Profile
Add as Friend
Send Message
Find Member's Topics
Find Member's Posts May 1 2008, 05:11 AM Post #2


SuperMember


Group: Classroom Teacher
Posts: 2,148
Joined: 3-March 07
From: GMT+7
Member No.: 68,406
Operating System: Ubuntu / Vista / XP



Hi Pundah,

There is a commercial keylogging program installed on this machine, are you aware of this?
If you want to remove it I need to ask you to confirm for me whether you are the owner/administrator of this machine.

    Advertisements

Register to Remove


#2 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 31 May 2008 - 08:51 AM

Be sure to keep SunJava, updated 6.6 is the new version
In Add/Remove programs click on these and press *remove* if listed:
J2SE Runtime Environment 5.0 - 97.99Mb
J2SE Runtime Environment 5.0 Update 2 - 143.00Mb
J2SE Runtime Environment 5.0 Update 4 - 144.00Mb
J2SE Runtime Environment 5.0 Update 5- 151.00Mb
Java 2 Runtime Environment, SE v1.4.2_04 - 130.00Mb
Or any other outdated J2SE
It is important to remove older versions as these are the ones with the holes in them.
You will be surprised when you go to add/remove to see all of the versions sitting there.
Download Newest >>>> http://www.java.com/...nload/index.jsp
Once installed you can test to see that it is in fact installed >>>>
Sun Java Test

----------------------------------------------------

Run - ATF Cleaner instructions here.

----------------


Then download Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

#3 Pundah

Pundah

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 31 May 2008 - 04:28 PM

Thank you Silver Eagle! I am taking these steps now and will report back. FYI, I deleted several 5.0 javas - I also have Java TM 6 updates 1 and 2. Should I delete those? Thanks!

#4 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 31 May 2008 - 06:52 PM

Yes all of them but 6.0 update 6 :thumbup:

#5 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 06 June 2008 - 03:45 AM

Run - ATF Cleaner instructions here.

----------------


Then download Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Have yoou gotten around to this yet?

#6 Pundah

Pundah

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 12 June 2008 - 04:26 PM

Hi! Yes, I did, and that solved my problem of my search engine going to random and strange lands. Thank you so much! Now I'm having a bug problem. It's related to the malware I guess? I dont know what to do, dialog boxes keep popping up and it seems to be interfering with my antivirus program, too. What do I do next? Thank you! (Sorry for the delay I work insane hours and have a full household.)

#7 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 12 June 2008 - 08:17 PM

The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

I would like to see the log please.

#8 Pundah

Pundah

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 13 June 2008 - 04:18 PM

Hi, thanks for the quick reply. This is really terrible, my kids are terrified to come near the computer for the big black bugs crawling all over the screen. It's giving one of them nightmares even tho I've banned them from computer. It seems to want me to purchase for $50 the antimalware software. I dont have $50 with all these mouths to feed, if that is the problem. I tried to delete/uninstall with no luck. Thanks for your time and help! Here is the log of 6/13/08 6:20 pm est:

Logfile of HijackThis v1.99.1
Scan saved at 6:16:49 PM, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\lphc3bmj0eg6r.exe
C:\Program Files\shc5bmj0eg6r\shc5bmj0eg6r.exe
C:\WINDOWS\system32\sysrest32.exe
C:\Program Files\Common Files\Microsoft Shared\DAO\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
C:\Program Files\AXPFixer\AXPFixer.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [WinService32] svchost
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [lphc3bmj0eg6r] C:\WINDOWS\system32\lphc3bmj0eg6r.exe
O4 - HKLM\..\Run: [SMshc5bmj0eg6r] C:\Program Files\shc5bmj0eg6r\shc5bmj0eg6r.exe
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKLM\..\Run: [WinLiveUpdate] C:\Program Files\Common Files\Microsoft Shared\DAO\system32\svchost.exe
O4 - HKLM\..\Run: [AXPFixer] C:\Program Files\AXPFixer\AXPFixer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsu...asp/tgctlsr.cab
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www1.snapfish...tlookImport.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119564746437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1119570358859
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://real.gamehous...mjolauncher.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://real.gamehous...outLauncher.cab
O16 - DPF: {E6182DB0-BE70-4EA3-A8FB-D402C6D951D5} (VUploader Control) - http://photofiddle.c...loaderProj1.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

#9 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 13 June 2008 - 08:30 PM

Download ComboFix from Here or Here to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.



1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re enable the protection again afterwards before connecting to the net


2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
  • If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.

#10 Pundah

Pundah

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 14 June 2008 - 07:02 AM

All right, thank you. I know how to snooze my anti virus but Malware Protector 2008 and Advanced AP Fixer are the 2 programs (newly stuck on my system) that I cant to anything with. I'll check with the folks you suggested about how to disable those, them come back and run your instructions. I have family things all weekend but will try to get to it, it's making us all crazy. Thanks!

    Advertisements

Register to Remove


#11 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 14 June 2008 - 06:43 PM

Try to run combofix it may run with out killing all of them.

#12 Pundah

Pundah

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 15 June 2008 - 05:39 PM

Hi Silver, well I was so hopeful but i dont think it worked. It got all the way to trying to run log, then gives dial box "SVCHOST jpeg dll not found. You must reinstall program. Cannot run log,but am posting hijac log. When it rebooted, axp fixer came back - the malware icons did not come back on desktop but they are in tray and the bugs are still crawlig on screen. Clock is still reset by combofix but the jpeg messge comes up every few minuts. entire system is sooo slow. thanyo! when it comes back i will donate.
Logfile of HijackThis v1.99.1
Scan saved at 19:28, on 2008-06-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CF18858.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\lphc3bmj0eg6r.exe
C:\Program Files\shc5bmj0eg6r\shc5bmj0eg6r.exe
C:\Program Files\AXPFixer\AXPFixer.exe
C:\Program Files\Common Files\Microsoft Shared\DAO\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
C:\ComboFix\Catchme.tmp
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\CA\eTrust Internet Security Suite\ccupdate\CCUpdate.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\ComboFix\vfind.cfexe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [WinService32] svchost
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [lphc3bmj0eg6r] C:\WINDOWS\system32\lphc3bmj0eg6r.exe
O4 - HKLM\..\Run: [SMshc5bmj0eg6r] C:\Program Files\shc5bmj0eg6r\shc5bmj0eg6r.exe
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKLM\..\Run: [AXPFixer] C:\Program Files\AXPFixer\AXPFixer.exe
O4 - HKLM\..\Run: [WinLiveUpdate] C:\Program Files\Common Files\Microsoft Shared\DAO\system32\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsu...asp/tgctlsr.cab
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www1.snapfish...tlookImport.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119564746437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1119570358859
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://real.gamehous...mjolauncher.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://real.gamehous...outLauncher.cab
O16 - DPF: {E6182DB0-BE70-4EA3-A8FB-D402C6D951D5} (VUploader Control) - http://photofiddle.c...loaderProj1.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

#13 Pundah

Pundah

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 15 June 2008 - 05:51 PM

Hey! I think something happened. First the log came thru (below). Then, the defender and fixer icons disappeared from the tray! My system seems faster again (oh, but the AP fixer dialog box just popped up :( And here come the bugs crawling. UGH. There is one other dialog box that comes up that doesnt seem to have any icons. It's called winifixer and it founds threats too the same # that defender and Xfixer find. Well and the defender dialog box just popped up too. The missing jpeg box keeps popping. Well I think we're in the right direction. Here is the log:


ComboFix 08-06-15.2 - Owner 2008-06-15 19:13:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.208 [GMT -4:00]
Running from: C:\Documents and Settings\Owner.RESTOREFEB05\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Desktop\Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\How to Register Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Register Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Uninstall.lnk
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Tvm.log
C:\Documents and Settings\Owner.RESTOREFEB05\Application Data\AXPDefender
C:\Documents and Settings\Owner.RESTOREFEB05\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Protector 2008.lnk
C:\Documents and Settings\Owner.VIGGO\Local Settings\Temporary Internet Files\Tvm.log
C:\Program Files\Common Files\SLMSS
C:\WINDOWS\system32\C.tmp
C:\WINDOWS\system32\ijl11pro.dll
C:\WINDOWS\system32\sysrest32.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.

2008-06-15 00:01 . 2008-06-14 23:51 52,736 --a------ C:\WINDOWS\system32\FF.tmp
2008-06-14 23:41 . 2008-06-14 23:31 52,736 --a------ C:\WINDOWS\system32\F9.tmp
2008-06-14 23:31 . 2008-06-14 23:20 52,736 --a------ C:\WINDOWS\system32\F6.tmp
2008-06-14 23:20 . 2008-06-14 23:10 52,736 --a------ C:\WINDOWS\system32\F3.tmp
2008-06-14 23:10 . 2008-06-14 23:00 52,736 --a------ C:\WINDOWS\system32\F0.tmp
2008-06-14 23:00 . 2008-06-14 22:49 52,736 --a------ C:\WINDOWS\system32\ED.tmp
2008-06-14 22:49 . 2008-06-14 22:39 52,736 --a------ C:\WINDOWS\system32\EA.tmp
2008-06-14 22:39 . 2008-06-14 22:28 52,736 --a------ C:\WINDOWS\system32\E7.tmp
2008-06-14 22:28 . 2008-06-14 22:18 52,736 --a------ C:\WINDOWS\system32\E4.tmp
2008-06-14 22:18 . 2008-06-14 22:08 52,736 --a------ C:\WINDOWS\system32\E1.tmp
2008-06-14 22:08 . 2008-06-14 21:58 52,736 --a------ C:\WINDOWS\system32\DE.tmp
2008-06-14 21:57 . 2008-06-14 21:47 52,736 --a------ C:\WINDOWS\system32\DB.tmp
2008-06-14 21:47 . 2008-06-14 21:37 52,736 --a------ C:\WINDOWS\system32\D8.tmp
2008-06-14 21:37 . 2008-06-14 21:27 52,736 --a------ C:\WINDOWS\system32\D5.tmp
2008-06-14 21:27 . 2008-06-14 21:16 52,736 --a------ C:\WINDOWS\system32\D2.tmp
2008-06-14 21:16 . 2008-06-14 21:06 52,736 --a------ C:\WINDOWS\system32\CF.tmp
2008-06-14 21:06 . 2008-06-14 20:56 52,736 --a------ C:\WINDOWS\system32\CC.tmp
2008-06-14 20:56 . 2008-06-14 20:46 52,736 --a------ C:\WINDOWS\system32\C9.tmp
2008-06-14 20:46 . 2008-06-14 20:36 52,736 --a------ C:\WINDOWS\system32\C6.tmp
2008-06-14 20:36 . 2008-06-14 20:26 52,736 --a------ C:\WINDOWS\system32\C3.tmp
2008-06-14 20:26 . 2008-06-14 20:16 52,736 --a------ C:\WINDOWS\system32\C0.tmp
2008-06-14 20:16 . 2008-06-14 20:05 52,736 --a------ C:\WINDOWS\system32\BC.tmp
2008-06-14 20:05 . 2008-06-14 19:55 52,736 --a------ C:\WINDOWS\system32\B9.tmp
2008-06-14 19:55 . 2008-06-14 19:45 52,736 --a------ C:\WINDOWS\system32\B5.tmp
2008-06-14 19:45 . 2008-06-14 19:35 52,736 --a------ C:\WINDOWS\system32\B0.tmp
2008-06-14 19:35 . 2008-06-14 19:25 52,736 --a------ C:\WINDOWS\system32\AD.tmp
2008-06-14 19:25 . 2008-06-14 19:15 52,736 --a------ C:\WINDOWS\system32\AA.tmp
2008-06-14 19:15 . 2008-06-14 19:05 52,736 --a------ C:\WINDOWS\system32\A7.tmp
2008-06-14 19:05 . 2008-06-14 18:55 52,736 --a------ C:\WINDOWS\system32\A3.tmp
2008-06-14 18:55 . 2008-06-14 18:45 52,736 --a------ C:\WINDOWS\system32\A0.tmp
2008-06-14 17:55 . 2008-06-14 17:45 52,736 --a------ C:\WINDOWS\system32\8E.tmp
2008-06-14 17:45 . 2008-06-14 17:34 52,736 --a------ C:\WINDOWS\system32\8B.tmp
2008-06-14 17:34 . 2008-06-14 17:24 52,736 --a------ C:\WINDOWS\system32\86.tmp
2008-06-14 17:24 . 2008-06-14 17:14 52,736 --a------ C:\WINDOWS\system32\81.tmp
2008-06-14 17:14 . 2008-06-14 17:04 52,736 --a------ C:\WINDOWS\system32\7D.tmp
2008-06-14 17:04 . 2008-06-14 16:54 52,736 --a------ C:\WINDOWS\system32\78.tmp
2008-06-14 16:54 . 2008-06-14 16:44 52,736 --a------ C:\WINDOWS\system32\75.tmp
2008-06-14 08:11 . 2008-06-14 08:01 52,736 --a------ C:\WINDOWS\system32\3AC.tmp
2008-06-14 08:01 . 2008-06-14 07:50 52,736 --a------ C:\WINDOWS\system32\3A9.tmp
2008-06-14 07:50 . 2008-06-14 07:40 52,736 --a------ C:\WINDOWS\system32\3A6.tmp
2008-06-14 07:40 . 2008-06-14 07:30 52,736 --a------ C:\WINDOWS\system32\3A3.tmp
2008-06-14 07:30 . 2008-06-14 07:19 52,736 --a------ C:\WINDOWS\system32\3A0.tmp
2008-06-14 07:19 . 2008-06-14 07:09 52,736 --a------ C:\WINDOWS\system32\39D.tmp
2008-06-14 07:09 . 2008-06-14 06:59 52,736 --a------ C:\WINDOWS\system32\39A.tmp
2008-06-14 06:58 . 2008-06-14 06:48 52,736 --a------ C:\WINDOWS\system32\397.tmp
2008-06-14 06:48 . 2008-06-14 06:38 52,736 --a------ C:\WINDOWS\system32\394.tmp
2008-06-14 06:38 . 2008-06-14 06:28 52,736 --a------ C:\WINDOWS\system32\391.tmp
2008-06-14 06:28 . 2008-06-14 06:17 52,736 --a------ C:\WINDOWS\system32\38E.tmp
2008-06-14 06:17 . 2008-06-14 06:07 52,736 --a------ C:\WINDOWS\system32\38B.tmp
2008-06-14 06:07 . 2008-06-14 05:56 52,736 --a------ C:\WINDOWS\system32\388.tmp
2008-06-14 05:56 . 2008-06-14 05:46 52,736 --a------ C:\WINDOWS\system32\385.tmp
2008-06-14 05:46 . 2008-06-14 05:36 52,736 --a------ C:\WINDOWS\system32\382.tmp
2008-06-14 05:36 . 2008-06-14 05:26 52,736 --a------ C:\WINDOWS\system32\37F.tmp
2008-06-14 05:26 . 2008-06-14 05:15 52,736 --a------ C:\WINDOWS\system32\37C.tmp
2008-06-14 05:15 . 2008-06-14 05:05 52,736 --a------ C:\WINDOWS\system32\379.tmp
2008-06-14 05:05 . 2008-06-14 04:55 52,736 --a------ C:\WINDOWS\system32\376.tmp
2008-06-14 04:55 . 2008-06-14 04:44 52,736 --a------ C:\WINDOWS\system32\373.tmp
2008-06-14 04:44 . 2008-06-14 04:34 52,736 --a------ C:\WINDOWS\system32\370.tmp
2008-06-14 04:34 . 2008-06-14 04:24 52,736 --a------ C:\WINDOWS\system32\36D.tmp
2008-06-14 04:24 . 2008-06-14 04:14 52,736 --a------ C:\WINDOWS\system32\36A.tmp
2008-06-14 04:14 . 2008-06-14 04:03 52,736 --a------ C:\WINDOWS\system32\367.tmp
2008-06-14 04:03 . 2008-06-14 03:53 52,736 --a------ C:\WINDOWS\system32\364.tmp
2008-06-14 03:53 . 2008-06-14 03:43 52,736 --a------ C:\WINDOWS\system32\361.tmp
2008-06-14 03:43 . 2008-06-14 03:33 52,736 --a------ C:\WINDOWS\system32\35E.tmp
2008-06-14 03:33 . 2008-06-14 03:22 52,736 --a------ C:\WINDOWS\system32\35B.tmp
2008-06-14 03:22 . 2008-06-14 03:12 52,736 --a------ C:\WINDOWS\system32\358.tmp
2008-06-14 03:12 . 2008-06-14 03:02 52,736 --a------ C:\WINDOWS\system32\355.tmp
2008-06-14 03:02 . 2008-06-14 02:52 52,736 --a------ C:\WINDOWS\system32\352.tmp
2008-06-14 02:52 . 2008-06-14 02:41 52,736 --a------ C:\WINDOWS\system32\34F.tmp
2008-06-14 02:41 . 2008-06-14 02:30 52,736 --a------ C:\WINDOWS\system32\34C.tmp
2008-06-14 02:30 . 2008-06-14 02:20 52,736 --a------ C:\WINDOWS\system32\348.tmp
2008-06-14 02:20 . 2008-06-14 02:09 52,736 --a------ C:\WINDOWS\system32\345.tmp
2008-06-14 02:09 . 2008-06-14 01:59 52,736 --a------ C:\WINDOWS\system32\342.tmp
2008-06-14 01:59 . 2008-06-14 01:49 52,736 --a------ C:\WINDOWS\system32\33F.tmp
2008-06-14 01:49 . 2008-06-14 01:39 52,736 --a------ C:\WINDOWS\system32\33C.tmp
2008-06-14 01:39 . 2008-06-14 01:29 52,736 --a------ C:\WINDOWS\system32\339.tmp
2008-06-14 01:29 . 2008-06-14 01:18 52,736 --a------ C:\WINDOWS\system32\336.tmp
2008-06-14 01:18 . 2008-06-14 01:08 52,736 --a------ C:\WINDOWS\system32\333.tmp
2008-06-14 01:08 . 2008-06-14 00:58 52,736 --a------ C:\WINDOWS\system32\330.tmp
2008-06-14 00:58 . 2008-06-14 00:48 52,736 --a------ C:\WINDOWS\system32\32D.tmp
2008-06-14 00:48 . 2008-06-14 00:38 52,736 --a------ C:\WINDOWS\system32\32A.tmp
2008-06-14 00:38 . 2008-06-14 00:27 52,736 --a------ C:\WINDOWS\system32\327.tmp
2008-06-14 00:27 . 2008-06-14 00:17 52,736 --a------ C:\WINDOWS\system32\324.tmp
2008-06-14 00:17 . 2008-06-14 00:04 52,736 --a------ C:\WINDOWS\system32\321.tmp
2008-06-14 00:04 . 2008-06-13 23:44 52,736 --a------ C:\WINDOWS\system32\31E.tmp
2008-06-13 23:44 . 2008-06-13 23:23 52,736 --a------ C:\WINDOWS\system32\31B.tmp
2008-06-13 23:23 . 2008-06-13 23:02 52,736 --a------ C:\WINDOWS\system32\318.tmp
2008-06-13 23:02 . 2008-06-13 22:42 52,736 --a------ C:\WINDOWS\system32\315.tmp
2008-06-13 22:41 . 2008-06-13 22:21 52,736 --a------ C:\WINDOWS\system32\312.tmp
2008-06-13 22:21 . 2008-06-13 22:01 52,736 --a------ C:\WINDOWS\system32\30F.tmp
2008-06-13 22:01 . 2008-06-13 21:40 52,736 --a------ C:\WINDOWS\system32\309.tmp
2008-06-13 21:40 . 2008-06-13 21:19 52,736 --a------ C:\WINDOWS\system32\305.tmp
2008-06-13 20:58 . 2008-06-13 20:38 52,736 --a------ C:\WINDOWS\system32\2DE.tmp
2008-06-13 20:38 . 2008-06-13 20:18 52,736 --a------ C:\WINDOWS\system32\2DB.tmp
2008-06-13 20:18 . 2008-06-13 19:57 52,736 --a------ C:\WINDOWS\system32\2D8.tmp
2008-06-13 19:37 . 2008-06-13 19:17 52,736 --a------ C:\WINDOWS\system32\28E.tmp
2008-06-13 17:58 . 2008-06-13 17:58 <DIR> d-------- C:\Documents and Settings\Owner.RESTOREFEB05\Application Data\AXPFixer
2008-06-13 17:57 . 2008-06-13 17:57 <DIR> d-------- C:\Program Files\AXPFixer
2008-06-12 22:35 . 2008-06-12 22:25 52,736 --a------ C:\WINDOWS\system32\5F.tmp
2008-06-12 22:25 . 2008-06-12 22:15 52,736 --a------ C:\WINDOWS\system32\5C.tmp
2008-06-12 22:15 . 2008-06-12 22:05 52,736 --a------ C:\WINDOWS\system32\59.tmp
2008-06-12 22:05 . 2008-06-12 21:55 52,736 --a------ C:\WINDOWS\system32\55.tmp
2008-06-12 21:55 . 2008-06-12 21:39 52,736 --a------ C:\WINDOWS\system32\50.tmp
2008-06-12 21:39 . 2008-06-12 21:29 52,736 --a------ C:\WINDOWS\system32\48.tmp
2008-06-12 21:29 . 2008-06-12 21:19 52,736 --a------ C:\WINDOWS\system32\41.tmp
2008-06-12 21:19 . 2008-06-12 21:09 52,736 --a------ C:\WINDOWS\system32\3B.tmp
2008-06-12 21:09 . 2008-06-12 20:59 52,736 --a------ C:\WINDOWS\system32\30.tmp
2008-06-12 20:59 . 2008-06-12 20:48 52,736 --a------ C:\WINDOWS\system32\27.tmp
2008-06-12 20:44 . 2008-06-12 20:34 52,736 --a------ C:\WINDOWS\system32\BB.tmp
2008-06-12 20:34 . 2008-06-12 20:24 52,736 --a------ C:\WINDOWS\system32\B7.tmp
2008-06-12 20:24 . 2008-06-12 20:14 52,736 --a------ C:\WINDOWS\system32\B4.tmp
2008-06-12 20:04 . 2008-06-12 19:53 52,736 --a------ C:\WINDOWS\system32\4F.tmp
2008-06-12 19:43 . 2008-06-12 19:33 52,736 --a------ C:\WINDOWS\system32\46.tmp
2008-06-12 19:23 . 2008-06-12 19:13 52,736 --a------ C:\WINDOWS\system32\3E.tmp
2008-06-12 18:09 . 2008-06-12 17:59 52,736 --a------ C:\WINDOWS\system32\31.tmp
2008-06-12 17:59 . 2008-06-12 17:49 52,736 --a------ C:\WINDOWS\system32\2B.tmp
2008-06-12 17:49 . 2008-06-12 17:39 52,736 --a------ C:\WINDOWS\system32\28.tmp
2008-06-12 17:39 . 2008-06-12 17:29 52,736 --a------ C:\WINDOWS\system32\22.tmp
2008-06-12 17:29 . 2008-06-12 17:18 52,736 --a------ C:\WINDOWS\system32\1E.tmp
2008-06-12 17:18 . 2008-06-12 17:08 52,736 --a------ C:\WINDOWS\system32\19.tmp
2008-06-12 16:56 . 2008-06-12 16:46 52,736 --a------ C:\WINDOWS\system32\3F.tmp
2008-06-12 16:46 . 2008-06-12 16:36 52,736 --a------ C:\WINDOWS\system32\3C.tmp
2008-06-12 16:36 . 2008-06-12 16:26 52,736 --a------ C:\WINDOWS\system32\38.tmp
2008-06-12 16:26 . 2008-06-12 16:16 52,736 --a------ C:\WINDOWS\system32\33.tmp
2008-06-12 16:16 . 2008-06-12 16:06 52,736 --a------ C:\WINDOWS\system32\2E.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-15 06:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-13 22:12 91,376 ----a-w C:\WINDOWS\system32\isafprod.dll
2008-06-13 22:12 32,240 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-06-13 22:12 26,352 ----a-w C:\WINDOWS\system32\drivers\vet-filt.sys
2008-06-13 22:12 21,488 ----a-w C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-06-13 22:12 21,104 ----a-w C:\WINDOWS\system32\drivers\vet-rec.sys
2008-06-09 22:52 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-04 22:37 880,560 ----a-w C:\WINDOWS\system32\drivers\vetefile.sys
2008-06-04 22:37 108,368 ----a-w C:\WINDOWS\system32\drivers\veteboot.sys
2008-05-31 21:46 --------- d-----w C:\Program Files\Java
2008-05-31 21:40 --------- d-----w C:\Program Files\Furcadia
2008-05-31 21:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dragon's Eye Productions
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 22:47 0 ----a-w C:\Program Files\temp01
2007-06-22 23:15 512 ---ha-w C:\Documents and Settings\Owner.VIGGO.000\hpothb07.dat
2007-06-22 23:15 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2007-06-22 23:15 0 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2007-06-22 23:14 529 ---ha-w C:\Program Files\hpothb07.tif
2007-06-22 23:14 318 -c-ha-w C:\Program Files\hpothb07.dat
2007-06-22 23:14 185 ---ha-w C:\Documents and Settings\All Users\Application Data\hpothb07.dat
2006-11-18 21:50 524 ---ha-w C:\Documents and Settings\Owner.RESTOREFEB05\hpothb07.dat
2006-11-18 21:50 157 ---ha-w C:\Documents and Settings\Owner.VIGGO\hpothb07.dat
2006-01-22 16:09 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-11-26 01:33 167 ---ha-w C:\Documents and Settings\OWNERV~1~000\hpothb07.dat
2005-11-26 01:33 0 -c-ha-w C:\Documents and Settings\Royster\hpothb07.dat
2005-08-18 00:48 956 ---ha-w C:\Documents and Settings\Owner.RESTOREFEB05\Application Data\hpothb07.dat
2005-06-21 22:56 158 ---ha-w C:\Documents and Settings\Guest\hpothb07.dat
2005-06-21 22:56 158 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
2005-06-21 22:56 0 -c-ha-w C:\Documents and Settings\LocalService\hpothb07.dat
2004-06-09 15:54 390 ----a-w C:\Program Files\Shortcut to Program Files.lnk
2004-05-24 16:34 166,887 ----a-w C:\WINDOWS\system32\config\systemprofile\Application Data\tvmknwrd.dll
2004-05-24 16:34 166,887 ----a-w C:\Documents and Settings\Owner.VIGGO.000\Application Data\tvmknwrd.dll
2004-05-24 16:34 166,887 ----a-w C:\Documents and Settings\Owner.RESTOREFEB05\Application Data\tvmknwrd.dll
2004-05-24 16:34 166,887 ----a-w C:\Documents and Settings\Guest\Application Data\tvmknwrd.dll
2003-11-01 15:34 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Aim6"="" []
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 21:00 200767]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 15:51 118784]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 23:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42 212992]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-07-31 23:28 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-03-01 20:03 77824]
"tgcmd"="C:\Program Files\support.com\bin\tgcmd.exe" [2002-04-24 21:37 1544192]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 15:55 155648]
"WinService32"="svchost" []
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19 69632]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2008-06-13 18:12 234736]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 10:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-11 15:44 185896]
"cctray"="C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe" [2008-05-21 18:13 181512]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"lphc3bmj0eg6r"="C:\WINDOWS\system32\lphc3bmj0eg6r.exe" [2008-06-11 10:28 92160]
"SMshc5bmj0eg6r"="C:\Program Files\shc5bmj0eg6r\shc5bmj0eg6r.exe" [2008-06-11 04:59 1167360]
"sysrest32.exe"="C:\WINDOWS\system32\sysrest32.exe" [ ]
"AXPFixer"="C:\Program Files\AXPFixer\AXPFixer.exe" [2008-05-19 14:03 1564672]
"WinLiveUpdate"="C:\Program Files\Common Files\Microsoft Shared\DAO\system32\svchost.exe" [2005-06-17 13:37 636416]

C:\Documents and Settings\Owner.VIGGO.000\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2004-06-15 21:13:40 256000]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-07-22 21:37:11 110592]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
LaunchU3.exe.lnk - C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2007-01-27 15:54:31 1078]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 22:49 4662776 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"C:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

S3 Boonty Games;Boonty Games;"C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe" [2006-01-03 14:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6a8777a-827f-11d9-9dc7-806d6172696f}]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-06-06 22:31:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7200#CN37Q2B178I3.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
"2008-06-15 23:22:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe
"2008-06-15 03:50:22 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 19:20:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\vetmsg.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-15 19:48:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-15 23:47:23

Pre-Run: 41,013,518,336 bytes free
Post-Run: 41,715,965,952 bytes free

300 --- E O F --- 2008-06-11 14:40:54

#14 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 15 June 2008 - 06:04 PM

Close all programs leaving only HijackThis running. Place a check against each of the following,

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [lphc3bmj0eg6r] C:\WINDOWS\system32\lphc3bmj0eg6r.exe
O4 - HKLM\..\Run: [SMshc5bmj0eg6r] C:\Program Files\shc5bmj0eg6r\shc5bmj0eg6r.exe
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe


Click on Fix Checked when finished and exit HijackThis.


  • Now physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.

    Go to Posted Image -> Run -> copy/paste in the following single line command & click OK

    "%userprofile%\desktop\combofix.exe" /killall

    Posted Image
  • Click OK and this will start ComboFix in a special way.
  • When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply along with a fresh HJT log.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

* After you have saved the logs, restart your system to re-enable all the programs that were disabled during the running of ComboFix.

* Reconnect to the internet

* Post the following logs/Reports:
  • ComboFix.txt
  • [b]Fresh HijackThis log run after all the other tools have performed their cleanup.


#15 Pundah

Pundah

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 16 June 2008 - 05:51 PM

Hi Silver, I appreciate your help very much. I followed your instructions. Remember that I cannot disable the axpfixer that I guess is causing the problems. I did snooze the antivirus tho. It worked as you said with these few differences: While the combofix log was running, the dialog box said do not run any other programs. But, as soon as it rebooted and started to run the log, axp fixer popped up. I closed it but could see it running in background in the task bar. Thru out the process, that "Sorry, jpeg dll not found. You must reinstall program" continued to pop up. 18 times so far, every few minutes. When axpfixer finished running in the background, it gave dialog box as usual saying 186 threat found, recommend cleaning. (That's the $50 purchase deal.) after I ran both logs and rebooted, the big yellow warning box was still in the center of my desktop, and AXPfixer was still there too. System remains very slow while axp running in background. When it finishes (and tells me to clean), it frees up and regains speed. I did notice that when I checked those 5 boxes you told me to check, there was one for AXPfixer. I guess checkng that wont get rid of it?

Anyway...thanks for haning in with us! Here are the 2 logs:

Logfile of HijackThis v1.99.1
Scan saved at 19:37, on 2008-06-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\AXPFixer\AXPFixer.exe
C:\Program Files\Common Files\Microsoft Shared\DAO\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [WinService32] svchost
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AXPFixer] C:\Program Files\AXPFixer\AXPFixer.exe
O4 - HKLM\..\Run: [WinLiveUpdate] C:\Program Files\Common Files\Microsoft Shared\DAO\system32\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsu...asp/tgctlsr.cab
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www1.snapfish...tlookImport.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119564746437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1119570358859
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://real.gamehous...mjolauncher.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://real.gamehous...outLauncher.cab
O16 - DPF: {E6182DB0-BE70-4EA3-A8FB-D402C6D951D5} (VUploader Control) - http://photofiddle.c...loaderProj1.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

ComboFix 08-06-15.2 - Owner 2008-06-16 19:20:27.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.283 [GMT -4:00]
Running from: C:\Documents and Settings\Owner.RESTOREFEB05\desktop\combofix.exe
Command switches used :: /killall
.

((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
.

2008-06-15 00:01 . 2008-06-14 23:51 52,736 --a------ C:\WINDOWS\system32\FF.tmp
2008-06-14 23:41 . 2008-06-14 23:31 52,736 --a------ C:\WINDOWS\system32\F9.tmp
2008-06-14 23:31 . 2008-06-14 23:20 52,736 --a------ C:\WINDOWS\system32\F6.tmp
2008-06-14 23:20 . 2008-06-14 23:10 52,736 --a------ C:\WINDOWS\system32\F3.tmp
2008-06-14 23:10 . 2008-06-14 23:00 52,736 --a------ C:\WINDOWS\system32\F0.tmp
2008-06-14 23:00 . 2008-06-14 22:49 52,736 --a------ C:\WINDOWS\system32\ED.tmp
2008-06-14 22:49 . 2008-06-14 22:39 52,736 --a------ C:\WINDOWS\system32\EA.tmp
2008-06-14 22:39 . 2008-06-14 22:28 52,736 --a------ C:\WINDOWS\system32\E7.tmp
2008-06-14 22:28 . 2008-06-14 22:18 52,736 --a------ C:\WINDOWS\system32\E4.tmp
2008-06-14 22:18 . 2008-06-14 22:08 52,736 --a------ C:\WINDOWS\system32\E1.tmp
2008-06-14 22:08 . 2008-06-14 21:58 52,736 --a------ C:\WINDOWS\system32\DE.tmp
2008-06-14 21:57 . 2008-06-14 21:47 52,736 --a------ C:\WINDOWS\system32\DB.tmp
2008-06-14 21:47 . 2008-06-14 21:37 52,736 --a------ C:\WINDOWS\system32\D8.tmp
2008-06-14 21:37 . 2008-06-14 21:27 52,736 --a------ C:\WINDOWS\system32\D5.tmp
2008-06-14 21:27 . 2008-06-14 21:16 52,736 --a------ C:\WINDOWS\system32\D2.tmp
2008-06-14 21:16 . 2008-06-14 21:06 52,736 --a------ C:\WINDOWS\system32\CF.tmp
2008-06-14 21:06 . 2008-06-14 20:56 52,736 --a------ C:\WINDOWS\system32\CC.tmp
2008-06-14 20:56 . 2008-06-14 20:46 52,736 --a------ C:\WINDOWS\system32\C9.tmp
2008-06-14 20:46 . 2008-06-14 20:36 52,736 --a------ C:\WINDOWS\system32\C6.tmp
2008-06-14 20:36 . 2008-06-14 20:26 52,736 --a------ C:\WINDOWS\system32\C3.tmp
2008-06-14 20:26 . 2008-06-14 20:16 52,736 --a------ C:\WINDOWS\system32\C0.tmp
2008-06-14 20:16 . 2008-06-14 20:05 52,736 --a------ C:\WINDOWS\system32\BC.tmp
2008-06-14 20:05 . 2008-06-14 19:55 52,736 --a------ C:\WINDOWS\system32\B9.tmp
2008-06-14 19:55 . 2008-06-14 19:45 52,736 --a------ C:\WINDOWS\system32\B5.tmp
2008-06-14 19:45 . 2008-06-14 19:35 52,736 --a------ C:\WINDOWS\system32\B0.tmp
2008-06-14 19:35 . 2008-06-14 19:25 52,736 --a------ C:\WINDOWS\system32\AD.tmp
2008-06-14 19:25 . 2008-06-14 19:15 52,736 --a------ C:\WINDOWS\system32\AA.tmp
2008-06-14 19:15 . 2008-06-14 19:05 52,736 --a------ C:\WINDOWS\system32\A7.tmp
2008-06-14 19:05 . 2008-06-14 18:55 52,736 --a------ C:\WINDOWS\system32\A3.tmp
2008-06-14 18:55 . 2008-06-14 18:45 52,736 --a------ C:\WINDOWS\system32\A0.tmp
2008-06-14 17:55 . 2008-06-14 17:45 52,736 --a------ C:\WINDOWS\system32\8E.tmp
2008-06-14 17:45 . 2008-06-14 17:34 52,736 --a------ C:\WINDOWS\system32\8B.tmp
2008-06-14 17:34 . 2008-06-14 17:24 52,736 --a------ C:\WINDOWS\system32\86.tmp
2008-06-14 17:24 . 2008-06-14 17:14 52,736 --a------ C:\WINDOWS\system32\81.tmp
2008-06-14 17:14 . 2008-06-14 17:04 52,736 --a------ C:\WINDOWS\system32\7D.tmp
2008-06-14 17:04 . 2008-06-14 16:54 52,736 --a------ C:\WINDOWS\system32\78.tmp
2008-06-14 16:54 . 2008-06-14 16:44 52,736 --a------ C:\WINDOWS\system32\75.tmp
2008-06-14 08:11 . 2008-06-14 08:01 52,736 --a------ C:\WINDOWS\system32\3AC.tmp
2008-06-14 08:01 . 2008-06-14 07:50 52,736 --a------ C:\WINDOWS\system32\3A9.tmp
2008-06-14 07:50 . 2008-06-14 07:40 52,736 --a------ C:\WINDOWS\system32\3A6.tmp
2008-06-14 07:40 . 2008-06-14 07:30 52,736 --a------ C:\WINDOWS\system32\3A3.tmp
2008-06-14 07:30 . 2008-06-14 07:19 52,736 --a------ C:\WINDOWS\system32\3A0.tmp
2008-06-14 07:19 . 2008-06-14 07:09 52,736 --a------ C:\WINDOWS\system32\39D.tmp
2008-06-14 07:09 . 2008-06-14 06:59 52,736 --a------ C:\WINDOWS\system32\39A.tmp
2008-06-14 06:58 . 2008-06-14 06:48 52,736 --a------ C:\WINDOWS\system32\397.tmp
2008-06-14 06:48 . 2008-06-14 06:38 52,736 --a------ C:\WINDOWS\system32\394.tmp
2008-06-14 06:38 . 2008-06-14 06:28 52,736 --a------ C:\WINDOWS\system32\391.tmp
2008-06-14 06:28 . 2008-06-14 06:17 52,736 --a------ C:\WINDOWS\system32\38E.tmp
2008-06-14 06:17 . 2008-06-14 06:07 52,736 --a------ C:\WINDOWS\system32\38B.tmp
2008-06-14 06:07 . 2008-06-14 05:56 52,736 --a------ C:\WINDOWS\system32\388.tmp
2008-06-14 05:56 . 2008-06-14 05:46 52,736 --a------ C:\WINDOWS\system32\385.tmp
2008-06-14 05:46 . 2008-06-14 05:36 52,736 --a------ C:\WINDOWS\system32\382.tmp
2008-06-14 05:36 . 2008-06-14 05:26 52,736 --a------ C:\WINDOWS\system32\37F.tmp
2008-06-14 05:26 . 2008-06-14 05:15 52,736 --a------ C:\WINDOWS\system32\37C.tmp
2008-06-14 05:15 . 2008-06-14 05:05 52,736 --a------ C:\WINDOWS\system32\379.tmp
2008-06-14 05:05 . 2008-06-14 04:55 52,736 --a------ C:\WINDOWS\system32\376.tmp
2008-06-14 04:55 . 2008-06-14 04:44 52,736 --a------ C:\WINDOWS\system32\373.tmp
2008-06-14 04:44 . 2008-06-14 04:34 52,736 --a------ C:\WINDOWS\system32\370.tmp
2008-06-14 04:34 . 2008-06-14 04:24 52,736 --a------ C:\WINDOWS\system32\36D.tmp
2008-06-14 04:24 . 2008-06-14 04:14 52,736 --a------ C:\WINDOWS\system32\36A.tmp
2008-06-14 04:14 . 2008-06-14 04:03 52,736 --a------ C:\WINDOWS\system32\367.tmp
2008-06-14 04:03 . 2008-06-14 03:53 52,736 --a------ C:\WINDOWS\system32\364.tmp
2008-06-14 03:53 . 2008-06-14 03:43 52,736 --a------ C:\WINDOWS\system32\361.tmp
2008-06-14 03:43 . 2008-06-14 03:33 52,736 --a------ C:\WINDOWS\system32\35E.tmp
2008-06-14 03:33 . 2008-06-14 03:22 52,736 --a------ C:\WINDOWS\system32\35B.tmp
2008-06-14 03:22 . 2008-06-14 03:12 52,736 --a------ C:\WINDOWS\system32\358.tmp
2008-06-14 03:12 . 2008-06-14 03:02 52,736 --a------ C:\WINDOWS\system32\355.tmp
2008-06-14 03:02 . 2008-06-14 02:52 52,736 --a------ C:\WINDOWS\system32\352.tmp
2008-06-14 02:52 . 2008-06-14 02:41 52,736 --a------ C:\WINDOWS\system32\34F.tmp
2008-06-14 02:41 . 2008-06-14 02:30 52,736 --a------ C:\WINDOWS\system32\34C.tmp
2008-06-14 02:30 . 2008-06-14 02:20 52,736 --a------ C:\WINDOWS\system32\348.tmp
2008-06-14 02:20 . 2008-06-14 02:09 52,736 --a------ C:\WINDOWS\system32\345.tmp
2008-06-14 02:09 . 2008-06-14 01:59 52,736 --a------ C:\WINDOWS\system32\342.tmp
2008-06-14 01:59 . 2008-06-14 01:49 52,736 --a------ C:\WINDOWS\system32\33F.tmp
2008-06-14 01:49 . 2008-06-14 01:39 52,736 --a------ C:\WINDOWS\system32\33C.tmp
2008-06-14 01:39 . 2008-06-14 01:29 52,736 --a------ C:\WINDOWS\system32\339.tmp
2008-06-14 01:29 . 2008-06-14 01:18 52,736 --a------ C:\WINDOWS\system32\336.tmp
2008-06-14 01:18 . 2008-06-14 01:08 52,736 --a------ C:\WINDOWS\system32\333.tmp
2008-06-14 01:08 . 2008-06-14 00:58 52,736 --a------ C:\WINDOWS\system32\330.tmp
2008-06-14 00:58 . 2008-06-14 00:48 52,736 --a------ C:\WINDOWS\system32\32D.tmp
2008-06-14 00:48 . 2008-06-14 00:38 52,736 --a------ C:\WINDOWS\system32\32A.tmp
2008-06-14 00:38 . 2008-06-14 00:27 52,736 --a------ C:\WINDOWS\system32\327.tmp
2008-06-14 00:27 . 2008-06-14 00:17 52,736 --a------ C:\WINDOWS\system32\324.tmp
2008-06-14 00:17 . 2008-06-14 00:04 52,736 --a------ C:\WINDOWS\system32\321.tmp
2008-06-14 00:04 . 2008-06-13 23:44 52,736 --a------ C:\WINDOWS\system32\31E.tmp
2008-06-13 23:44 . 2008-06-13 23:23 52,736 --a------ C:\WINDOWS\system32\31B.tmp
2008-06-13 23:23 . 2008-06-13 23:02 52,736 --a------ C:\WINDOWS\system32\318.tmp
2008-06-13 23:02 . 2008-06-13 22:42 52,736 --a------ C:\WINDOWS\system32\315.tmp
2008-06-13 22:41 . 2008-06-13 22:21 52,736 --a------ C:\WINDOWS\system32\312.tmp
2008-06-13 22:21 . 2008-06-13 22:01 52,736 --a------ C:\WINDOWS\system32\30F.tmp
2008-06-13 22:01 . 2008-06-13 21:40 52,736 --a------ C:\WINDOWS\system32\309.tmp
2008-06-13 21:40 . 2008-06-13 21:19 52,736 --a------ C:\WINDOWS\system32\305.tmp
2008-06-13 20:58 . 2008-06-13 20:38 52,736 --a------ C:\WINDOWS\system32\2DE.tmp
2008-06-13 20:38 . 2008-06-13 20:18 52,736 --a------ C:\WINDOWS\system32\2DB.tmp
2008-06-13 20:18 . 2008-06-13 19:57 52,736 --a------ C:\WINDOWS\system32\2D8.tmp
2008-06-13 19:37 . 2008-06-13 19:17 52,736 --a------ C:\WINDOWS\system32\28E.tmp
2008-06-13 17:58 . 2008-06-13 17:58 <DIR> d-------- C:\Documents and Settings\Owner.RESTOREFEB05\Application Data\AXPFixer
2008-06-13 17:57 . 2008-06-13 17:57 <DIR> d-------- C:\Program Files\AXPFixer
2008-06-12 22:35 . 2008-06-12 22:25 52,736 --a------ C:\WINDOWS\system32\5F.tmp
2008-06-12 22:25 . 2008-06-12 22:15 52,736 --a------ C:\WINDOWS\system32\5C.tmp
2008-06-12 22:15 . 2008-06-12 22:05 52,736 --a------ C:\WINDOWS\system32\59.tmp
2008-06-12 22:05 . 2008-06-12 21:55 52,736 --a------ C:\WINDOWS\system32\55.tmp
2008-06-12 21:55 . 2008-06-12 21:39 52,736 --a------ C:\WINDOWS\system32\50.tmp
2008-06-12 21:39 . 2008-06-12 21:29 52,736 --a------ C:\WINDOWS\system32\48.tmp
2008-06-12 21:29 . 2008-06-12 21:19 52,736 --a------ C:\WINDOWS\system32\41.tmp
2008-06-12 21:19 . 2008-06-12 21:09 52,736 --a------ C:\WINDOWS\system32\3B.tmp
2008-06-12 21:09 . 2008-06-12 20:59 52,736 --a------ C:\WINDOWS\system32\30.tmp
2008-06-12 20:59 . 2008-06-12 20:48 52,736 --a------ C:\WINDOWS\system32\27.tmp
2008-06-12 20:44 . 2008-06-12 20:34 52,736 --a------ C:\WINDOWS\system32\BB.tmp
2008-06-12 20:34 . 2008-06-12 20:24 52,736 --a------ C:\WINDOWS\system32\B7.tmp
2008-06-12 20:24 . 2008-06-12 20:14 52,736 --a------ C:\WINDOWS\system32\B4.tmp
2008-06-12 20:04 . 2008-06-12 19:53 52,736 --a------ C:\WINDOWS\system32\4F.tmp
2008-06-12 19:43 . 2008-06-12 19:33 52,736 --a------ C:\WINDOWS\system32\46.tmp
2008-06-12 19:23 . 2008-06-12 19:13 52,736 --a------ C:\WINDOWS\system32\3E.tmp
2008-06-12 18:09 . 2008-06-12 17:59 52,736 --a------ C:\WINDOWS\system32\31.tmp
2008-06-12 17:59 . 2008-06-12 17:49 52,736 --a------ C:\WINDOWS\system32\2B.tmp
2008-06-12 17:49 . 2008-06-12 17:39 52,736 --a------ C:\WINDOWS\system32\28.tmp
2008-06-12 17:39 . 2008-06-12 17:29 52,736 --a------ C:\WINDOWS\system32\22.tmp
2008-06-12 17:29 . 2008-06-12 17:18 52,736 --a------ C:\WINDOWS\system32\1E.tmp
2008-06-12 17:18 . 2008-06-12 17:08 52,736 --a------ C:\WINDOWS\system32\19.tmp
2008-06-12 16:56 . 2008-06-12 16:46 52,736 --a------ C:\WINDOWS\system32\3F.tmp
2008-06-12 16:46 . 2008-06-12 16:36 52,736 --a------ C:\WINDOWS\system32\3C.tmp
2008-06-12 16:36 . 2008-06-12 16:26 52,736 --a------ C:\WINDOWS\system32\38.tmp
2008-06-12 16:26 . 2008-06-12 16:16 52,736 --a------ C:\WINDOWS\system32\33.tmp
2008-06-12 16:16 . 2008-06-12 16:06 52,736 --a------ C:\WINDOWS\system32\2E.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-16 14:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-13 22:12 91,376 ----a-w C:\WINDOWS\system32\isafprod.dll
2008-06-13 22:12 32,240 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-06-13 22:12 26,352 ----a-w C:\WINDOWS\system32\drivers\vet-filt.sys
2008-06-13 22:12 21,488 ----a-w C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-06-13 22:12 21,104 ----a-w C:\WINDOWS\system32\drivers\vet-rec.sys
2008-06-09 22:52 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-04 22:37 880,560 ----a-w C:\WINDOWS\system32\drivers\vetefile.sys
2008-06-04 22:37 108,368 ----a-w C:\WINDOWS\system32\drivers\veteboot.sys
2008-05-31 21:46 --------- d-----w C:\Program Files\Java
2008-05-31 21:40 --------- d-----w C:\Program Files\Furcadia
2008-05-31 21:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dragon's Eye Productions
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 22:47 0 ----a-w C:\Program Files\temp01
2007-06-22 23:15 512 ---ha-w C:\Documents and Settings\Owner.VIGGO.000\hpothb07.dat
2007-06-22 23:15 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2007-06-22 23:15 0 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2007-06-22 23:14 529 ---ha-w C:\Program Files\hpothb07.tif
2007-06-22 23:14 318 -c-ha-w C:\Program Files\hpothb07.dat
2007-06-22 23:14 185 ---ha-w C:\Documents and Settings\All Users\Application Data\hpothb07.dat
2006-11-18 21:50 524 ---ha-w C:\Documents and Settings\Owner.RESTOREFEB05\hpothb07.dat
2006-11-18 21:50 157 ---ha-w C:\Documents and Settings\Owner.VIGGO\hpothb07.dat
2006-01-22 16:09 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-11-26 01:33 167 ---ha-w C:\Documents and Settings\OWNERV~1~000\hpothb07.dat
2005-11-26 01:33 0 -c-ha-w C:\Documents and Settings\Royster\hpothb07.dat
2005-08-18 00:48 956 ---ha-w C:\Documents and Settings\Owner.RESTOREFEB05\Application Data\hpothb07.dat
2005-06-21 22:56 158 ---ha-w C:\Documents and Settings\Guest\hpothb07.dat
2005-06-21 22:56 158 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
2005-06-21 22:56 0 -c-ha-w C:\Documents and Settings\LocalService\hpothb07.dat
2004-06-09 15:54 390 ----a-w C:\Program Files\Shortcut to Program Files.lnk
2004-05-24 16:34 166,887 ----a-w C:\WINDOWS\system32\config\systemprofile\Application Data\tvmknwrd.dll
2004-05-24 16:34 166,887 ----a-w C:\Documents and Settings\Owner.VIGGO.000\Application Data\tvmknwrd.dll
2004-05-24 16:34 166,887 ----a-w C:\Documents and Settings\Owner.RESTOREFEB05\Application Data\tvmknwrd.dll
2004-05-24 16:34 166,887 ----a-w C:\Documents and Settings\Guest\Application Data\tvmknwrd.dll
2003-11-01 15:34 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-15_19.45.38.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-15 23:19:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-16 23:25:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-15 23:21:01 52,736 ----a-w C:\WINDOWS\system32\blphc3bmj0eg6r.scr
+ 2008-06-16 23:05:19 52,736 ----a-w C:\WINDOWS\system32\blphc3bmj0eg6r.scr
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Aim6"="" []
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 21:00 200767]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 15:51 118784]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 23:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42 212992]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-07-31 23:28 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-03-01 20:03 77824]
"tgcmd"="C:\Program Files\support.com\bin\tgcmd.exe" [2002-04-24 21:37 1544192]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 15:55 155648]
"WinService32"="svchost" []
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19 69632]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2008-06-13 18:12 234736]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 10:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-11 15:44 185896]
"cctray"="C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe" [2008-05-21 18:13 181512]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"AXPFixer"="C:\Program Files\AXPFixer\AXPFixer.exe" [2008-05-19 14:03 1564672]
"WinLiveUpdate"="C:\Program Files\Common Files\Microsoft Shared\DAO\system32\svchost.exe" [2005-06-17 13:37 636416]

C:\Documents and Settings\Owner.VIGGO.000\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2004-06-15 21:13:40 256000]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-07-22 21:37:11 110592]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
LaunchU3.exe.lnk - C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2007-01-27 15:54:31 1078]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 22:49 4662776 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"C:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

S4 Boonty Games;Boonty Games;"C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe" [2006-01-03 14:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6a8777a-827f-11d9-9dc7-806d6172696f}]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-06-06 22:31:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7200#CN37Q2B178I3.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
"2008-06-16 23:22:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe
"2008-06-15 23:50:20 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 19:27:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\vetmsg.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-06-16 19:36:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-16 23:35:31
ComboFix2.txt 2008-06-15 23:48:37

Pre-Run: 41,697,681,408 bytes free
Post-Run: 41,707,057,152 bytes free

277 --- E O F --- 2008-06-11 14:40:54

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users