
Solved Help- url.cpvfeed and winantivirus pro popups

Discussion in 'Malware and Virus Removal Archive' started by jazcan, 2007/09/10.

  1. 2007/09/10
    jazcan Lifetime Subscription

    jazcan Inactive Thread Starter

    Joined:
    2002/05/05
    Messages:
    216
    Likes Received:
    0
    [Resolved] Help- url.cpvfeed and winantivirus pro popups

    Hi everyone,
    Well, my husband's computer has me stumped. It took me a long time just to be able to get to this page.


    My big problem: popups, constant and annoying, either url/cpvfeed or winantivirus pro. My antivirus (PC-cillin) warns about the program running and tells me to close my browser. It took me over ten minutes to be able to open this page with the popups. They only seem to happen when I search or initially open the browser, IE7. This computer is on WinXP Pro, SP2.

    Here is the latest hijackthis.log

    Logfile of HijackThis v1.99.1
    Scan saved at 01:44, on 2007-09-10
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1109280920265
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174252980937
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
    O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab34501.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab43895.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab42858.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


    I already ran vundofix.exe. It did find some files initially, but it is now showing clear and I'm still getting the popups.
    Here's its text file:

    VundoFix V6.5.8

    Checking Java version...

    Scan started at 1:22:00 PM 09/09/2007

    Listing files found while scanning....

    C:\windows\system32\awtqnnl.dll
    C:\WINDOWS\system32\fcccayv.dll
    C:\WINDOWS\system32\fuhejbyp.ini
    C:\WINDOWS\system32\glllwleg.dll
    C:\windows\system32\khfffcc.dll
    C:\WINDOWS\system32\pybjehuf.dll

    Beginning removal...

    Attempting to delete C:\windows\system32\awtqnnl.dll
    C:\windows\system32\awtqnnl.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\fcccayv.dll
    C:\WINDOWS\system32\fcccayv.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\fuhejbyp.ini
    C:\WINDOWS\system32\fuhejbyp.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\glllwleg.dll
    C:\WINDOWS\system32\glllwleg.dll Has been deleted!

    Attempting to delete C:\windows\system32\khfffcc.dll
    C:\windows\system32\khfffcc.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\pybjehuf.dll
    C:\WINDOWS\system32\pybjehuf.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.5.8

    Checking Java version...

    Scan started at 1:46:41 PM 09/09/2007

    Listing files found while scanning....

    No infected files were found.


    VundoFix V6.5.8

    Checking Java version...

    Scan started at 4:38:48 PM 09/09/2007

    Listing files found while scanning....

    C:\windows\system32\efcbaab.dll

    Beginning removal...

    Attempting to delete C:\windows\system32\efcbaab.dll
    C:\windows\system32\efcbaab.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.5.8

    Checking Java version...

    Scan started at 4:51:28 PM 09/09/2007

    Listing files found while scanning....

    No infected files were found.


    VundoFix V6.5.8

    Checking Java version...

    Scan started at 10:04:10 PM 09/09/2007

    Listing files found while scanning....

    No infected files were found.


    VundoFix V6.5.8

    Checking Java version...

    Scan started at 1:15:57 AM 10/09/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...


    So if anyone could tell me if there's something in my HijackThis log, or another tool to use, I would be grateful. I actually downloaded and tried to install ComboFix, but it didn't run correctly. I then saw the sticky about not using it, so I'm glad it didn't work.

    It's after 2 a.m. here, so I've got to get some sleep, but if anyone could offer some advice I'll check back tomorrow. Believe me, I have tried searching for a solution, but nothing has worked so far. I've run the latest definitions of Spybot and Ad-Aware.

    Big thanks in advance

    Tracey
     
  2. 2007/09/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Tracey,

    ComboFix is safe to use now. It may have been updated again, so download a fresh copy and try running it again. Let me know exactly what happens if it fails to complete (if memory or available CPU cycles are low, ComboFix may appear to hang; please be patient and allow ample time for it to complete). My standard instructions are below.

    Download ComboFix by sUBs from Here or Here, saving the file to your Desktop.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     

  4. 2007/09/10
    jazcan Lifetime Subscription

    jazcan Inactive Thread Starter

    Joined:
    2002/05/05
    Messages:
    216
    Likes Received:
    0
    Thanks Noahdfear,
    I will definitely try your suggestion. It may not have worked because I had my antivirus running in the background, so it was denying it access.
    I'll take your suggestion and post a new log here. Sorry I'm so long getting back on. This morning things were worse. I actually did a Panda scan and it found a bunch of stuff too. Anyway, I'll post back soon.

    Thanks so much for your response!
    Much appreciated

    Tracey
     
  5. 2007/09/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    No problem ..... I was gone to work all day anyway. Will await your reply. ;)
     
  6. 2007/09/10
    jazcan Lifetime Subscription

    jazcan Inactive Thread Starter

    Joined:
    2002/05/05
    Messages:
    216
    Likes Received:
    0
    My results

    Hi again,
    O.K., here it is:

    ComboFix 07-09-10.6 - "Jackie Hamilton" 2007-09-10 21:23:14.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.137 [GMT -4:00]
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\cookies.ini


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_DOMAINSERVICE
    -------\DomainService


    ((((((((((((((((((((((((( Files Created from 2007-08-11 to 2007-09-11 )))))))))))))))))))))))))))))))
    .

    2007-09-10 19:58 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
    2007-09-10 01:41 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-10 00:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
    2007-09-10 00:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-09-09 19:32 <DIR> d-------- C:\DOCUME~1\JACKIE~1\APPLIC~1\AdobeUM
    2007-09-09 14:21 981,871 ---hs---- C:\WINDOWS\SYSTEM32\klnmp.ini2
    2007-09-09 13:22 <DIR> d-------- C:\VundoFix Backups
    2007-09-09 09:11 998,063 ---hs---- C:\WINDOWS\SYSTEM32\klnmp.bak2
    2007-09-08 18:27 6,448 ---hs---- C:\WINDOWS\SYSTEM32\klnmp.bak1
    2007-09-08 18:25 244,832 --a------ C:\WINDOWS\SYSTEM32\pmnlk.dll
    2007-09-07 23:49 <DIR> d-------- C:\DOCUME~1\TRACEY~1\APPLIC~1\MySpace
    2007-08-30 19:39 <DIR> d-------- C:\DOCUME~1\ZACHAR~1\APPLIC~1\MySpace
    2007-08-30 18:17 <DIR> d-------- C:\DOCUME~1\AMYHAM~1\APPLIC~1\MySpace
    2007-08-30 14:19 <DIR> d-------- C:\DOCUME~1\JOHNHA~1\APPLIC~1\MySpace
    2007-08-30 13:01 <DIR> d-------- C:\Program Files\MySpace

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-10 09:51 --------- d-------- C:\Program Files\UPHClean
    2007-09-10 09:29 --------- d-------- C:\Program Files\Google
    2007-09-09 23:00 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
    2007-09-08 18:19 --------- d-------- C:\Program Files\MSN Messenger
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
    2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
    2007-07-30 19:19 271224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
    2007-07-30 19:19 207736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
    2007-07-25 20:50 --------- d-------- C:\DOCUME~1\JOHNHA~1\APPLIC~1\Viewpoint
    2007-07-25 20:50 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
    2007-07-19 02:59 3583488 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
    2007-07-12 19:31 765952 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\vgx.dll
    2007-06-27 10:34 823808 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
    2007-06-27 10:34 671232 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
    2007-06-27 10:34 6058496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
    2007-06-27 10:34 52224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
    2007-06-27 10:34 477696 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
    2007-06-27 10:34 459264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
    2007-06-27 10:34 44544 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
    2007-06-27 10:34 384512 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
    2007-06-27 10:34 383488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
    2007-06-27 10:34 27648 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
    2007-06-27 10:34 267776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
    2007-06-27 10:34 232960 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
    2007-06-27 10:34 230400 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
    2007-06-27 10:34 193024 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
    2007-06-27 10:34 153088 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
    2007-06-27 10:34 132608 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
    2007-06-27 10:34 124928 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
    2007-06-27 10:34 1152000 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
    2007-06-27 10:34 105984 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
    2007-06-27 10:34 102400 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
    2007-06-27 04:27 63488 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
    2007-06-27 04:27 625152 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
    2007-06-27 04:27 13824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
    2007-06-27 03:00 161792 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
    2007-06-26 22:10 317440 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\unregmp2.exe
    2007-06-26 02:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
    2007-06-26 02:08 1104896 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msxml3.dll
    2007-06-19 09:31 282112 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
    2007-06-19 09:31 282112 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
    2007-06-13 06:23 1033216 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\explorer.exe
    2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
    2007-06-11 23:51 10834944 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wmp.dll
    2006-11-16 10:41 28672 --a------ C:\DOCUME~1\JOHNHA~1\atwbxdet.dll
    2006-08-21 16:31 774144 --a------ C:\Program Files\RngInterstitial.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F5EEC70-A9AB-4429-8F99-AE3CD6490C05}]
    2007-09-08 18:25 244832 --a------ C:\WINDOWS\system32\pmnlk.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTSysVol "= "C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 12:43]
    "P17Helper "= "P17.dll" [2004-06-10 13:51 C:\WINDOWS\SYSTEM32\P17.dll]
    "UpdReg "= "C:\WINDOWS\UpdReg.EXE" [2000-05-11 03:00]
    "DVDLauncher "= "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 16:54]
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 02:05]
    "ATIPTA "= "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 21:05]
    "Easy-PrintToolBox "= "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-13 21:10]
    "pccguide.exe "= "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-23 14:26]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-09-09 23:11]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" []

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "MySpaceIM "=C:\Program Files\MySpace\IM\MySpaceIM.exe

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 19:15:06]

    C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 19:15:06]

    C:\DOCUME~1\AMYHAM~1\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 19:15:06]

    C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 19:15:06]

    C:\DOCUME~1\JACKIE~1\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 19:15:06]

    C:\DOCUME~1\JOHNHA~1\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 19:15:06]

    C:\DOCUME~1\TRACEY~1\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 19:15:06]

    C:\DOCUME~1\ZACHAR~1\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 19:15:06]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 C:\\WINDOWS\\system32\\pmnlk

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

    R1 hwinterface;hwinterface;C:\WINDOWS\system32\Drivers\hwinterface.sys
    R2 tmxpflt;tmxpflt;C:\WINDOWS\system32\DRIVERS\tmxpflt.sys
    R3 ovt519;PS2 EyeToy SLEH-00031 Webcam;C:\WINDOWS\system32\Drivers\ov519vid.sys
    R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys

    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-10 21:31:53
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-10 21:35:06 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-09-10 21:35
    .
    --- E O F ---


    Logfile of HijackThis v1.99.1
    Scan saved at 9:40:37 PM, on 10/09/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
    C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seventeen.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1109280920265
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174252980937
    O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab34501.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab43895.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab42858.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    Also, this all started happening Saturday night when my daughter was on msn messenger. When we go to open messenger now, a box comes up and states the publisher could not be verified????
    Also, when I started up IE7 after running combofix, I got a box popping up stating that IE is not my default browser. I am still getting the Winantiviruspro popups.

    Anyway, let me know what else I can do.

    Thanks!
    Tracey
     
  7. 2007/09/10
    noahdfear
    Copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\SYSTEM32\klnmp.ini2
    C:\WINDOWS\SYSTEM32\klnmp.bak2
    C:\WINDOWS\SYSTEM32\klnmp.bak1
    C:\WINDOWS\SYSTEM32\pmnlk.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F5EEC70-A9AB-4429-8F99-AE3CD6490C05}]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"="msv1_0"
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
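The CFScript format used above and the HijackThis entries it targets, as an added example that is not from the thread or from the ComboFix/HijackThis authors: a small parser for HijackThis-style log lines and a CFScript reader, plus the reversed-name check that the klnmp/pmnlk file names in the script illustrate. The sample lines are constructed; the O2 entry pairing the BHO CLSID with pmnlk.dll is illustrative only.

```python
"""Added example: parse HijackThis v1.99-style lines and a ComboFix CFScript,
then report which log entries the script's File::/Registry:: sections remove.
Not code from the thread or the tool authors; sample input is constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed HijackThis lines in the formats seen in this thread.  The second
# O2 line is illustrative: it pairs the BHO CLSID and the DLL that the CFScript
# above removes; the thread's own log does not show them side by side.
SAMPLE_HJT = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {2F5EEC70-A9AB-4429-8F99-AE3CD6490C05} - C:\WINDOWS\SYSTEM32\pmnlk.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
"""

# The CFScript from the post above, with the forum's stray spaces removed.
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\SYSTEM32\klnmp.ini2
C:\WINDOWS\SYSTEM32\klnmp.bak2
C:\WINDOWS\SYSTEM32\klnmp.bak1
C:\WINDOWS\SYSTEM32\pmnlk.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F5EEC70-A9AB-4429-8F99-AE3CD6490C05}]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"="msv1_0"
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ENTRY_RE = re.compile(r"^([ROF]\d+) - (.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[[^\]]+\] (.*)$")
MISSING = "(file missing)"


def parse_hjt_line(line: str) -> Optional[dict]:
    """Split one HijackThis entry into section, CLSID (if any), image path
    and a 'missing' flag.  Returns None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    missing = body.endswith(MISSING)
    if missing:
        body = body[: -len(MISSING)].rstrip()
    clsid = CLSID_RE.search(body)
    if section == "O4":
        # O4 targets may be quoted and carry arguments; keep the path only.
        o4 = O4_RE.match(body)
        target = o4.group(1) if o4 else body
        path = target.split('"')[1] if target.startswith('"') else target.split(" /")[0]
    else:
        # For O2/O3/O9/O20/O21/O23 the image path is the last " - " field.
        path = body.rsplit(" - ", 1)[-1]
    return {"section": section, "path": path.strip(), "missing": missing,
            "clsid": clsid.group(0).lower() if clsid else None}


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Read a CFScript into its sections; a section runs from its 'Name::'
    header to the next blank line, which is how ComboFix delimits them."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("::"):
            current = line[:-2].lower()
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
        else:
            current = None
    return sections


def entries_touched(hjt_text: str, cfscript: str) -> List[str]:
    """Return the HijackThis lines whose file or CLSID the CFScript removes."""
    script = parse_cfscript(cfscript)
    files = {p.lower() for p in script.get("file", [])}
    # A Registry:: line of the form [-KEY\{CLSID}] deletes that key.
    clsids = {c.lower() for k in script.get("registry", []) if k.startswith("[-")
              for c in CLSID_RE.findall(k)}
    hits = []
    for line in hjt_text.splitlines():
        e = parse_hjt_line(line)
        if e and (e["path"].lower() in files or e["clsid"] in clsids):
            hits.append(line.strip())
    return hits


def reversed_name_pairs(paths: List[str]) -> List[Tuple[str, str]]:
    """Naming check illustrated by the script's file list: the dropped DLL's
    base name reversed names its .ini/.bak companions (pmnlk <-> klnmp)."""
    stems = {p.rsplit("\\", 1)[-1].split(".")[0].lower() for p in paths}
    return sorted((s, s[::-1]) for s in stems if s[::-1] in stems and s < s[::-1])


if __name__ == "__main__":
    for hit in entries_touched(SAMPLE_HJT, SAMPLE_CFSCRIPT):
        print("script removes:", hit)
    print("reversed-name pairs:", reversed_name_pairs(parse_cfscript(SAMPLE_CFSCRIPT)["file"]))
```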
     
  8. 2007/09/10
    jazcan (Thread Starter)
    New logs and something else ?

    Hi,
    I noticed that when combofix was running, during the process a message came up and said "cannot open suspectsvc.cf".

    Also, on reboot my anti-virus automatically loads (I don't know how to disable it from doing so). Immediately after combofix finishes the log, I get three popup windows from my anti-virus stating suspicious software wants to perform task: dumphive.cfexe
    Freeloader.Smitfraud - my option is to ignore or delete, so I deleted the file.

    Here are the logs:

    ComboFix 07-09-10.6 - "Jackie Hamilton" 2007-09-10 22:56:41.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.195 [GMT -4:00]
    Command switches used :: C:\Documents and Settings\Jackie Hamilton\Desktop\CFScript.txt
    * Created a new restore point

    FILE::
    C:\WINDOWS\SYSTEM32\klnmp.ini2
    C:\WINDOWS\SYSTEM32\klnmp.bak2
    C:\WINDOWS\SYSTEM32\klnmp.bak1
    C:\WINDOWS\SYSTEM32\pmnlk.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\SYSTEM32\klnmp.bak1
    C:\WINDOWS\SYSTEM32\klnmp.bak2
    C:\WINDOWS\SYSTEM32\klnmp.ini2
    C:\WINDOWS\SYSTEM32\pmnlk.dll


    ((((((((((((((((((((((((( Files Created from 2007-08-11 to 2007-09-11 )))))))))))))))))))))))))))))))
    .

    2007-09-10 19:58 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
    2007-09-10 01:41 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-10 00:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
    2007-09-10 00:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-09-09 19:32 <DIR> d-------- C:\DOCUME~1\JACKIE~1\APPLIC~1\AdobeUM
    2007-09-09 13:22 <DIR> d-------- C:\VundoFix Backups
    2007-09-07 23:49 <DIR> d-------- C:\DOCUME~1\TRACEY~1\APPLIC~1\MySpace
    2007-08-30 19:39 <DIR> d-------- C:\DOCUME~1\ZACHAR~1\APPLIC~1\MySpace
    2007-08-30 18:17 <DIR> d-------- C:\DOCUME~1\AMYHAM~1\APPLIC~1\MySpace
    2007-08-30 14:19 <DIR> d-------- C:\DOCUME~1\JOHNHA~1\APPLIC~1\MySpace
    2007-08-30 13:01 <DIR> d-------- C:\Program Files\MySpace

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-10 09:51 --------- d-------- C:\Program Files\UPHClean
    2007-09-10 09:29 --------- d-------- C:\Program Files\Google
    2007-09-09 23:00 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
    2007-09-08 18:19 --------- d-------- C:\Program Files\MSN Messenger
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
    2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
    2007-07-30 19:19 271224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
    2007-07-30 19:19 207736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
    2007-07-25 20:50 --------- d-------- C:\DOCUME~1\JOHNHA~1\APPLIC~1\Viewpoint
    2007-07-25 20:50 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
    2007-06-26 02:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
    2007-06-19 09:31 282112 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
    2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
    2006-11-16 10:41 28672 --a------ C:\DOCUME~1\JOHNHA~1\atwbxdet.dll
    2006-08-21 16:31 774144 --a------ C:\Program Files\RngInterstitial.dll
    .

    ((((((((((((((((((((((((((((( snapshot_2007-09-10_213416.48 )))))))))))))))))))))))))))))))))))))))))
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 12:43]
    "P17Helper"="P17.dll" [2004-06-10 13:51 C:\WINDOWS\SYSTEM32\P17.dll]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 03:00]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 16:54]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 02:05]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 21:05]
    "Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-13 21:10]
    "pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-23 14:26]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-09-09 23:11]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 19:15:06]

    C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 19:15:06]

    C:\DOCUME~1\AMYHAM~1\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 19:15:06]

    C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 19:15:06]

    C:\DOCUME~1\JACKIE~1\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 19:15:06]

    C:\DOCUME~1\JOHNHA~1\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 19:15:06]

    C:\DOCUME~1\TRACEY~1\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 19:15:06]

    C:\DOCUME~1\ZACHAR~1\STARTM~1\Programs\Startup\
    DESKTOP.INI [2004-08-11 19:15:06]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

    R1 hwinterface;hwinterface;C:\WINDOWS\system32\Drivers\hwinterface.sys
    R2 tmxpflt;tmxpflt;C:\WINDOWS\system32\DRIVERS\tmxpflt.sys
    R3 ovt519;PS2 EyeToy SLEH-00031 Webcam;C:\WINDOWS\system32\Drivers\ov519vid.sys
    R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys

    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-10 23:02:50
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-10 23:04:22 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-09-10 23:04
    C:\ComboFix2.txt ... 2007-09-10 21:35
    .
    --- E O F ---

    Logfile of HijackThis v1.99.1
    Scan saved at 11:07:58 PM, on 10/09/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Hijackthis\HijackThis.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PccUpdUI.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\pcclient.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seventeen.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1109280920265
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174252980937
    O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab34501.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab43895.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab42858.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


    I haven't seen another popup this time. What is your opinion on msn messenger showing as "unknown" publisher. Should I uninstall it and then reinstall? Thanks so much for your help on this.
     
    Last edited: 2007/09/10
  9. 2007/09/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
That message on reboot was ComboFix finishing its work and should have been allowed. I should have warned you of that possibility. No harm done though.

    The logs look good. How's your machine running now? Have the popups stopped?

    When IE tells you it's not the default browser, there should also be an option for it to not check if it's the default browser and/or to make it the default browser. Selecting either one should stop that message from coming up.
     
  10. 2007/09/10
    jazcan Lifetime Subscription

    jazcan Inactive Thread Starter

    Joined:
    2002/05/05
    Messages:
    216
    Likes Received:
    0
    much better

    Wow, what a difference! It's like night and day. Pc-cillin still slows things down (it has always done that) but NO more popups so far (yay!!!!!)

    Thank you SOOOOO much. I was starting to think I might have to reinstall windows.


    Have a great night and thanks again

    Tracey
     
  11. 2007/09/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    We're not quite done yet. ;)

    Delete the following files/folders.

    C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
    C:\WINDOWS\NirCmd.exe
    C:\QOOBOX
    C:\VundoFix Backups
    all combofix and vundofix logs


    Download ATF Cleaner by Atribune and save it to your Desktop.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Reboot.


    Download and install AVG Anti-Spyware (AVG-AS)
    • When installation completes, start AVG-AS then click the Update tab at the top. Under Manual Update click Start update.
• After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner tab at the top.
    • Click the "Settings" tab and change the recommended action to Quarantine.
    • Click Automatically generate report after every scan.
• Go back to the "Scan" tab and click "Complete System Scan". This scan can take quite a while to run, so sit back and wait.
    • AVG-AS will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action.
    • Click the Apply all actions button. AVG-AS will display "All actions have been applied" on the right hand side.
• Click on "Save Report", then "Save Report As". Save the report where you know you can find it again (like on the Desktop) and take note of the name.
    • Close AVG-AS and reboot.

    Please post the contents of a new HiJackThis log and the AVG-AS report.


    Is MSN Messenger still giving you a popup message? If so, copy all the information given in the message and post it here.


    You probably won't like this part, but I see 4 users that frequent MySpace, and I'm going to quote a respected MVP-Security below.

    I personally have seen quite a few computers become infected after clicking links at My Space. I don't recommend it's use either.


    I'll check in tomorrow evening to see how you've progressed. Have a good night! :)
     
  12. 2007/09/11
    jazcan Lifetime Subscription

    jazcan Inactive Thread Starter

    Joined:
    2002/05/05
    Messages:
    216
    Likes Received:
    0
    Update:
    I did everything. I did run AVG but I didn't have the option to save report. It was greyed out. FYI - there were only two cookies so I deleted them. They were there probably because I ran the ATF cleaner while viewing this page.

    Logfile of HijackThis v1.99.1
    Scan saved at 01:41, on 2007-09-11
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1109280920265
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174252980937
    O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab34501.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab43895.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab42858.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    I ran a repair on MSN Messenger and all is good again.

Now, as far as myspace there are 2 sides to every coin. I have personally been on myspace for over a year and I have met some wonderful people that I consider very close friends. I have never been infected with a virus from myspace. The biggest problem there is usually hackers trying to gain access to accounts through phishing sites. There are safety precautions that users should follow and this applies to everywhere on the net. My daughters both have accounts that are private. They choose who they add as friends and they add only people they know or people that I approve of (such as bands or celeb accounts). I am actually working with a group of people on myspace trying to get rid of the poser/imposter situation in order to make it a safer place for everyone (especially children and teens). I list REAL celebrity accounts by verifying through photo/video verification, official websites that link to their myspace accounts or through publicists/managers/agents. Did you know Tom Hanks has a myspace account? He has a video on his profile and I also verified it through his publicist. I have spent countless hours verifying accounts so that fans know they're dealing with the real celebs and I do this so that an imposter won't have the opportunity to exploit someone (teenagers and younger users in particular). So, yes, there are bad people on myspace but there are bad people everywhere. It's to be expected since there are over 200 million accounts. There are many, many great people there too, so don't be so quick to discount it. Anyway, I won't go on anymore about it but if you're interested, I would be happy to discuss it further.

I truly thank you for your help. This computer is running great. I may change the anti-virus on this comp to AVG free edition. I've been using that on my computer and it runs great. I think the reason this computer became infected was sheer stupidity on my part. I gave my daughter administrative privileges about a week ago so that she could install something, and I forgot to change her back to a limited user.

    Now, I'm off to bed
    Take care,
    Tracey
     
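The helper reviewed the HijackThis log above by eye. As an added example (not part of this thread, and not code from HijackThis or any poster), here is a small Python triage script that parses a v1.99 log and lists the entries a reviewer would normally stop on: anything marked "(file missing)", O23 services with "Unknown owner", O16 DPF controls downloaded from a host outside a small allowlist, and every O20 Winlogon Notify hook. The allowlist and the rules are assumptions chosen for illustration; the sample log is a handful of lines copied from the log posted above. A hit is a prompt to look, not a verdict: on this log the hits are entries the helper's review already accepted as clean.

```python
"""Triage a HijackThis v1.99 log: list entries worth a second look.

Added example for this thread; the rules and allowlist are the reviewer's
own assumptions, not part of HijackThis or any post on the page.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a few lines copied from the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Assumption: domains from which a downloaded ActiveX control (O16 DPF) is
# considered expected on this machine. Anything else is listed for review.
TRUSTED_DPF_DOMAINS = ("microsoft.com", "msn.com", "live.com",
                       "macromedia.com", "windowsupdate.com")

# Every HJT finding starts with a section tag (R0, O4, O23, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Return (section, body) pairs for every R*/O* entry.

    Header lines and the 'Running processes' list do not match and are skipped.
    """
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def dpf_host(body):
    """Host of the CAB URL in an O16 line; the URL is the last ' - ' field."""
    url = body.rsplit(" - ", 1)[-1].strip()
    return (urlparse(url).hostname or "").lower()


def is_trusted_host(host, trusted=TRUSTED_DPF_DOMAINS):
    """Exact or subdomain match against the allowlist (no substring matching)."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def triage(text, trusted=TRUSTED_DPF_DOMAINS):
    """Return (section, reason, body) triples, one per reason per entry."""
    findings = []
    for section, body in parse_hjt(text):
        reasons = []
        if "(file missing)" in body:
            reasons.append("file missing")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("unknown owner")
        if section == "O16" and not is_trusted_host(dpf_host(body), trusted):
            reasons.append("dpf host not allowlisted")
        if section == "O20":
            # Winlogon Notify DLLs load into winlogon.exe at every logon,
            # so each one is listed for review regardless of name.
            reasons.append("winlogon notify hook")
        for reason in reasons:
            findings.append((section, reason, body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:4} {reason:26} {body[:90]}")
```

Run against the sample, the script lists the xpnetdiag and msgrapp "(file missing)" stubs, the PCPitstop CAB (the only O16 from a host outside the allowlist), the WgaLogon Winlogon hook, and the aspnet_state service twice (unknown owner and missing file). Feeding it the full log posted above gives the same kind of short list, which is exactly the set of lines a helper would check by hand before saying the log looks good.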
  13. 2007/09/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Delete ComboFix.exe and VundoFix.exe
    Empty the recycle bin.

    If you're satisfied that the computer is working properly, clear the System Restore points. They are infected.

    Clear past system restore points and create a new one.
    Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply. Click OK, then OK to close the System Properties dialog.

    Verify a new restore point was created.
    Click Start>All Programs>Accessories>System Tools>System Restore
    Select 'Restore my computer to an earlier time', then click next.
    You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point' then click Next. Give the restore point a name and click next.

    Your computer is now clean! Geri has posted some very helpful information and recommendations regarding future protection in the following link.

    http://www.windowsbbs.com/showpost.php?p=356653&postcount=49

    Surf safe!


    As far as MySpace goes, I have not been quick about my decision to stay away, or keep my kids away, or recommend others stay away from that online resource. It doesn't take that many news stories to convince me of the potential for abuse.

    http://www.msnbc.msn.com/id/12192496
    http://www.msnbc.msn.com/id/18699520/
    http://www.msnbc.msn.com/id/11064451/
    http://www.msnbc.msn.com/id/11165576/
    http://www.msnbc.msn.com/id/12210237/
    http://www.msnbc.msn.com/id/10272868/
    http://www.msnbc.msn.com/id/16688909/

The service you are providing there is valuable, don't get me wrong, but with, as you stated, over 200 million accounts, the celeb accounts, real or fake, are only a drop in a bucket of the potential hazards there. Tom Hanks has an account. That doesn't make it a safe place. Michael Jackson has one too.

As for infections, I've been helping to clean up those derived via MySpace since at least early 2005 if not longer. You said:

    You are here to get help with removing a bad infection. Can you be sure you didn't get it at MySpace? You wouldn't be the first, and you certainly will not be the last.
     
  14. 2007/09/11
    jazcan Lifetime Subscription

    jazcan Inactive Thread Starter

    Joined:
    2002/05/05
    Messages:
    216
    Likes Received:
    0
    Thanks again

    All is still looking good and running clean.
    Thanks for the link. I will be much more diligent about regular scans on this comp from now on.
    No, I guess I don't know where the virus came from but if I had to guess it's probably from MSN messenger. My kids have picked up several bad ones from there. They're on msn much more frequently than myspace.

    I know that there are problems with myspace and no, I can't solve it or make it safe all by myself. I'm trying to do something, no matter how small to make it safer. It's NOT going away anytime soon as it is still a very popular site for young people.
If a city becomes unsafe does everyone just move away? No, they beef up their security and get the community to unite. It doesn't happen right away and myspace needs people to start taking action. If they see an inappropriate profile, report it. WATCH your kids online. Many of my kids' friends have myspace accounts that their parents don't know about. I would rather be there, watching, on my child's profile to see what is going on than have my child sneaking behind my back because I banned them from myspace.
No, I'm not saying they have free rein, but I get angry when parents let computers babysit their kids and then blame websites for their children's actions. We should know what our kids are doing online. If we don't know about computers then find someone who does and LEARN.

    Anyway, myspace isn't for everyone but I'm not ready to throw in the towel just yet.
    Thanks again for your help and hopefully I won't be back with anymore problems anytime soon!!!!

    Take care,
    Tracey
     
  15. 2007/09/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Happy to help Tracey :) I'll mark this topic resolved.


    Keep up the good fight! ;)
     
