
Solved Need some help with Hijackthis log

Discussion in 'Malware and Virus Removal Archive' started by BillB, 2008/03/05.

  1. 2008/03/05
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    [Resolved] Need some help with Hijackthis log

    I'm trying to help a friend clean up his PC; it seems to have some nasty stuff on it. I've installed Spybot and AVG Anti-Spyware, updated them and run scans. They both removed some stuff, Virtumonde mostly. I've also installed and updated SpywareBlaster. He has McAfee already installed, so I updated it and ran a scan; it didn't find anything.

    I believe there is still something wrong with it: during boot, after the desktop loads, several CMD windows pop up and disappear rather quickly, too quickly to read anything in them. I'm posting the HijackThis log for someone to have a look at; hopefully there's nothing left that's too bad.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:45:19 PM, on 3/5/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Aventail\Connect\as32svc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Analog Devices\SoundMAX\smagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    D:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
    C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
    C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: {8d984751-39cb-305b-e684-0847c1a50642} - {24605a1c-7480-486e-b503-bc93157489d8} - C:\WINDOWS\system32\hkffygeh.dll
    O2 - BHO: (no name) - {2F6865AB-D5EE-42B7-A290-23DF1F4626CD} - C:\WINDOWS\system32\pmkhh.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe "
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe "
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe "
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe "
    O4 - HKLM\..\Run: [3ff743fa] rundll32.exe "C:\WINDOWS\system32\vpirrata.dll ",b
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\DOCUME~1\KEVINS~1\MYDOCU~1\COMCAS~1\data\xtras\MS01A0~2.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [RegistryCleanFixMFC] E:\Program Files\RegistryCleaner\RegistryCleaner.exe
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra button: ComcastHSI - {9E3EBCA0-4B78-11D8-A19F-000C6EAF3F80} - http://www.comcast.net (file missing) (HKCU)
    O9 - Extra button: Help - {9E3EBCA1-4B78-11D8-A19F-000C6EAF3F80} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
    O9 - Extra button: Support - {9E3EBCA2-4B78-11D8-A19F-000C6EAF3F80} - http://www.comcastsupport.com (file missing) (HKCU)
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/NBCUniversal_1_0_0_3.cab
    O20 - Winlogon Notify: ddccyyy - ddccyyy.dll (file missing)
    O23 - Service: Aventail Connect (As32Svc) - Aventail Corporation - C:\Program Files\Aventail\Connect\as32svc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\smagent.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O24 - Desktop Component 0: (no name) - file:///C:/My%20Documents/My%20Pictures/philip4.jpg

    --
    End of file - 9846 bytes
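As an added example (not part of BillB's post, and not code from the HijackThis tool), here is a small Python triage script that applies the checks a log reviewer makes by eye to the O2, O4 and O20 lines in the log above: a BHO with no readable name or one loaded from system32 instead of a product directory, a Run value named by eight hex digits that calls rundll32 with a single-letter export, and a Winlogon Notify hook whose DLL is already gone. The sample lines are copied from the log above into a constructed string (with a few clean entries mixed in so the heuristics have something to leave alone); the heuristics, severities and function names are the example's own assumptions, not the forum's or the tool's.

```python
"""Triage a HijackThis (HJT) log for the registry hooks a Vundo/Virtumonde
infection typically leaves behind. Heuristics are this example's own."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: entries in the shape of the log posted above, plus
# clean ones (Adobe BHO, ATI and ctfmon Run entries, AVG service).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {8d984751-39cb-305b-e684-0847c1a50642} - {24605a1c-7480-486e-b503-bc93157489d8} - C:\WINDOWS\system32\hkffygeh.dll
O2 - BHO: (no name) - {2F6865AB-D5EE-42B7-A290-23DF1F4626CD} - C:\WINDOWS\system32\pmkhh.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [3ff743fa] rundll32.exe "C:\WINDOWS\system32\vpirrata.dll ",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ddccyyy - ddccyyy.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK.*?)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<dll>\S+)(?P<missing> \(file missing\))?$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
HEX_VALUE_RE = re.compile(r"^[0-9a-fA-F]{8}$")
SYSTEM32_RE = re.compile(r"\\system32\\", re.IGNORECASE)
# rundll32 "<path>.dll",<x> with a single-letter export name
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)\s*"?\s*,\s*(?P<entry>[A-Za-z])\s*$',
    re.IGNORECASE)


@dataclass
class Finding:
    section: str
    severity: str  # "high" or "medium"
    reason: str
    line: str


def check_bho(body, line):
    """O2: browser helper objects. Legit ones carry a product name and live
    under a product directory, not in system32."""
    m = BHO_RE.match(body)
    if not m:
        return []
    out = []
    name, path = m.group("name"), m.group("path")
    if name == "(no name)" or GUID_RE.match(name):
        out.append(Finding("O2", "medium", "BHO with no readable name", line))
    if SYSTEM32_RE.search(path):
        out.append(Finding("O2", "high", "BHO DLL loaded from system32", line))
    if "(file missing)" in path:
        out.append(Finding("O2", "medium", "orphaned BHO registration (DLL gone)", line))
    return out


def check_run(body, line):
    """O4: Run keys. Flag hex-named values and rundll32 loading a system32 DLL
    through a one-letter export."""
    m = RUN_RE.match(body)
    if not m:
        return []
    out = []
    value, cmd = m.group("value"), m.group("cmd").strip()
    if HEX_VALUE_RE.match(value):
        out.append(Finding("O4", "medium", "Run value named with 8 hex digits", line))
    r = RUNDLL_RE.match(cmd)
    if r and SYSTEM32_RE.search(r.group("dll")):
        dll = r.group("dll").rsplit("\\", 1)[-1]
        out.append(Finding("O4", "high",
                           f"rundll32 loads {dll} from system32 via export '{r.group('entry')}'", line))
    return out


def check_notify(body, line):
    """O20: Winlogon Notify packages run inside winlogon at every logon."""
    m = NOTIFY_RE.match(body)
    if not m:
        return []
    if m.group("missing"):
        return [Finding("O20", "high", "orphaned Winlogon Notify hook (DLL gone); key should be cleared", line)]
    return [Finding("O20", "medium", "non-default Winlogon Notify hook; verify the publisher", line)]


def triage(text):
    """Run every check over each HJT entry line; return all findings."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O2":
            findings.extend(check_bho(body, line))
        elif section == "O4":
            findings.extend(check_run(body, line))
        elif section == "O20":
            findings.extend(check_notify(body, line))
    return findings


def flagged_lines(findings):
    """Distinct log lines that produced at least one finding."""
    return sorted({f.line for f in findings})


def summarize(findings):
    """Count findings per severity, e.g. {'high': 4, 'medium': 4}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run on the sample it flags exactly the four lines with randomly named DLLs (hkffygeh, pmkhh, vpirrata, ddccyyy) and leaves the Adobe, ATI, ctfmon and AVG entries alone. The system32 check for BHOs is the deliberately strict part: a BHO shipping in system32 is rare enough that it is worth a manual look every time, which is cheaper than trying to score "random-looking" file names.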
     
  2. 2008/03/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Bill,

    Download ComboFix by sUBs from here, saving the file to your desktop.

    It's best to disable realtime protection applications, as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.
     


  4. 2008/03/06
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    Hi Dave,

    I just saw your post this morning, I'll follow the instructions this evening when I get home and post back then.

    One more thing I noticed that's a little strange: when you open My Computer on this machine, there's a red 'X' by the C drive. When you try to click on it, it tries to install Roxio Easy CD V6, but that product is already installed.
     
  5. 2008/03/06
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    Dave,

    Here are the two logs:

    ComboFix 08-03-05.1 - Kevin Saunders 2008-03-06 16:27:07.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.425 [GMT -5:00]
    Running from: C:\Documents and Settings\Kevin Saunders\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:44:55 PM, on 3/6/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Aventail\Connect\as32svc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Analog Devices\SoundMAX\smagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    D:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2F6865AB-D5EE-42B7-A290-23DF1F4626CD} - C:\WINDOWS\system32\pmkhh.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe "
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe "
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe "
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe "
    O4 - HKLM\..\Run: [3ff743fa] rundll32.exe "C:\WINDOWS\system32\vpirrata.dll ",b
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\DOCUME~1\KEVINS~1\MYDOCU~1\COMCAS~1\data\xtras\MS01A0~2.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [RegistryCleanFixMFC] E:\Program Files\RegistryCleaner\RegistryCleaner.exe
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra button: ComcastHSI - {9E3EBCA0-4B78-11D8-A19F-000C6EAF3F80} - http://www.comcast.net (file missing) (HKCU)
    O9 - Extra button: Help - {9E3EBCA1-4B78-11D8-A19F-000C6EAF3F80} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
    O9 - Extra button: Support - {9E3EBCA2-4B78-11D8-A19F-000C6EAF3F80} - http://www.comcastsupport.com (file missing) (HKCU)
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/NBCUniversal_1_0_0_3.cab
    O20 - Winlogon Notify: ddccyyy - ddccyyy.dll (file missing)
    O23 - Service: Aventail Connect (As32Svc) - Aventail Corporation - C:\Program Files\Aventail\Connect\as32svc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\smagent.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O24 - Desktop Component 0: (no name) - file:///C:/My%20Documents/My%20Pictures/philip4.jpg

    --
    End of file - 9295 bytes


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\BM3cc47066.xml
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\start.exe
    C:\WINDOWS\system32\aodbakyl.dll
    C:\WINDOWS\SYSTEM32\atarripv.ini
    C:\WINDOWS\system32\batbnsff.dll
    C:\WINDOWS\system32\cjeafwrx.dll
    C:\WINDOWS\system32\enouicpl.dll
    C:\WINDOWS\SYSTEM32\ffsnbtab.ini
    C:\WINDOWS\SYSTEM32\gmqddfyu.ini
    C:\WINDOWS\system32\gphdnteh.dll
    C:\WINDOWS\system32\gykyymhm.dll
    C:\WINDOWS\SYSTEM32\hbqkpjxq.ini
    C:\WINDOWS\SYSTEM32\hhkmp.ini
    C:\WINDOWS\SYSTEM32\hhkmp.ini2
    C:\WINDOWS\system32\hkffygeh.dll
    C:\WINDOWS\system32\hkmaaxrm.dll
    C:\WINDOWS\system32\hsahswjt.dll
    C:\WINDOWS\system32\jflwnhry.dll
    C:\WINDOWS\SYSTEM32\lgdlbrgy.ini
    C:\WINDOWS\system32\lgkhkwpx.dll
    C:\WINDOWS\system32\lkcqljrr.dll
    C:\WINDOWS\SYSTEM32\lpciuone.ini
    C:\WINDOWS\SYSTEM32\mhmyykyg.ini
    C:\WINDOWS\SYSTEM32\nurhngkq.ini
    C:\WINDOWS\SYSTEM32\nyqckaae.ini
    C:\WINDOWS\system32\qwjidvqb.dll
    C:\WINDOWS\system32\qxjpkqbh.dll
    C:\WINDOWS\SYSTEM32\rmgiiugv.ini
    C:\WINDOWS\SYSTEM32\rvlbwhpu.ini
    C:\WINDOWS\SYSTEM32\uhoqkmhf.ini
    C:\WINDOWS\system32\uphwblvr.dll
    C:\WINDOWS\system32\uyfddqmg.dll
    C:\WINDOWS\SYSTEM32\vreafjow.ini
    C:\WINDOWS\SYSTEM32\wrifmyrx.ini
    C:\WINDOWS\system32\xrymfirw.dll
    C:\WINDOWS\system32\yercnlac.dll
    C:\WINDOWS\Web\default.htt

    .
    ((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
    .

    2008-03-05 19:36 . 2008-03-05 19:36 <DIR> d-------- C:\HJT
    2008-03-04 22:44 . 2008-03-04 22:44 <DIR> d-------- C:\Program Files\SpywareBlaster
    2008-03-04 20:34 . 2008-03-04 20:34 <DIR> d-------- C:\Documents and Settings\Kevin Saunders\Application Data\Grisoft
    2008-03-04 20:34 . 2008-03-04 20:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
    2008-03-04 20:34 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
    2008-03-04 18:36 . 2008-03-04 18:36 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-03-04 18:30 . 2008-03-04 18:30 <DIR> d-------- C:\tmp
    2008-02-24 13:41 . 2008-02-24 13:41 <DIR> d--hs---- C:\FOUND.035
    2008-02-22 17:10 . 2008-02-22 17:10 <DIR> d--hs---- C:\FOUND.034

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-06 14:51 171,400 ----a-w C:\WINDOWS\system32\drivers\mfehidk.sys
    2008-02-02 11:10 96,832 ----a-w C:\WINDOWS\SYSTEM32\qbjpwwdf.dll
    2008-01-31 00:48 94,208 ----a-w C:\WINDOWS\DUMP51c9.tmp
    2008-01-27 17:25 --------- d-----w C:\Program Files\Support Tools
    2008-01-13 22:02 90,112 ----a-w C:\WINDOWS\UpdReg .EXE
    2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pngfilt.dll
    2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtmsft.dll
    2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mrxdav.sys
    2007-12-08 05:21 3,592,192 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
    2007-12-06 11:01 625,664 ----a-w C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
    2007-12-06 11:00 70,656 ----a-w C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
    2007-12-06 11:00 13,824 ----a-w C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
    2007-12-06 04:59 161,792 ----a-w C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
    2004-05-16 16:54 266 --sh--w C:\Program Files\desktop.ini
    2004-05-16 16:54 11,079 ---h--w C:\Program Files\folder.htt
    2001-10-08 17:59 18,880 ----a-w C:\WINDOWS\FONTS\SETE01A.TMP
    2001-10-08 17:59 18,880 ----a-w C:\WINDOWS\FONTS\SETE019.TMP
    2001-10-08 17:59 18,880 ----a-w C:\WINDOWS\FONTS\SETE018.TMP
    2001-10-08 17:59 18,880 ----a-w C:\WINDOWS\FONTS\SETE017.TMP
    2001-10-08 17:59 18,880 ----a-w C:\WINDOWS\FONTS\SETE016.TMP
    2001-10-08 17:59 18,880 ----a-w C:\WINDOWS\FONTS\SETE015.TMP
    2001-10-08 17:59 18,880 ----a-w C:\WINDOWS\FONTS\SETE014.TMP
    2005-10-12 01:01 8 --sh--w C:\WINDOWS\All Users\DRM\pdrm.dat
    .
    Code:
    <pre>
    ----a-w            90,112 2008-01-13 22:02:34  C:\WINDOWS\UpdReg .EXE
    ----a-w            65,536 2008-01-13 22:02:30  C:\Program Files\Common Files\Roxio Shared\System\EngUtil .exe
    ----a-w           335,872 2008-01-13 22:02:32  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
    ----a-w            28,672 2008-01-13 22:02:36  C:\Program Files\Creative\SBLive\Program\ADGJDet .exe
    ----a-w            63,712 2008-01-13 22:02:34  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
    ----a-w            98,304 2008-01-13 23:16:12  C:\Program Files\QuickTime\qttask .exe
    ----a-w            98,304 2008-01-13 23:16:12  C:\Program Files\QuickTime\qttask  .exe
    ----a-w            98,304 2008-01-13 23:16:12  C:\Program Files\QuickTime\qttask   .exe
    ----a-w            98,304 2008-01-13 23:16:12  C:\Program Files\QuickTime\qttask    .exe
    ----a-w            98,304 2008-01-13 23:16:10  C:\Program Files\QuickTime\qttask     .exe
    ----a-w            98,304 2008-01-13 23:16:10  C:\Program Files\QuickTime\qttask      .exe
    ----a-w            98,304 2008-01-13 23:16:10  C:\Program Files\QuickTime\qttask       .exe
    ----a-w            98,304 2008-01-13 23:16:10  C:\Program Files\QuickTime\qttask        .exe
    ----a-w            98,304 2008-01-13 23:16:10  C:\Program Files\QuickTime\qttask         .exe
    ----a-w            98,304 2008-01-13 23:16:10  C:\Program Files\QuickTime\qttask          .exe
    ----a-w            98,304 2008-01-13 23:16:10  C:\Program Files\QuickTime\qttask           .exe
    ----a-w            98,304 2008-01-13 23:16:10  C:\Program Files\QuickTime\qttask            .exe
    ----a-w            98,304 2008-01-13 23:16:10  C:\Program Files\QuickTime\qttask             .exe
    ----a-w            98,304 2008-01-01 16:26:58  C:\Program Files\QuickTime\qttask              .exe
    ----a-w           868,352 2008-01-13 22:02:32  C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe
    ----a-w           319,488 2008-01-13 22:02:32  C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe
    ----a-w         1,694,208 2008-01-04 16:32:16  C:\Program Files\Messenger\msmsgs .exe
    ----a-w            53,248 2008-01-13 22:02:30  C:\Program Files\REGSHAVE\REGSHAVE .EXE
    ----a-w            68,856 2008-01-13 22:02:46  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    ----a-w           192,512 2008-01-13 23:02:46  C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MSSYSM~1 .EXE
    ----a-w           192,512 2008-01-13 23:02:46  C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MSSYSM~2 .EXE
    ----a-w           192,512 2008-01-13 23:02:46  C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MSSYSM~3 .EXE
    ----a-w           192,512 2008-01-13 23:02:46  C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MSSYSM~4 .EXE
    ----a-w           192,512 2008-01-13 23:02:44  C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MS28C2~1 .EXE
    ----a-w           192,512 2008-01-13 23:02:44  C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MS28C2~2 .EXE
    ----a-w           192,512 2008-01-13 23:02:44  C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MS28C2~3 .EXE
    ----a-w           192,512 2008-01-13 23:02:44  C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MS28C2~4 .EXE
    ----a-w           192,512 2008-01-13 23:02:44  C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MS872A~1 .EXE
    ----a-w           192,512 2008-01-13 23:02:44  C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MS872A~2 .EXE
    ----a-w           192,512 2008-01-13 23:02:44  C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MS872A~3 .EXE
    ----a-w           192,512 2008-01-13 23:02:44  C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MS872A~4 .EXE
    ----a-w           192,512 2008-01-13 23:02:44  C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MS9997~1 .EXE
    ----a-w           192,512 2008-01-13 23:02:46  C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MS9997~2 .EXE
    ----a-w           192,512 2008-01-13 23:02:46  C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MS9997~3 .EXE
    ----a-w           192,512 2008-01-13 23:02:46  C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MS9997~4 .EXE
    </pre>

    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24605a1c-7480-486e-b503-bc93157489d8}]
    C:\WINDOWS\system32\hkffygeh.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F6865AB-D5EE-42B7-A290-23DF1F4626CD}]
    C:\WINDOWS\system32\pmkhh.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
    @={7D688A77-C613-11D0-999B-00C04FD655E1}

    [HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
    2007-10-25 22:34 8460288 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PhotoShow Deluxe Media Manager "= "C:\DOCUME~1\KEVINS~1\MYDOCU~1\COMCAS~1\data\xtras\MS01A0~2.EXE" [ ]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [ ]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:56 15360]
    "RegistryCleanFixMFC "= "E:\Program Files\RegistryCleaner\RegistryCleaner.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SystemTray "= "SysTray.Exe" [2001-08-23 12:00 3072 C:\WINDOWS\SYSTEM32\systray.exe]
    "HP Component Manager "= "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [ ]
    "REGSHAVE "= "C:\Program Files\REGSHAVE\REGSHAVE.exe" [ ]
    "RoxioEngineUtility "= "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [ ]
    "RoxioDragToDisc "= "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [ ]
    "RoxioAudioCentral "= "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [ ]
    "ATIPTA "= "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
    "KernelFaultCheck "= "C:\WINDOWS\system32\dumprep 0 -k" [ ]
    "Adobe Photo Downloader "= "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [ ]
    "CTHelper "= "CTHELPER.EXE" [2003-08-28 03:45 24576 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
    "Jet Detection "= "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [ ]
    "3ff743fa "= "C:\WINDOWS\system32\vpirrata.dll" [ ]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
    "combofix "= "C:\WINDOWS\system32\CF9942.exe" [2004-08-04 04:56 388608]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Picasa Media Detector "= "C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 21:17 443968]

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38 241664]
    HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36 53248]
    Exif Launcher.lnk - D:\Program Files\FinePixViewer\QuickDCF.exe [2005-08-28 23:43:24 200704]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "= 0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "= 0 (0x0)
    "DisableTaskMgr "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccyyy]
    ddccyyy.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^Kevin Saunders^Start Menu^Programs^Startup^Axis & Allies Registration.lnk]
    path=C:\Documents and Settings\Kevin Saunders\Start Menu\Programs\Startup\Axis & Allies Registration.lnk
    backup=C:\WINDOWS\pss\Axis & Allies Registration.lnkStartup

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ATI Launchpad "= "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE "
    "LDM "=\Program\BackWeb-8876480.exe
    "RemoteCenter "=C:\Program Files\Creative\SBLive\RemoteCenter\Rc\RcMan.EXE
    "ScanSpyware v3.5 "= "C:\PROGRAM FILES\SCANSPYWARE V3.5\SCANNER.EXE "
    "SpySweeper "=C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    "Yahoo! Pager "=E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "CTHelper "=CTHELPER.EXE
    "ICServer "=C:\PROGRAM FILES\INTERCAST\COMPONENTS\ICSERVER.EXE
    "HydarVisionDesktopManager "=desk98.exe
    "ATIPTA "=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    "smapp "=C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    "Alogserv "=C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    "MCAgentExe "=C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
    "MCUpdateExe "=C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
    "MPFExe "=C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    "InCD "=C:\Program Files\ahead\InCD\InCD.exe
    "POINTER "=point32.exe
    "BJCFD "=C:\Program Files\BroadJump\Client Foundation\CFD.exe
    "SAClient "= "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
    "SAUpdate "= "C:\Program Files\Comcast\BBClient\Programs\SAUpdate.exe "
    "ComcastSUPPORT "=C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
    "ICSMGR "=ICSMGR.EXE
    "CriticalUpdate "=C:\WINDOWS\SYSTEM32\WUCRTUPD.EXE -startup
    "zBrowser Launcher "=C:\Program Files\Logitech\iTouch\iTouch.exe
    "Logitech Utility "=LOGI_MWX.EXE
    "MMTray "=C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    "DDCM "= "C:\PROGRAM FILES\WILDTANGENT\DDC\DDCMANAGER\DDCMan.exe" -Background
    "DDCActiveMenu "= "C:\PROGRAM FILES\WILDTANGENT\DDC\ACTIVEMENU\DDCACTIVEMENU.EXE" -boot
    "Jet Detection "= "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe "
    "DealHelperUpdate "=C:\WINDOWS\DHUpdt.exe
    "DealHelperBrwsr "=C:\WINDOWS\dhbrwsr.exe
    "messview "=C:\PROGRA~1\DARTMA~1\HoldPingWeb.exe
    "NewsUpd "=C:\Program Files\Creative\News\NewsUpd.EXE /q
    "Disc Detector "=C:\Program Files\Creative\ShareDLL\CtNotify.exe
    "GPL WIPE JUMP BURN "=C:\Documents and Settings\Philip Saunders\Application Data\The Window Gpl Wipe\Joy loud.exe
    "PCDRealtime "=C:\WINDOWS\realtime.exe
    "TaskMonitor "=C:\WINDOWS\taskmon.exe
    "bpcpost.exe "=C:\WINDOWS\SYSTEM\bpcpost.exe
    "LoadPowerProfile "=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    "LifeScape Media Detector "=C:\Program Files\Picasa\PicasaMediaDetector.exe
    "REGSHAVE "=C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    "IntelliType "= "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe "
    "projselector "= "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
    "RoxioEngineUtility "= "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe "
    "RoxioDragToDisc "= "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe "
    "RoxioAudioCentral "= "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe "
    "ScanRegistry "=C:\WINDOWS\scanregw.exe /autorun
    "StillImageMonitor "=C:\WINDOWS\SYSTEM32\STIMON.EXE
    "HP Software Update "=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    "HP Component Manager "= "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    "mdac_runonce "=C:\WINDOWS\SYSTEM32\RUNONCE.EXE
    "Picasa Media Detector "=C:\Program Files\Picasa2\PicasaMediaDetector.exe
    "AVG7_CC "=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    "AVG7_AMSVR "=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
    "ATISmart "=C:\WINDOWS\SYSTEM32\ati2s9ag.exe
    "TVWakeup "=C:\Progra~1\TVView~1\tvwakeup.exe
    "SchedulingAgent "=mstask.exe
    "VidSvr "=
    "Announcements "=C:\Program Files\TV Viewer\annclist.exe
    "McAfeeVirusScanService "=C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    "ATIPOLL "=ati2evxx.exe
    "LoadPowerProfile "=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    "KB891711 "=C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001
    "FirewallDisableNotify "=dword:00000001
    "UpdatesDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "D:\\Westwood\\Renegade\\Game.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=

    R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2005-09-11 09:48]
    R2 Viewpoint Manager Service;Viewpoint Manager Service; "C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
    R3 Astdi;Astdi;C:\Program Files\Aventail\Connect\asnttdi.sys [2003-12-07 18:15]
    S3 Ascrypto;Ascrypto;C:\Program Files\Aventail\Connect\ascrypto.sys [2003-12-07 18:15]
    S3 ASUSHWIO;ASUSHWIO;C:\WINDOWS\system32\drivers\ASUSHWIO.sys []


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}]
    rundll32.exeadvpack.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
    C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-06 16:34:49
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Aventail\Connect\as32svc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Analog Devices\SoundMAX\smagent.exe
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    .
    **************************************************************************
    .
    Completion time: 2008-03-06 16:36:30 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-03-06 21:36:26
    .
    2008-02-15 19:40:00 --- E O F ---
     
  6. 2008/03/07
    noahdfear

    Had an extremely long day and I'm wiped out. I'll respond this evening with further cleanup instructions.
     
  7. 2008/03/07
    noahdfear

    Bill, there are a number of registry entries that cause me to ask, was this machine upgraded from Win98 or ME?

    ScanSpyware v3.5 is on the list of rogue antispyware apps, and I recommend you uninstall it.


    Please delete the ComboFix.exe file you currently have and download a fresh copy from here, saving it to your desktop.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\SYSTEM32\qbjpwwdf.dll
    C:\WINDOWS\DUMP51c9.tmp
    C:\WINDOWS\FONTS\SETE01A.TMP
    C:\WINDOWS\FONTS\SETE019.TMP
    C:\WINDOWS\FONTS\SETE018.TMP
    C:\WINDOWS\FONTS\SETE017.TMP
    C:\WINDOWS\FONTS\SETE016.TMP
    C:\WINDOWS\FONTS\SETE015.TMP
    C:\WINDOWS\FONTS\SETE014.TMP
    RenV::
    C:\WINDOWS\UpdReg .EXE
    C:\Program Files\Common Files\Roxio Shared\System\EngUtil .exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
    C:\Program Files\Creative\SBLive\Program\ADGJDet .exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask  .exe
    C:\Program Files\QuickTime\qttask   .exe
    C:\Program Files\QuickTime\qttask    .exe
    C:\Program Files\QuickTime\qttask     .exe
    C:\Program Files\QuickTime\qttask      .exe
    C:\Program Files\QuickTime\qttask       .exe
    C:\Program Files\QuickTime\qttask        .exe
    C:\Program Files\QuickTime\qttask         .exe
    C:\Program Files\QuickTime\qttask          .exe
    C:\Program Files\QuickTime\qttask           .exe
    C:\Program Files\QuickTime\qttask            .exe
    C:\Program Files\QuickTime\qttask             .exe
    C:\Program Files\QuickTime\qttask              .exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe
    C:\Program Files\Messenger\msmsgs .exe
    C:\Program Files\REGSHAVE\REGSHAVE .EXE
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MSSYSM~1 .EXE
    C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MSSYSM~2 .EXE
    C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MSSYSM~3 .EXE
    C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MSSYSM~4 .EXE
    C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MS28C2~1 .EXE
    C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MS28C2~2 .EXE
    C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MS28C2~3 .EXE
    C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MS28C2~4 .EXE
    C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MS872A~1 .EXE
    C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MS872A~2 .EXE
    C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MS872A~3 .EXE
    C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MS872A~4 .EXE
    C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MS9997~1 .EXE
    C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MS9997~2 .EXE
    C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MS9997~3 .EXE
    C:\Documents and Settings\Kevin Saunders\My Documents\Comcast PhotoShow 4\data\Xtras\MS9997~4 .EXE
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24605a1c-7480-486e-b503-bc93157489d8}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F6865AB-D5EE-42B7-A290-23DF1F4626CD}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "KernelFaultCheck "=-
     "3ff743fa "=-
     "combofix "=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccyyy]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
     "ScanSpyware v3.5 "=-
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  8. 2008/03/08
    BillB Lifetime Subscription

    Hi Dave,

    If anything, I believe it would have been updated from Win98SE to XP, but it seems to me he had to reformat and reload XP once before; I will verify with him. I didn't see anything called ScanSpyware to uninstall. Also, there is a pop-up error message appearing after the desktop loads:
    C:\windows\system32\vpirrata.dll module not found.

    Here is the ComboFix log:

    ComboFix 08-03-07.4 - Kevin Saunders 2008-03-08 12:02:47.2 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.337 [GMT -5:00]
    Running from: C:\Documents and Settings\Kevin Saunders\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Kevin Saunders\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\DUMP51c9.tmp
    C:\WINDOWS\FONTS\SETE014.TMP
    C:\WINDOWS\FONTS\SETE015.TMP
    C:\WINDOWS\FONTS\SETE016.TMP
    C:\WINDOWS\FONTS\SETE017.TMP
    C:\WINDOWS\FONTS\SETE018.TMP
    C:\WINDOWS\FONTS\SETE019.TMP
    C:\WINDOWS\FONTS\SETE01A.TMP
    C:\WINDOWS\SYSTEM32\qbjpwwdf.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\DUMP51c9.tmp
    C:\WINDOWS\FONTS\SETE014.TMP
    C:\WINDOWS\FONTS\SETE015.TMP
    C:\WINDOWS\FONTS\SETE016.TMP
    C:\WINDOWS\FONTS\SETE017.TMP
    C:\WINDOWS\FONTS\SETE018.TMP
    C:\WINDOWS\FONTS\SETE019.TMP
    C:\WINDOWS\FONTS\SETE01A.TMP
    C:\WINDOWS\system32\fkhoxglf.dllbox
    C:\WINDOWS\SYSTEM32\qbjpwwdf.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
    .

    2008-03-05 19:36 . 2008-03-05 19:36 <DIR> d-------- C:\HJT
    2008-03-04 22:44 . 2008-03-04 22:44 <DIR> d-------- C:\Program Files\SpywareBlaster
    2008-03-04 20:34 . 2008-03-04 20:34 <DIR> d-------- C:\Documents and Settings\Kevin Saunders\Application Data\Grisoft
    2008-03-04 20:34 . 2008-03-04 20:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
    2008-03-04 20:34 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
    2008-03-04 18:36 . 2008-03-04 18:36 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-03-04 18:30 . 2008-03-04 18:30 <DIR> d-------- C:\tmp
    2008-02-24 13:41 . 2008-02-24 13:41 <DIR> d--hs---- C:\FOUND.035
    2008-02-22 17:10 . 2008-02-22 17:10 <DIR> d--hs---- C:\FOUND.034

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-06 14:51 171,400 ----a-w C:\WINDOWS\system32\drivers\mfehidk.sys
    2008-01-27 17:25 --------- d-----w C:\Program Files\Support Tools
    2008-01-13 22:02 90,112 ----a-w C:\WINDOWS\UpdReg.EXE
    2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pngfilt.dll
    2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtmsft.dll
    2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mrxdav.sys
    2007-12-08 05:21 3,592,192 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
    2004-05-16 16:54 266 --sh--w C:\Program Files\desktop.ini
    2004-05-16 16:54 11,079 ---h--w C:\Program Files\folder.htt
    2005-10-12 01:01 8 --sh--w C:\WINDOWS\All Users\DRM\pdrm.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F6865AB-D5EE-42B7-A290-23DF1F4626CD}]
    C:\WINDOWS\system32\pmkhh.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
    @={7D688A77-C613-11D0-999B-00C04FD655E1}

    [HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
    2007-10-25 22:34 8460288 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PhotoShow Deluxe Media Manager "= "C:\DOCUME~1\KEVINS~1\MYDOCU~1\COMCAS~1\data\xtras\MS01A0~2.EXE" [ ]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2008-01-04 11:32 1694208]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:56 15360]
    "RegistryCleanFixMFC "= "E:\Program Files\RegistryCleaner\RegistryCleaner.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SystemTray "= "SysTray.Exe" [2001-08-23 12:00 3072 C:\WINDOWS\SYSTEM32\systray.exe]
    "HP Component Manager "= "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [ ]
    "REGSHAVE "= "C:\Program Files\REGSHAVE\REGSHAVE.exe" [2008-01-13 17:02 53248]
    "RoxioEngineUtility "= "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2008-01-13 17:02 65536]
    "RoxioDragToDisc "= "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2008-01-13 17:02 868352]
    "RoxioAudioCentral "= "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2008-01-13 17:02 319488]
    "ATIPTA "= "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-13 17:02 335872]
    "Adobe Photo Downloader "= "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2008-01-13 17:02 63712]
    "CTHelper "= "CTHELPER.EXE" [2003-08-28 03:45 24576 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
    "Jet Detection "= "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2008-01-13 17:02 28672]
    "3ff743fa "= "C:\WINDOWS\system32\vpirrata.dll" [ ]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Picasa Media Detector "= "C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 21:17 443968]

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38 241664]
    HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36 53248]
    Exif Launcher.lnk - D:\Program Files\FinePixViewer\QuickDCF.exe [2005-08-28 23:43:24 200704]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccyyy]
    ddccyyy.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^Kevin Saunders^Start Menu^Programs^Startup^Axis & Allies Registration.lnk]
    path=C:\Documents and Settings\Kevin Saunders\Start Menu\Programs\Startup\Axis & Allies Registration.lnk
    backup=C:\WINDOWS\pss\Axis & Allies Registration.lnkStartup

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ATI Launchpad "= "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE "
    "LDM "=\Program\BackWeb-8876480.exe
    "RemoteCenter "=C:\Program Files\Creative\SBLive\RemoteCenter\Rc\RcMan.EXE
    "ScanSpyware v3.5 "= "C:\PROGRAM FILES\SCANSPYWARE V3.5\SCANNER.EXE "
    "SpySweeper "=C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    "Yahoo! Pager "=E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "CTHelper "=CTHELPER.EXE
    "ICServer "=C:\PROGRAM FILES\INTERCAST\COMPONENTS\ICSERVER.EXE
    "HydarVisionDesktopManager "=desk98.exe
    "ATIPTA "=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    "smapp "=C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    "Alogserv "=C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    "MCAgentExe "=C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
    "MCUpdateExe "=C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
    "MPFExe "=C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    "InCD "=C:\Program Files\ahead\InCD\InCD.exe
    "POINTER "=point32.exe
    "BJCFD "=C:\Program Files\BroadJump\Client Foundation\CFD.exe
    "SAClient "= "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
    "SAUpdate "= "C:\Program Files\Comcast\BBClient\Programs\SAUpdate.exe "
    "ComcastSUPPORT "=C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
    "ICSMGR "=ICSMGR.EXE
    "CriticalUpdate "=C:\WINDOWS\SYSTEM32\WUCRTUPD.EXE -startup
    "zBrowser Launcher "=C:\Program Files\Logitech\iTouch\iTouch.exe
    "Logitech Utility "=LOGI_MWX.EXE
    "MMTray "=C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    "DDCM "= "C:\PROGRAM FILES\WILDTANGENT\DDC\DDCMANAGER\DDCMan.exe" -Background
    "DDCActiveMenu "= "C:\PROGRAM FILES\WILDTANGENT\DDC\ACTIVEMENU\DDCACTIVEMENU.EXE" -boot
    "Jet Detection "= "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe "
    "DealHelperUpdate "=C:\WINDOWS\DHUpdt.exe
    "DealHelperBrwsr "=C:\WINDOWS\dhbrwsr.exe
    "messview "=C:\PROGRA~1\DARTMA~1\HoldPingWeb.exe
    "NewsUpd "=C:\Program Files\Creative\News\NewsUpd.EXE /q
    "Disc Detector "=C:\Program Files\Creative\ShareDLL\CtNotify.exe
    "GPL WIPE JUMP BURN "=C:\Documents and Settings\Philip Saunders\Application Data\The Window Gpl Wipe\Joy loud.exe
    "PCDRealtime "=C:\WINDOWS\realtime.exe
    "TaskMonitor "=C:\WINDOWS\taskmon.exe
    "bpcpost.exe "=C:\WINDOWS\SYSTEM\bpcpost.exe
    "LoadPowerProfile "=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    "LifeScape Media Detector "=C:\Program Files\Picasa\PicasaMediaDetector.exe
    "REGSHAVE "=C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    "IntelliType "= "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe "
    "projselector "= "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
    "RoxioEngineUtility "= "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe "
    "RoxioDragToDisc "= "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe "
    "RoxioAudioCentral "= "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe "
    "ScanRegistry "=C:\WINDOWS\scanregw.exe /autorun
    "StillImageMonitor "=C:\WINDOWS\SYSTEM32\STIMON.EXE
    "HP Software Update "=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    "HP Component Manager "= "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    "mdac_runonce "=C:\WINDOWS\SYSTEM32\RUNONCE.EXE
    "Picasa Media Detector "=C:\Program Files\Picasa2\PicasaMediaDetector.exe
    "AVG7_CC "=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    "AVG7_AMSVR "=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
    "ATISmart "=C:\WINDOWS\SYSTEM32\ati2s9ag.exe
    "TVWakeup "=C:\Progra~1\TVView~1\tvwakeup.exe
    "SchedulingAgent "=mstask.exe
    "VidSvr "=
    "Announcements "=C:\Program Files\TV Viewer\annclist.exe
    "McAfeeVirusScanService "=C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    "ATIPOLL "=ati2evxx.exe
    "LoadPowerProfile "=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    "KB891711 "=C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001
    "UpdatesDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "D:\\Westwood\\Renegade\\Game.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=

    R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2005-09-11 09:48]
    R2 Viewpoint Manager Service;Viewpoint Manager Service; "C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
    R3 Astdi;Astdi;C:\Program Files\Aventail\Connect\asnttdi.sys [2003-12-07 18:15]
    S3 Ascrypto;Ascrypto;C:\Program Files\Aventail\Connect\ascrypto.sys [2003-12-07 18:15]
    S3 ASUSHWIO;ASUSHWIO;C:\WINDOWS\system32\drivers\ASUSHWIO.sys []


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}]
    rundll32.exeadvpack.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
    C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-08 12:06:18
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-03-08 12:07:17
    ComboFix-quarantined-files.txt 2008-03-08 17:07:14
    ComboFix2.txt 2008-03-06 21:36:32
    .
    2008-02-15 19:40:00 --- E O F ---
     
  9. 2008/03/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    No need to bother with confirming which flavor of 98, Bill. I just wanted to know if the machine was an upgrade from a 9x system so that the related entries I see have an explanation for existing. ;)

    Looks like some of the registry fix in the last run was unsuccessful, so let's give it another shot. Make sure to disable McAfee's realtime protection first so as not to interfere. Check this link for specific instructions if needed.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F6865AB-D5EE-42B7-A290-23DF1F4626CD}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "3ff743fa"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccyyy]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ScanSpyware v3.5"=-
    Driver::
    SVKP
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  10. 2008/03/08
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    Here's the new ComboFix log:

    ComboFix 08-03-07.4 - Kevin Saunders 2008-03-08 14:34:50.3 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.359 [GMT -5:00]
    Running from: C:\Documents and Settings\Kevin Saunders\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Kevin Saunders\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
    .

    2008-03-05 19:36 . 2008-03-05 19:36 <DIR> d-------- C:\HJT
    2008-03-04 22:44 . 2008-03-04 22:44 <DIR> d-------- C:\Program Files\SpywareBlaster
    2008-03-04 20:34 . 2008-03-04 20:34 <DIR> d-------- C:\Documents and Settings\Kevin Saunders\Application Data\Grisoft
    2008-03-04 20:34 . 2008-03-04 20:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
    2008-03-04 20:34 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
    2008-03-04 18:36 . 2008-03-04 18:36 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-03-04 18:30 . 2008-03-04 18:30 <DIR> d-------- C:\tmp
    2008-02-24 13:41 . 2008-02-24 13:41 <DIR> d--hs---- C:\FOUND.035
    2008-02-22 17:10 . 2008-02-22 17:10 <DIR> d--hs---- C:\FOUND.034

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-06 14:51 171,400 ----a-w C:\WINDOWS\system32\drivers\mfehidk.sys
    2008-01-27 17:25 --------- d-----w C:\Program Files\Support Tools
    2008-01-13 22:02 90,112 ----a-w C:\WINDOWS\UpdReg.EXE
    2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pngfilt.dll
    2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtmsft.dll
    2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mrxdav.sys
    2007-12-08 05:21 3,592,192 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
    2004-05-16 16:54 266 --sh--w C:\Program Files\desktop.ini
    2004-05-16 16:54 11,079 ---h--w C:\Program Files\folder.htt
    2005-10-12 01:01 8 --sh--w C:\WINDOWS\All Users\DRM\pdrm.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F6865AB-D5EE-42B7-A290-23DF1F4626CD}]
    C:\WINDOWS\system32\pmkhh.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
    @={7D688A77-C613-11D0-999B-00C04FD655E1}

    [HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
    2007-10-25 22:34 8460288 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PhotoShow Deluxe Media Manager "= "C:\DOCUME~1\KEVINS~1\MYDOCU~1\COMCAS~1\data\xtras\MS01A0~2.EXE" [ ]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2008-01-04 11:32 1694208]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:56 15360]
    "RegistryCleanFixMFC "= "E:\Program Files\RegistryCleaner\RegistryCleaner.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SystemTray "= "SysTray.Exe" [2001-08-23 12:00 3072 C:\WINDOWS\SYSTEM32\systray.exe]
    "HP Component Manager "= "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [ ]
    "REGSHAVE "= "C:\Program Files\REGSHAVE\REGSHAVE.exe" [2008-01-13 17:02 53248]
    "RoxioEngineUtility "= "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2008-01-13 17:02 65536]
    "RoxioDragToDisc "= "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2008-01-13 17:02 868352]
    "RoxioAudioCentral "= "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2008-01-13 17:02 319488]
    "ATIPTA "= "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-13 17:02 335872]
    "Adobe Photo Downloader "= "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2008-01-13 17:02 63712]
    "CTHelper "= "CTHELPER.EXE" [2003-08-28 03:45 24576 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
    "Jet Detection "= "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2008-01-13 17:02 28672]
    "3ff743fa "= "C:\WINDOWS\system32\vpirrata.dll" [ ]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
    "combofix "= "C:\WINDOWS\system32\CF27985.exe" [2004-08-04 04:56 388608]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Picasa Media Detector "= "C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 21:17 443968]

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38 241664]
    HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36 53248]
    Exif Launcher.lnk - D:\Program Files\FinePixViewer\QuickDCF.exe [2005-08-28 23:43:24 200704]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccyyy]
    ddccyyy.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^Kevin Saunders^Start Menu^Programs^Startup^Axis & Allies Registration.lnk]
    path=C:\Documents and Settings\Kevin Saunders\Start Menu\Programs\Startup\Axis & Allies Registration.lnk
    backup=C:\WINDOWS\pss\Axis & Allies Registration.lnkStartup

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ATI Launchpad "= "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE "
    "LDM "=\Program\BackWeb-8876480.exe
    "RemoteCenter "=C:\Program Files\Creative\SBLive\RemoteCenter\Rc\RcMan.EXE
    "ScanSpyware v3.5 "= "C:\PROGRAM FILES\SCANSPYWARE V3.5\SCANNER.EXE "
    "SpySweeper "=C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    "Yahoo! Pager "=E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "CTHelper "=CTHELPER.EXE
    "ICServer "=C:\PROGRAM FILES\INTERCAST\COMPONENTS\ICSERVER.EXE
    "HydarVisionDesktopManager "=desk98.exe
    "ATIPTA "=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    "smapp "=C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    "Alogserv "=C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    "MCAgentExe "=C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
    "MCUpdateExe "=C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
    "MPFExe "=C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    "InCD "=C:\Program Files\ahead\InCD\InCD.exe
    "POINTER "=point32.exe
    "BJCFD "=C:\Program Files\BroadJump\Client Foundation\CFD.exe
    "SAClient "= "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
    "SAUpdate "= "C:\Program Files\Comcast\BBClient\Programs\SAUpdate.exe "
    "ComcastSUPPORT "=C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
    "ICSMGR "=ICSMGR.EXE
    "CriticalUpdate "=C:\WINDOWS\SYSTEM32\WUCRTUPD.EXE -startup
    "zBrowser Launcher "=C:\Program Files\Logitech\iTouch\iTouch.exe
    "Logitech Utility "=LOGI_MWX.EXE
    "MMTray "=C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    "DDCM "= "C:\PROGRAM FILES\WILDTANGENT\DDC\DDCMANAGER\DDCMan.exe" -Background
    "DDCActiveMenu "= "C:\PROGRAM FILES\WILDTANGENT\DDC\ACTIVEMENU\DDCACTIVEMENU.EXE" -boot
    "Jet Detection "= "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe "
    "DealHelperUpdate "=C:\WINDOWS\DHUpdt.exe
    "DealHelperBrwsr "=C:\WINDOWS\dhbrwsr.exe
    "messview "=C:\PROGRA~1\DARTMA~1\HoldPingWeb.exe
    "NewsUpd "=C:\Program Files\Creative\News\NewsUpd.EXE /q
    "Disc Detector "=C:\Program Files\Creative\ShareDLL\CtNotify.exe
    "GPL WIPE JUMP BURN "=C:\Documents and Settings\Philip Saunders\Application Data\The Window Gpl Wipe\Joy loud.exe
    "PCDRealtime "=C:\WINDOWS\realtime.exe
    "TaskMonitor "=C:\WINDOWS\taskmon.exe
    "bpcpost.exe "=C:\WINDOWS\SYSTEM\bpcpost.exe
    "LoadPowerProfile "=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    "LifeScape Media Detector "=C:\Program Files\Picasa\PicasaMediaDetector.exe
    "REGSHAVE "=C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    "IntelliType "= "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe "
    "projselector "= "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
    "RoxioEngineUtility "= "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe "
    "RoxioDragToDisc "= "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe "
    "RoxioAudioCentral "= "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe "
    "ScanRegistry "=C:\WINDOWS\scanregw.exe /autorun
    "StillImageMonitor "=C:\WINDOWS\SYSTEM32\STIMON.EXE
    "HP Software Update "=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    "HP Component Manager "= "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    "mdac_runonce "=C:\WINDOWS\SYSTEM32\RUNONCE.EXE
    "Picasa Media Detector "=C:\Program Files\Picasa2\PicasaMediaDetector.exe
    "AVG7_CC "=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    "AVG7_AMSVR "=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
    "ATISmart "=C:\WINDOWS\SYSTEM32\ati2s9ag.exe
    "TVWakeup "=C:\Progra~1\TVView~1\tvwakeup.exe
    "SchedulingAgent "=mstask.exe
    "VidSvr "=
    "Announcements "=C:\Program Files\TV Viewer\annclist.exe
    "McAfeeVirusScanService "=C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    "ATIPOLL "=ati2evxx.exe
    "LoadPowerProfile "=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    "KB891711 "=C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001
    "UpdatesDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "D:\\Westwood\\Renegade\\Game.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=

    R2 Viewpoint Manager Service;Viewpoint Manager Service; "C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
    R3 Astdi;Astdi;C:\Program Files\Aventail\Connect\asnttdi.sys [2003-12-07 18:15]
    S3 Ascrypto;Ascrypto;C:\Program Files\Aventail\Connect\ascrypto.sys [2003-12-07 18:15]
    S3 ASUSHWIO;ASUSHWIO;C:\WINDOWS\system32\drivers\ASUSHWIO.sys []


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}]
    rundll32.exeadvpack.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
    C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-08 14:41:03
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Aventail\Connect\as32svc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Analog Devices\SoundMAX\smagent.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\imapi.exe
    .
    **************************************************************************
    .
    Completion time: 2008-03-08 14:42:29 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-03-08 19:42:26
    ComboFix3.txt 2008-03-06 21:36:32
    ComboFix2.txt 2008-03-08 17:07:20
    .
    2008-02-15 19:40:00 --- E O F ---
     
  11. 2008/03/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Bill, please open Spybot and go to the Advanced mode, then disable SDHelper. Run the same script as in my last post but this time do just the Registry:: section and leave off the Driver:: section.
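    As an added illustration of what the CFScript in post 9 (and its Registry::-only rerun requested above) is doing, here is a small Python triage helper. It is written for this page, not taken from the thread or from ComboFix: it reads a block laid out like ComboFix's "Reg Loading Points" section, flags the kinds of entries the script targets (Run values with no file metadata recorded, Winlogon Notify DLLs loaded by bare name, BHO DLLs sitting directly in system32, Security Center notification switches) and renders the reviewable ones in the CFScript form used in this thread, where `[-key]` deletes a whole key and `"name"=-` under `[key]` deletes one value. The sample log is constructed from entries in the posted log, the `Finding` class and the heuristics are this example's own, and reading an empty `[ ]` as "ComboFix found no timestamp or size for the file" is an assumption. The draft it prints still needs a human pass: in the sample, the HP Component Manager value is flagged exactly like the vpirrata.dll one, and the thread's script removes only the latter.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample in the layout of ComboFix's "Reg Loading Points" section.
# Entries are copied from the log posted in this thread, trimmed, with the stray
# spaces the forum export put inside the quotes removed.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F6865AB-D5EE-42B7-A290-23DF1F4626CD}]
C:\WINDOWS\system32\pmkhh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [ ]
"3ff743fa"="C:\WINDOWS\system32\vpirrata.dll" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccyyy]
ddccyyy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# Tolerates the forum export's `"name "= "value"` spacing as well as clean `"name"="value"`.
VALUE_RE = re.compile(r'^"(?P<name>[^"]*?)\s*"\s*=\s*(?P<rest>.*)$')
# ComboFix appends "[timestamp size]" after a file value; "[ ]" is assumed to mean it found nothing.
FILE_META_RE = re.compile(r'\[(?P<meta>[^\]]*)\]\s*$')


@dataclass
class Finding:
    severity: str        # "review" (candidate for the CFScript) or "info"
    key: str
    name: Optional[str]  # value name, or None when the whole key is the finding
    reason: str


def parse_entries(text: str) -> Iterator[Tuple[str, Optional[str], str, Optional[str]]]:
    """Yield (key, value_name, data, file_meta); value_name is None for bare path lines."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if not m:
            yield key, None, line, None   # bare DLL/EXE path listed under the key
            continue
        name, rest = m.group("name"), m.group("rest").strip()
        meta = None
        fm = FILE_META_RE.search(rest)
        if fm:
            meta = fm.group("meta").strip()
            rest = rest[:fm.start()].strip()
        yield key, name, rest.strip('"').strip(), meta


def triage(text: str) -> List[Finding]:
    """Apply the heuristics behind this thread's cleanup to a Reg Loading Points block."""
    found: List[Finding] = []
    for key, name, data, meta in parse_entries(text):
        lkey = key.lower()
        if lkey.endswith("\\run") and name is not None and meta == "":
            found.append(Finding("review", key, name,
                                 "Run value whose target has no timestamp/size in the log (file missing?)"))
        elif "\\winlogon\\notify\\" in lkey and name is None:
            found.append(Finding("review", key, None,
                                 "Winlogon Notify package loading %s by bare filename" % data))
        elif "browser helper objects" in lkey and name is None and "\\system32\\" in data.lower():
            found.append(Finding("review", key, None, "BHO DLL %s sits directly in system32" % data))
        elif ("security center" in lkey and name and name.lower().endswith("disablenotify")
              and data.lower() == "dword:00000001"):
            found.append(Finding("info", key, name, "Security Center alert for this component is disabled"))
    return found


def to_cfscript(findings: List[Finding]) -> str:
    """Render review-level findings as a CFScript Registry:: section (draft for human review)."""
    by_key: Dict[str, List[Optional[str]]] = {}
    for f in findings:
        if f.severity == "review":
            by_key.setdefault(f.key, []).append(f.name)
    lines = ["Registry::"]
    for key, names in by_key.items():
        if None in names:
            lines.append("[-%s]" % key)            # delete the whole key
        else:
            lines.append("[%s]" % key)
            lines.extend('"%s"=-' % n for n in names)   # delete single values
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print("%-6s %s :: %s -- %s" % (f.severity, f.key, f.name or "(key)", f.reason))
    print()
    print(to_cfscript(results))   # prune benign leftovers before using this
```

    Run it as a plain script to see the findings and the draft Registry:: block; `to_cfscript` deliberately leaves the "info" findings out, since the Security Center values are evidence to keep in mind, not something a removal script should touch blindly.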
     
  12. 2008/03/09
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    Hi Dave,

    I reran the script after disabling SDHelper. I'm attaching the new Combofix log.
     
  13. 2008/03/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I don't see any log. :confused: :confused:
     
  14. 2008/03/09
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    The file is too big to attach, so I've zipped it.
     

    Attached Files:

  15. 2008/03/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Wow! The snapshot section was huge, which indicates you may have applied some updates.

    Looks as though it was successful this time. :)

    Let's see if we've missed anything. Please do an online scan with Kaspersky WebScanner.

    You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded, click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        Extended (if available, otherwise Standard)
      • Scan Options:
        Scan Archives
        Scan Mail Bases
    • Click OK.
    • Now under Select a target to scan:
      • Select My Computer.
    • The program will start and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button.
    • Save the file to your desktop.

    Post the Kaspersky log and one more fresh HijackThis log.
     
  16. 2008/03/09
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    Hi Dave,

    Here are the logs:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:11:46 PM, on 3/9/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Aventail\Connect\as32svc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Analog Devices\SoundMAX\smagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    D:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\WINDOWS\explorer.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe "
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe "
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe "
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\DOCUME~1\KEVINS~1\MYDOCU~1\COMCAS~1\data\xtras\MS01A0~2.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [RegistryCleanFixMFC] E:\Program Files\RegistryCleaner\RegistryCleaner.exe
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: ComcastHSI - {9E3EBCA0-4B78-11D8-A19F-000C6EAF3F80} - http://www.comcast.net (file missing) (HKCU)
    O9 - Extra button: Help - {9E3EBCA1-4B78-11D8-A19F-000C6EAF3F80} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
    O9 - Extra button: Support - {9E3EBCA2-4B78-11D8-A19F-000C6EAF3F80} - http://www.comcastsupport.com (file missing) (HKCU)
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/NBCUniversal_1_0_0_3.cab
    O23 - Service: Aventail Connect (As32Svc) - Aventail Corporation - C:\Program Files\Aventail\Connect\as32svc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\smagent.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O24 - Desktop Component 0: (no name) - file:///C:/My%20Documents/My%20Pictures/philip4.jpg

    --
    End of file - 9045 bytes


    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Sunday, March 09, 2008 11:10:51 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 10/03/2008
    Kaspersky Anti-Virus database records: 620850
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    J:\

    Scan Statistics:
    Total number of scanned objects: 60087
    Number of viruses found: 6
    Number of infected objects: 43
    Number of suspicious objects: 0
    Duration of the scan process: 00:51:23

    Infected Object Name / Virus Name / Last Action
    C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
    C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\SYSTEM32\CatRoot2\edbtmp.log Object is locked skipped
    C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\TEMP\mcmsc_n4EkPE2JTvVMw1k Object is locked skipped
    C:\WINDOWS\TEMP\mcafee_5w3k4CJnhTNa9Xx Object is locked skipped
    C:\WINDOWS\TEMP\mcafee_82vsqA7j6Pbd6Xq Object is locked skipped
    C:\WINDOWS\TEMP\mcmsc_F8eXHKvilgqHhIr Object is locked skipped
    C:\WINDOWS\TEMP\mcmsc_TiexDBwNMxlfAkH Object is locked skipped
    C:\WINDOWS\TEMP\mcmsc_tZEpsYgqzROpdnt Object is locked skipped
    C:\WINDOWS\TEMP\mcafee_dsavB7xa6XzRgUg Object is locked skipped
    C:\WINDOWS\SchedLog.Txt Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\WINDOWS\{00000000-00000000-0000000C-00001102-00000002-80661102}.CDF Object is locked skipped
    C:\Program Files\Aventail\Connect\aslog.lgf Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{CEDE3653-B5D6-41A6-8ADF-AB7DAC0EC919}.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR2.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\logout.edb Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini.inuse Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Temp\hpodvd09.log Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Local Settings\Temp\~DF7D0.tmp Object is locked skipped
    C:\Documents and Settings\Kevin Saunders\Cookies\index.dat Object is locked skipped
    C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP429\A0441624.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
    C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP429\A0441631.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
    C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP429\A0441655.DLL Infected: Virus.Win32.Trats.d skipped
    C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP429\A0441659.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP432\A0441720.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP432\A0441721.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP432\A0441722.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP432\A0441723.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP432\A0441724.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP432\A0441725.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP432\A0441726.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP432\A0441727.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP432\A0441728.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP432\A0441729.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP432\A0441730.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP432\A0441731.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP432\A0441732.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP432\A0441733.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bce skipped
    C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP432\A0441734.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP432\A0441735.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP432\A0441736.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP432\A0441737.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP433\A0441842.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.auj skipped
    C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP435\change.log Object is locked skipped
    C:\FOUND.035\FILE0001.CHK Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\aodbakyl.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\batbnsff.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cjeafwrx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\enouicpl.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gphdnteh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gykyymhm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hkffygeh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hkmaaxrm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hsahswjt.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jflwnhry.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lgkhkwpx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lkcqljrr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qwjidvqb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qxjpkqbh.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bce skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\uphwblvr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\uyfddqmg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xrymfirw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yercnlac.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qbjpwwdf.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.auj skipped
    D:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP435\change.log Object is locked skipped
    E:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP435\change.log Object is locked skipped
    F:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP435\change.log Object is locked skipped
    G:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP435\change.log Object is locked skipped

    Scan process completed.
     
  17. 2008/03/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Great! Here's the log stripped down.

    ===== Infected Objects =====

    "C:\FOUND.035\FILE0001.CHK "

    ===== Details =====

    Number of items = 43

    C:\FOUND.035\FILE0001.CHK --> Win32.Virtumonde.gen
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\aodbakyl.dll.vir --> Win32.Virtumonde.gen
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\batbnsff.dll.vir --> Win32.Virtumonde.gen
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cjeafwrx.dll.vir --> Win32.Virtumonde.gen
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\enouicpl.dll.vir --> Win32.Virtumonde.gen
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gphdnteh.dll.vir --> Win32.Virtumonde.gen
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gykyymhm.dll.vir --> Win32.Virtumonde.gen
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hkffygeh.dll.vir --> Win32.Virtumonde.gen
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hkmaaxrm.dll.vir --> Win32.Virtumonde.gen
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hsahswjt.dll.vir --> Win32.Virtumonde.gen
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jflwnhry.dll.vir --> Win32.Virtumonde.gen
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lgkhkwpx.dll.vir --> Win32.Virtumonde.gen
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lkcqljrr.dll.vir --> Win32.Virtumonde.gen
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qwjidvqb.dll.vir --> Win32.Virtumonde.gen
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qxjpkqbh.dll.vir --> Win32.SuperJuan.bce
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\uphwblvr.dll.vir --> Win32.Virtumonde.gen
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\uyfddqmg.dll.vir --> Win32.Virtumonde.gen
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xrymfirw.dll.vir --> Win32.Virtumonde.gen
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yercnlac.dll.vir --> Win32.Virtumonde.gen
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qbjpwwdf.dll.vir --> Win32.SuperJuan.auj

    ===== System Restore's cache: =====

    Number of items = 23
    Client-IRC.Win32.mIRC.616
    Client-IRC.Win32.mIRC.617
    Virus.Win32.Trats.d
    Win32.SuperJuan.auj
    Win32.SuperJuan.bce
    Win32.Virtumonde.gen


    Let's finish up. Delete C:\FOUND.035 and C:\FOUND.034

    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing the infected files there as well. The C:\Deckard's folder will also be removed. You can delete any logs that were created/saved too.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to work without autorun (preferred), or how to reset it.


    Finally, download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.
    Reboot


    How's the machine behaving now?
     
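The hand-stripping noahdfear did above (dropping the "Object is locked skipped" noise, listing the detections, and separating what sits in the System Restore cache), as an added Python example that is not part of the thread or of any tool it mentions; the SAMPLE_LOG is a constructed handful of lines copied from the posted Kaspersky scan report.

```python
"""Triage a Kaspersky Online Scanner report the way the helper did by hand.
Added example, not from the thread: drop the 'Object is locked skipped' noise,
list detections still live on disk, set aside what ComboFix already quarantined
under QooBox, and summarise the System Restore cache that ComboFix /u resets.
SAMPLE_LOG is a constructed subset of lines copied from the posted report."""
import re
from collections import Counter

SAMPLE_LOG = r"""
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP429\A0441655.DLL Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{FB8D8A9A-F030-4A51-ABBD-B4038D17E103}\RP432\A0441720.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\FOUND.035\FILE0001.CHK Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qxjpkqbh.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bce skipped
"""

# Result lines look like "<path> Infected: <detection> skipped" or
# "<path> Object is locked skipped"; paths contain spaces, so match them lazily.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
RESTORE_RE = re.compile(r"^[A-Z]:\\System Volume Information\\", re.IGNORECASE)

def parse_report(text):
    """Split result lines into infected (path, name) pairs, locked paths and leftovers."""
    infected, locked, other = [], [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := INFECTED_RE.match(line):
            infected.append((m["path"], m["name"]))
        elif m := LOCKED_RE.match(line):
            locked.append(m["path"])
        else:
            other.append(line)  # surface anything unrecognised rather than dropping it
    return infected, locked, other

def in_restore_cache(path):  # inside a System Restore point on any drive letter
    return RESTORE_RE.match(path) is not None

def in_quarantine(path):  # already moved by ComboFix to <drive>:\QooBox\Quarantine
    return "\\qoobox\\quarantine\\" in path.lower()

def triage(text):
    """Bucket detections by where they sit, which decides what action is still needed."""
    infected, locked, other = parse_report(text)
    return {
        "locked_dropped": len(locked),
        "live": [(p, n) for p, n in infected if not in_restore_cache(p) and not in_quarantine(p)],
        "quarantined": [(p, n) for p, n in infected if in_quarantine(p)],
        "restore_cache": Counter(n for p, n in infected if in_restore_cache(p)),
        "unparsed": other,
    }

def format_summary(result):  # sectioned output in the style of the stripped-down log
    out = [f"Dropped {result['locked_dropped']} locked/skipped system files",
           "", "===== Still on disk, needs action ====="]
    out += [f"{p} --> {n}" for p, n in result["live"]] or ["(none)"]
    out += ["", "===== Already quarantined by ComboFix ====="]
    out += [f"{p} --> {n}" for p, n in result["quarantined"]] or ["(none)"]
    out += ["", "===== System Restore cache (cleared by ComboFix /u) ====="]
    out += [f"{c} x {n}" for n, c in sorted(result["restore_cache"].items())]
    return "\n".join(out)

if __name__ == "__main__":
    print(format_summary(triage(SAMPLE_LOG)))
```

Only the "Still on disk" bucket needs a manual step (here, the C:\FOUND.035 folder the helper asked to delete); the other two buckets are handled by the ComboFix /u step already in the thread.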
  18. 2008/03/10
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    Hi Dave,

    The machine is a lot better now, error message during boot is gone, cmd pop-ups are gone, no pop-ups while surfing either. There were a bunch of those Found.xxx folders, is it safe to delete the rest of them as well?

    The only problem remaining that I can see is the red 'X' by the C drive in My Computer and Explorer, not sure what that's from.
     
  19. 2008/03/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Yes, it's safe to delete those found.xxx folders.

    The red X is usually caused by someone/something attempting to customise the icon. The following registry fix will remove the non-default key where the customization takes place, allowing the default icon to be restored.

    Highlight and copy the contents of the code box below to a blank notepad. Save it to the desktop as;

    Filename: fix.reg
    Save as type: All Files (*.*)

    Code:
    REGEDIT4
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons]
    
    Double click fix.reg and allow it to merge with the registry. If the icon is still present when you open My Computer, restart the computer.
     
  20. 2008/03/11
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    Hi Dave,

    That did the trick, I think all is well with it now. I'm going to return it tonight and tell him to let me know if there are any other problems.

    Thanks very much for the help, I appreciate it.
     
  21. 2008/03/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Glad to hear it Bill. Happy to help! :)
     
