
Numerous Viruses - keep loading aft


Name: CaretaD
Date: August 19, 2006 at 06:35:10 Pacific
OS: windows XP
CPU/Ram: ??
Product: HP Pavilion
Comment:

I have numerous viruses (Qoolaid, DefenderTrojan, and pop-up ad programs), that McAfee is not able to get rid of -- I used the Hijack program and have a log of the programs.

Chris




Response Number 1
Name: jabuck
Date: August 19, 2006 at 11:00:25 Pacific
Reply:

Please post your Hijack This log.



Response Number 2
Name: CaretaD
Date: August 19, 2006 at 18:44:17 Pacific
Reply:

Logfile of HijackThis v1.99.1
Scan saved at 7:38:19 AM, on 8/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\IA\command.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svsnt.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\mlsdf8hjotzflryfm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\cvn0.exe
C:\WINDOWS\system32\n9nyb.exe
C:\dfndrff_11a.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\nwnmff_11.exe
C:\WINDOWS\system32\ghynf.exe
C:\kybrdff_11a.exe
C:\WINDOWS\yrvszeiA.exe
C:\WINDOWS\sys09482739779.exe
C:\WINDOWS\Duce6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PSLister\PSLister.exe
C:\Program Files\Sierra\Planner\Plnrnote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\System32\svchost.exe
C:\Program Files\adwarealert\AdwareAlert.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\HP\KBD\KBD.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\ALCXMNTR.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: SearchHelper - {B6A5B638-6025-4C2C-A899-867B416453D2} - C:\Program Files\SearchHelper\SearchHelper.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll (file missing)
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [defender] C:\\dfndrff_11a.exe
O4 - HKLM\..\Run: [rcrfcca1] RUNDLL32.exe w9be8644.dll,n 002fcc9f000000039be8644
O4 - HKLM\..\Run: [newname] C:\\nwnmff_11.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_11a.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [yrvszeiA] C:\WINDOWS\yrvszeiA.exe
O4 - HKLM\..\Run: [sys09482739779] C:\WINDOWS\sys09482739779.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [adwarealert] C:\Program Files\adwarealert\AdwareAlert.exe -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = ?
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGremind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123954833640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\l0r0la9m1d.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Print Spooler Service (SpoolSvc212) - Unknown owner - C:\WINDOWS\system32\mlsdf8hjotzflryfm.exe
O23 - Service: System Internal AntiVirus (SVSAV) - Unknown owner - C:\WINDOWS\system32\svsnt.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\yrvszei.exe

Chris


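Reading a HijackThis log by hand comes down to a few recurring tells, and the following is an added example (not part of this thread, of HijackThis or of ComboFix) that applies them to a constructed excerpt of the log above. The function and class names are the example's own.

```python
"""Triage helper for HijackThis v1.99.1 log lines (added example for this
thread, not part of HijackThis, ComboFix or the posts).  It parses O4 (Run
keys), O20 (Winlogon Notify) and O23 (Service) lines and applies the checks a
log reader makes by hand: a binary sitting directly in the drive root or the
Windows folder, a service with an unresolved owner, and a machine-looking name.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_11a.exe
O4 - HKLM\..\Run: [rcrfcca1] RUNDLL32.exe w9be8644.dll,n 002fcc9f000000039be8644
O4 - HKLM\..\Run: [sys09482739779] C:\WINDOWS\sys09482739779.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\dnl8013ue.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: Print Spooler Service (SpoolSvc212) - Unknown owner - C:\WINDOWS\system32\mlsdf8hjotzflryfm.exe
O23 - Service: System Internal AntiVirus (SVSAV) - Unknown owner - C:\WINDOWS\system32\svsnt.exe
"""

RUN_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<rest>.*)$")
DRIVE_PATH_RE = re.compile(r"^([A-Za-z]:\\.*?\.(?:exe|dll|scr|com))", re.IGNORECASE)


@dataclass
class Finding:
    kind: str                      # "O4", "O20" or "O23"
    name: str                      # Run value name, notify key or service name
    path: str                      # binary as written in the log
    reasons: list = field(default_factory=list)


def binary_from_command(cmd: str) -> str:
    """Pull the launched binary out of an O4 command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path, arguments follow
        return cmd[1:].split('"', 1)[0]
    tokens = cmd.split()
    if len(tokens) > 1 and tokens[0].lower() == "rundll32.exe":
        return tokens[1].split(",", 1)[0]         # the DLL rundll32 loads is what matters
    m = DRIVE_PATH_RE.match(cmd)                  # unquoted path that may contain spaces
    return m.group(1) if m else (tokens[0] if tokens else "")


def looks_generated(name: str) -> bool:
    """Crude test for random-looking names: a run of 4+ digits, 3+ direct
    letter/digit alternations, or a long name almost without vowels."""
    if re.search(r"\d{4,}", name):
        return True
    switches = sum(1 for a, b in zip(name, name[1:])
                   if a.isalnum() and b.isalnum() and a.isalpha() != b.isalpha())
    if switches >= 3:
        return True
    letters = [c for c in name.lower() if c.isalpha()]
    vowels = sum(c in "aeiou" for c in letters)
    return len(name) >= 10 and bool(letters) and vowels / len(letters) < 0.15


def root_location(path: str) -> bool:
    """True when the binary sits directly in X:\\ or X:\\WINDOWS\\ (no subfolder)."""
    norm = re.sub(r"\\+", r"\\", path).lower()   # the log writes C:\\ for some entries
    if "\\" not in norm:
        return False
    parent = norm.rsplit("\\", 1)[0] + "\\"
    return re.fullmatch(r"[a-z]:\\(windows\\)?", parent) is not None


def triage(log_text: str) -> list:
    """Return one Finding per O4/O20/O23 line that trips at least one check."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            f = Finding("O4", m["name"], binary_from_command(m["cmd"]))
        elif m := NOTIFY_RE.match(line):
            f = Finding("O20", m["name"], m["path"].strip())
        elif m := SERVICE_RE.match(line):
            parts = m["rest"].split(" - ")        # display name - owner - path
            if len(parts) < 3:
                continue
            f = Finding("O23", " - ".join(parts[:-2]), parts[-1].strip())
            if parts[-2].strip() == "Unknown owner":
                f.reasons.append("owner unresolved")
        else:
            continue
        stem = f.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if root_location(f.path):
            f.reasons.append("launched from drive or Windows root")
        if looks_generated(f.name) or looks_generated(stem):
            f.reasons.append("machine-looking name")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.name:<38} {f.path:<48} {'; '.join(f.reasons)}")
```

Each flag is a prompt for a closer look rather than a verdict: legitimate software trips them too (the Adobe file-monitor service in the same log also reports "Unknown owner"), so the output is a reading order for the log, not a removal list.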

Response Number 3
Name: jabuck
Date: August 19, 2006 at 21:20:23 Pacific
Reply:

First of all, there is a mentally deranged individual emailing the people I am trying to help, telling them I am trying to blow up their computer, so if this happens to you please let us know and post their email address if possible. Or, probably easier, just delete the email and give them no attention.

You have several infections. First download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly should you need it:

http://metallica.geekstogo.com/xpcompressedexplanation.html

Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the "scriptfile to execute" window you will see a little icon that looks like a globe with a plug in it.

When you click that icon, a little window will open that says: "Please enter the full URL to the script you want to execute"
In the field, copy and paste the following URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script
(alcanshorty.bfu) manually from the above URL (right-click on it and choose "save as" and save it in your BFU folder). Then start BFU.exe again and click the browse button next to the "scriptfile to execute" window.
Browse to the script you downloaded and click OK and Execute in Brute Force Uninstaller.

Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

Post a new Hijack This log please, as there is much more work to do before the computer is clean.



Response Number 4
Name: CaretaD
Date: August 20, 2006 at 15:12:43 Pacific
Reply:

Thanks for your help -

Logfile of HijackThis v1.99.1
Scan saved at 3:33:46 PM, on 8/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svsnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\cvn0.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\WINDOWS\sys09482739779.exe
C:\WINDOWS\Duce6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PSLister\PSLister.exe
C:\Program Files\Sierra\Planner\Plnrnote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\n9nyb.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ghynf.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\adwarealert\AdwareAlert.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\HP\KBD\KBD.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\ALCXMNTR.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: SearchHelper - {B6A5B638-6025-4C2C-A899-867B416453D2} - C:\Program Files\SearchHelper\SearchHelper.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll (file missing)
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [defender] C:\\dfndrff_11a.exe
O4 - HKLM\..\Run: [rcrfcca1] RUNDLL32.exe w9be8644.dll,n 002fcc9f000000039be8644
O4 - HKLM\..\Run: [newname] C:\\nwnmff_11.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_11a.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [yrvszeiA] C:\WINDOWS\yrvszeiA.exe
O4 - HKLM\..\Run: [sys09482739779] C:\WINDOWS\sys09482739779.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [adwarealert] C:\Program Files\adwarealert\AdwareAlert.exe -boot
O4 - HKLM\..\Run: [spywarebot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = ?
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGremind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123954833640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\l0r0la9m1d.dll (file missing)
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\dnl8013ue.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Print Spooler Service (SpoolSvc212) - Unknown owner - C:\WINDOWS\system32\dior4f4ioukqw.exe
O23 - Service: System Internal AntiVirus (SVSAV) - Unknown owner - C:\WINDOWS\system32\svsnt.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\yrvszei.exe (file missing)

Chris



Response Number 5
Name: jabuck
Date: August 20, 2006 at 16:44:25 Pacific
Reply:

That helped some but has missed some items I had hoped would be removed.

Please download ComboFix to the Desktop from this link:

http://download.bleepingcomputer.com/sUBs/combofix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running; it may cause your system to hang.)

Please post the combofix.txt log and a new Hijack This log.





Response Number 6
Name: CaretaD
Date: August 20, 2006 at 19:10:53 Pacific
Reply:

HP_Owner - 06-08-20 19:50:38.37
ComboFix 06.08.18 - Running from: C:\Documents and Settings\HP_Owner\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{B585DF4C-6149-490A-ACF8-F04EAA7099DF}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{B585DF4C-6149-490A-ACF8-F04EAA7099DF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B585DF4C-6149-490A-ACF8-F04EAA7099DF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B585DF4C-6149-490A-ACF8-F04EAA7099DF}\InprocServer32]
@="C:\\WINDOWS\\system32\\uhpnpmgr.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{FD3AE240-4FC6-44F8-A30C-6C8E102BC2F1}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{FD3AE240-4FC6-44F8-A30C-6C8E102BC2F1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FD3AE240-4FC6-44F8-A30C-6C8E102BC2F1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FD3AE240-4FC6-44F8-A30C-6C8E102BC2F1}\InprocServer32]
@="C:\\WINDOWS\\system32\\wwhip6.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{D9D7ECE0-0034-4E5A-91BF-A5F8B3C92745}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D9D7ECE0-0034-4E5A-91BF-A5F8B3C92745}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D9D7ECE0-0034-4E5A-91BF-A5F8B3C92745}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D9D7ECE0-0034-4E5A-91BF-A5F8B3C92745}\InprocServer32]
@="C:\\WINDOWS\\system32\\MhPMSP.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{5F77D2AD-F150-450E-A88F-DD63E06AC440}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5F77D2AD-F150-450E-A88F-DD63E06AC440}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5F77D2AD-F150-450E-A88F-DD63E06AC440}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5F77D2AD-F150-450E-A88F-DD63E06AC440}\InprocServer32]
@="C:\\WINDOWS\\system32\\rrutils.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{209E2B40-3AB4-40BD-880B-D457A3A3B569}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{209E2B40-3AB4-40BD-880B-D457A3A3B569}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{209E2B40-3AB4-40BD-880B-D457A3A3B569}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{209E2B40-3AB4-40BD-880B-D457A3A3B569}\InprocServer32]
@="C:\\WINDOWS\\system32\\ssell32.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\system32\dnl8013ue.dll
C:\WINDOWS\system32\enrol1931.dll
C:\WINDOWS\system32\eutmgr.dll
C:\WINDOWS\system32\ir6ql5j51.dll
C:\WINDOWS\system32\j8j6li1s18.dll
C:\WINDOWS\system32\m046lahs1d46.dll
C:\WINDOWS\system32\mnvcp50.dll
C:\WINDOWS\system32\r8r6li9s18.dll
C:\WINDOWS\system32\rrutils.dll
C:\WINDOWS\system32\ssell32.dll


Granting sedebugprivilege to Administrators ... successful

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-08-20 17:03 234185 -r--s---- C:\WINDOWS\system32\ssell32.dll
2006-08-19 20:29 53 --a------ C:\WINDOWS\pwbqne.dat
2006-08-19 20:29 234185 -r--s---- C:\WINDOWS\system32\rrutils.dll
2006-08-19 08:12 234185 -r--s---- C:\WINDOWS\system32\eutmgr.dll
2006-08-17 22:55 234272 -r--s---- C:\WINDOWS\system32\mnvcp50.dll
2006-08-15 21:15 159744 --a------ C:\WINDOWS\system32\redist.dll
2006-08-14 04:00 45056 --a------ C:\WINDOWS\system32\ghynf.exe
2006-08-14 04:00 36864 --a------ C:\WINDOWS\system32\n9nyb.exe
2006-08-14 04:00 221184 --a------ C:\WINDOWS\system32\xeymi.dll
2006-08-09 12:44 40448 -r-hs---- C:\WINDOWS\system32\svsnt.exe
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll

* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-08-19 20:29 53 pwbqne.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\repairs303169590.dll
C:\Documents and Settings\HP_Owner\Application Data\Sskdmns.dll
C:\Documents and Settings\HP_Owner\Application Data\Sskknwrd.dll
C:\Documents and Settings\HP_Owner\Application Data\Sskuknwrd.dll
C:\Documents and Settings\Rachel\Application Data\Sskcwrd.dll
C:\Documents and Settings\Rachel\Application Data\Sskknwrd.dll
C:\Documents and Settings\Rachel\Application Data\Sskuknwrd.dll
C:\Program Files\surfsidekick 3\Ssk.exe
C:\Program Files\surfsidekick 3\SskBho.dll
C:\Program Files\surfsidekick 3\SskCore.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\Duce6.exe
C:\WINDOWS\teller2.chk
C:\warebundlenewer.exe
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\xeymi.dll
C:\Installer3.exe
C:\ucmoreiex.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Deskbar
C:\Program Files\ToolBar888
C:\Program Files\System Files
C:\Program Files\System Icons
C:\Program Files\Common Files\{1CC60643-0B75-1033-0509-050517200001}
C:\WINDOWS\IA
C:\WINDOWS\Duce6.exe
C:\WINDOWS\system32\xeymi.dll


((((((((((((((((((((((((((((((( Files Created from 2006-07-20 to 2006-08-20 ))))))))))))))))))))))))))))))))))

2006-08-20 15:30 28,672 C:\WINDOWS\system32\bez6n4r21.exe
2006-08-19 20:27 663,040 C:\WINDOWS\is-514IU.exe
2006-08-19 20:09 2,292 C:\regfile.pif
2006-08-19 07:51 89,088 C:\WINDOWS\system32\dior4f4ioukqw.exe
2006-08-19 07:47 89,088 C:\WINDOWS\system32\cjnr4r4zekbhm.exe
2006-08-19 07:33 89,088 C:\WINDOWS\system32\mlsdf8hjotzflryfm.exe
2006-08-19 07:27 48,190 C:\WINDOWS\RDFX4.exe
2006-08-19 07:26 89,088 C:\WINDOWS\system32\nlkfev7jpuz.exe
2006-08-18 22:35 89,088 C:\WINDOWS\system32\cjnr4r4kpulrx.exe
2006-08-18 20:52 910,336 C:\vx2cleaner.dll
2006-08-18 20:52 164,864 C:\UNWISE.exe
2006-08-18 20:08 89,088 C:\WINDOWS\system32\cjnr4r4qwbrxekr.exe
2006-08-18 06:42 88,576 C:\WINDOWS\system32\mlsdf8hbglr.exe
2006-08-18 03:10 88,576 C:\WINDOWS\system32\dior4f4iouahnv.exe
2006-08-18 02:58 88,576 C:\WINDOWS\system32\mlsdf8hkafms.exe
2006-08-17 22:55 88,576 C:\WINDOWS\system32\mlsdf8huzfkqwcjqx.exe
2006-08-17 20:37 88,576 C:\WINDOWS\system32\sklrr7ywchxdjqxe.exe
2006-08-17 20:28 88,576 C:\WINDOWS\system32\cjnr4r4wciyekqai.exe
2006-08-17 20:19 88,576 C:\WINDOWS\system32\nlkfev7hpuagmtzho.exe
2006-08-17 19:55 88,576 C:\WINDOWS\system32\cjnr4r4iotyelryfn.exe
2006-08-17 19:39 88,576 C:\WINDOWS\system32\nlkfev7aekq.exe
2006-08-17 19:35 820,224 C:\WINDOWS\is-PR0OM.exe
2006-08-17 19:35 78,488 C:\WINDOWS\system32\XMD5.dll
2006-08-17 19:34 101,888 C:\WINDOWS\system32\vb6stkit.dll
2006-08-17 19:29 106,496 C:\WINDOWS\Duce6.exe
2006-08-17 19:28 214,752 C:\Setup100.exe
2006-08-17 19:28 21,504 C:\WINDOWS\offun.exe
2006-08-17 19:28 186,223 C:\WINDOWS\srvyvwuzyl.exe
2006-08-17 19:27 88,576 C:\WINDOWS\system32\dior4f4ejpuagmtai.exe
2006-08-17 19:27 353,280 C:\803_104.exe
2006-08-15 21:38 88,576 C:\WINDOWS\system32\sklrr7ywbhxdj.exe
2006-08-15 21:15 159,744 C:\WINDOWS\system32\redist.dll
2006-08-15 21:15 126,464 C:\WINDOWS\system32\redistributor.exe
2006-08-15 21:14 27,648 C:\dist13.exe
2006-08-15 20:32 88,576 C:\WINDOWS\system32\nlkfev7tyeuaryf.exe
2006-08-15 19:53 88,576 C:\WINDOWS\system32\mlsdf8hsydj.exe
2006-08-15 07:52 30,208 C:\SS1001newer.exe
2006-08-15 07:51 88,576 C:\WINDOWS\system32\sklrr7youkpv.exe
2006-08-14 15:27 50,912 C:\WINDOWS\iconu.exe
2006-08-14 14:23 88,576 C:\WINDOWS\system32\mlsdf8hcindjqwd.exe
2006-08-14 05:04 61,952 C:\WINDOWS\system32\rcrfcca1.dll
2006-08-14 05:04 29,696 C:\WINDOWS\system32\w9be8644.dll
2006-08-14 05:04 1,167 C:\WINDOWS\system32\rcrfcca1.sys
2006-08-14 04:23 88,576 C:\WINDOWS\system32\dior4f4hnsipvbi.exe
2006-08-14 04:00 57,344 C:\fym9bvo.exe
2006-08-14 04:00 45,056 C:\WINDOWS\system32ghynf.exe
2006-08-14 04:00 45,056 C:\WINDOWS\system32\ghynf.exe
2006-08-14 04:00 36,864 C:\WINDOWS\system32n9nyb.exe
2006-08-14 04:00 36,864 C:\WINDOWS\system32\n9nyb.exe
2006-08-14 04:00 28,672 C:\WINDOWS\system32bez6n4r21.exe
2006-08-14 04:00 221,184 C:\WINDOWS\system32\xeymi.dll
2006-08-14 04:00 159,744 C:\WINDOWS\system32\cvn0.exe
2006-08-14 03:59 286 C:\WINDOWS\autoupdate.bat
2006-08-13 18:18 88,576 C:\WINDOWS\system32\nlkfev7sydtzfmta.exe
2006-08-13 18:18 88,576 C:\WINDOWS\system32\cjnr4r4jpukqw.exe
2006-08-13 16:21 88,576 C:\WINDOWS\system32\sklrr7yuzqvbhyfm.exe
2006-08-11 11:05 155,648 C:\WINDOWS\sys09482739779.exe
2006-08-10 16:58 87,552 C:\WINDOWS\system32\sklrr7yryekqxfmuc.exe
2006-08-10 16:58 83,968 C:\regedit.pif
2006-08-10 11:50 87,552 C:\WINDOWS\system32\sklrr7ychndjp.exe
2006-08-09 23:39 87,552 C:\WINDOWS\system32\sklrr7yflqgnszgn.exe
2006-08-09 21:02 87,552 C:\WINDOWS\system32\mlsdf8hotyzek.exe
2006-08-09 21:02 78,340 C:\ppt.com
2006-08-09 18:42 87,552 C:\WINDOWS\system32\cjnr4r4gmcio.exe
2006-08-09 18:40 87,552 C:\WINDOWS\system32\sklrr7yzejafm.exe
2006-08-09 12:46 87,552 C:\WINDOWS\system32\mlsdf8hioekp.exe
2006-08-09 12:46 87,552 C:\WINDOWS\system32\cjnr4r4zekahmt.exe
2006-08-09 12:45 87,552 C:\WINDOWS\system32\mlsdf8hrwbryekr.exe
2006-08-09 12:44 78,340 C:\svsnt.exe
2006-08-09 12:44 40,448 C:\WINDOWS\system32\svsnt.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-20 19:57 2292 --a------ C:\regfile.pif
2006-08-20 19:52 -------- d-------- C:\Program Files\Common Files
2006-08-20 19:49 1167 --a------ C:\WINDOWS\system32\rcrfcca1.sys
2006-08-20 17:14 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\Lavasoft
2006-08-20 16:11 -------- d-------- C:\Program Files\whInstall
2006-08-20 16:11 -------- d-------- C:\Program Files\webHancer
2006-08-20 15:30 28672 --a------ C:\WINDOWS\system32\bez6n4r21.exe
2006-08-20 15:25 45056 --a------ C:\WINDOWS\system32ghynf.exe
2006-08-20 15:25 36864 --a------ C:\WINDOWS\system32n9nyb.exe
2006-08-20 15:25 28672 --a------ C:\WINDOWS\system32bez6n4r21.exe
2006-08-19 20:28 -------- d-------- C:\Program Files\SpywareBot
2006-08-19 20:27 663040 --a------ C:\WINDOWS\is-514IU.exe
2006-08-19 07:51 89088 --a------ C:\WINDOWS\system32\dior4f4ioukqw.exe
2006-08-19 07:51 83968 --a------ C:\regedit.pif
2006-08-19 07:47 89088 --a------ C:\WINDOWS\system32\cjnr4r4zekbhm.exe
2006-08-19 07:33 89088 --a------ C:\WINDOWS\system32\mlsdf8hjotzflryfm.exe
2006-08-19 07:30 -------- d--h----- C:\Program Files\WindowsUpdate
2006-08-19 07:27 48190 --a------ C:\WINDOWS\RDFX4.exe
2006-08-19 07:26 89088 --a------ C:\WINDOWS\system32\nlkfev7jpuz.exe
2006-08-18 22:35 89088 --a------ C:\WINDOWS\system32\cjnr4r4kpulrx.exe
2006-08-18 20:56 -------- d-------- C:\Program Files\Lavasoft
2006-08-18 20:08 89088 --a------ C:\WINDOWS\system32\cjnr4r4qwbrxekr.exe
2006-08-18 06:42 88576 --a------ C:\WINDOWS\system32\mlsdf8hbglr.exe
2006-08-18 03:10 88576 --a------ C:\WINDOWS\system32\dior4f4iouahnv.exe
2006-08-18 02:58 88576 --a------ C:\WINDOWS\system32\mlsdf8hkafms.exe
2006-08-17 22:55 88576 --a------ C:\WINDOWS\system32\mlsdf8huzfkqwcjqx.exe
2006-08-17 22:50 -------- d-------- C:\Program Files\Common Files\immi
2006-08-17 20:37 88576 --a------ C:\WINDOWS\system32\sklrr7ywchxdjqxe.exe
2006-08-17 20:28 88576 --a------ C:\WINDOWS\system32\cjnr4r4wciyekqai.exe
2006-08-17 20:19 88576 --a------ C:\WINDOWS\system32\nlkfev7hpuagmtzho.exe
2006-08-17 20:13 -------- d-------- C:\Program Files\AdwareAlert
2006-08-17 19:55 88576 --a------ C:\WINDOWS\system32\cjnr4r4iotyelryfn.exe
2006-08-17 19:39 88576 --a------ C:\WINDOWS\system32\nlkfev7aekq.exe
2006-08-17 19:35 820224 --a------ C:\WINDOWS\is-PR0OM.exe
2006-08-17 19:29 106496 --a------ C:\WINDOWS\Duce6.exe
2006-08-17 19:29 -------- d-------- C:\Program Files\SearchHelper
2006-08-17 19:28 214752 --a------ C:\Setup100.exe
2006-08-17 19:28 186223 --a------ C:\WINDOWS\srvyvwuzyl.exe
2006-08-17 19:28 -------- d-------- C:\Program Files\PSLister
2006-08-17 19:27 88576 --a------ C:\WINDOWS\system32\dior4f4ejpuagmtai.exe
2006-08-17 19:27 353280 --a------ C:\803_104.exe
2006-08-15 21:38 88576 --a------ C:\WINDOWS\system32\sklrr7ywbhxdj.exe
2006-08-15 21:15 159744 --a------ C:\WINDOWS\system32\redist.dll
2006-08-15 21:15 126464 --a------ C:\WINDOWS\system32\redistributor.exe
2006-08-15 21:14 27648 --a------ C:\dist13.exe
2006-08-15 20:32 88576 --a------ C:\WINDOWS\system32\nlkfev7tyeuaryf.exe
2006-08-15 19:53 88576 --a------ C:\WINDOWS\system32\mlsdf8hsydj.exe
2006-08-15 19:10 -------- d-------- C:\Program Files\Internet Explorer
2006-08-15 07:52 30208 --a------ C:\SS1001newer.exe
2006-08-15 07:51 88576 --a------ C:\WINDOWS\system32\sklrr7youkpv.exe
2006-08-14 15:27 50912 --a------ C:\WINDOWS\iconu.exe
2006-08-14 14:23 88576 --a------ C:\WINDOWS\system32\mlsdf8hcindjqwd.exe
2006-08-14 05:04 61952 --a------ C:\WINDOWS\system32\rcrfcca1.dll
2006-08-14 05:04 29696 --a------ C:\WINDOWS\system32\w9be8644.dll
2006-08-14 04:23 88576 --a------ C:\WINDOWS\system32\dior4f4hnsipvbi.exe
2006-08-14 04:00 57344 --a------ C:\fym9bvo.exe
2006-08-14 04:00 45056 --a------ C:\WINDOWS\system32\ghynf.exe
2006-08-14 04:00 36864 --a------ C:\WINDOWS\system32\n9nyb.exe
2006-08-14 04:00 221184 --a------ C:\WINDOWS\system32\xeymi.dll
2006-08-13 18:18 88576 --a------ C:\WINDOWS\system32\nlkfev7sydtzfmta.exe
2006-08-13 18:18 88576 --a------ C:\WINDOWS\system32\cjnr4r4jpukqw.exe
2006-08-13 16:21 88576 --a------ C:\WINDOWS\system32\sklrr7yuzqvbhyfm.exe
2006-08-11 11:05 155648 --a------ C:\WINDOWS\sys09482739779.exe
2006-08-10 16:58 87552 --a------ C:\WINDOWS\system32\sklrr7yryekqxfmuc.exe
2006-08-10 11:50 87552 --a------ C:\WINDOWS\system32\sklrr7ychndjp.exe
2006-08-10 11:49 78340 --a------ C:\ppt.com
2006-08-09 23:39 87552 --a------ C:\WINDOWS\system32\sklrr7yflqgnszgn.exe
2006-08-09 21:02 87552 --a------ C:\WINDOWS\system32\mlsdf8hotyzek.exe
2006-08-09 18:42 87552 --a------ C:\WINDOWS\system32\cjnr4r4gmcio.exe
2006-08-09 18:42 78340 --a------ C:\svsnt.exe
2006-08-09 18:40 87552 --a------ C:\WINDOWS\system32\sklrr7yzejafm.exe
2006-08-09 12:46 87552 --a------ C:\WINDOWS\system32\mlsdf8hioekp.exe
2006-08-09 12:46 87552 --a------ C:\WINDOWS\system32\cjnr4r4zekahmt.exe
2006-08-09 12:45 87552 --a------ C:\WINDOWS\system32\mlsdf8hrwbryekr.exe
2006-08-09 12:44 40448 -r-hs---- C:\WINDOWS\system32\svsnt.exe
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-26 15:49 159744 --a------ C:\WINDOWS\system32\cvn0.exe
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-09 02:27 286 --a------ C:\WINDOWS\autoupdate.bat
2006-06-21 15:53 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-06-21 15:53 -------- d-------- C:\Program Files\Google
2006-06-19 13:38 53248 --a------ C:\WINDOWS\uni_ehhhh.exe
2006-06-19 13:38 49152 --a------ C:\WINDOWS\uninst104.exe
2006-06-07 14:03 2439 --a------ C:\Program Files\wallpap.js
2006-06-07 14:02 2048 --a------ C:\Program Files\wallpap.exe
2006-06-07 12:55 3753 --a------ C:\Program Files\html2.htm
2006-06-07 12:55 3626 --a------ C:\Program Files\html1.htm

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\apdproxy.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"HPHmon06"="C:\\WINDOWS\\system32\\hphmon06.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ad8rIU3s"="C:\\WINDOWS\\system32\\cvn0.exe"
"k6mmN5IOU"="\"C:\\WINDOWS\\system32\\wfxqhv.exe\""
"rcrfcca1"="RUNDLL32.EXE w9be8644.dll,n 002fcc9f000000039be8644"
"yrvszeiA"="C:\\WINDOWS\\yrvszeiA.exe"
"sys09482739779"="C:\\WINDOWS\\sys09482739779.exe"
"adwarealert"="C:\\Program Files\\adwarealert\\AdwareAlert.exe -boot"
"spywarebot"="C:\\Program Files\\SpywareBot\\SpywareBot.exe -boot"
"webHancer Agent"="C:\\Program Files\\webHancer\\Programs\\whagent.exe"
"webHancer Survey Companion"="C:\\Program Files\\webHancer\\Programs\\whsurvey.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"PSLister"="\"C:\\Program Files\\PSLister\\PSLister.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoSaveSettings"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e4,00,00,00,00,00,00,00,9c,03,00,00,3e,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{1CC60643-0B75-1033-0509-050517200001}"="\"C:\\Program Files\\Common Files\\{1CC60643-0B75-1033-0509-050517200001}\\Update.exe\" mc-110-12-0000488"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{1CC60643-0B75-1033-0509-050517200001}"="\"C:\\Program Files\\Common Files\\{1CC60643-0B75-1033-0509-050517200001}\\Update.exe\" mc-110-12-0000488"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"="SpySubtract Shell Extension"



Completion time: Sun 08/20/2006 19:59:01.28
ComboFix.txt


Logfile of HijackThis v1.99.1
Scan saved at 8:03:49 PM, on 8/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svsnt.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\cvn0.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\WINDOWS\sys09482739779.exe
C:\WINDOWS\system32\n9nyb.exe
C:\WINDOWS\system32\ghynf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PSLister\PSLister.exe
C:\Program Files\Sierra\Planner\Plnrnote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\SpywareBot\SpywareBot.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\adwarealert\AdwareAlert.exe
C:\WINDOWS\Duce6.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\HP\KBD\KBD.exe
C:\WINDOWS\ALCXMNTR.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: SearchHelper - {B6A5B638-6025-4C2C-A899-867B416453D2} - C:\Program Files\SearchHelper\SearchHelper.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll (file missing)
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [rcrfcca1] RUNDLL32.exe w9be8644.dll,n 002fcc9f000000039be8644
O4 - HKLM\..\Run: [yrvszeiA] C:\WINDOWS\yrvszeiA.exe
O4 - HKLM\..\Run: [sys09482739779] C:\WINDOWS\sys09482739779.exe
O4 - HKLM\..\Run: [adwarealert] C:\Program Files\adwarealert\AdwareAlert.exe -boot
O4 - HKLM\..\Run: [spywarebot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = ?
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGremind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123954833640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Print Spooler Service (SpoolSvc212) - Unknown owner - C:\WINDOWS\system32\dior4f4ioukqw.exe
O23 - Service: System Internal AntiVirus (SVSAV) - Unknown owner - C:\WINDOWS\system32\svsnt.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\yrvszei.exe (file missing)


Chris



Response Number 7
Name: jabuck
Date: August 20, 2006 at 20:22:03 Pacific
Reply:

Looking better.

Go to start> control panel> add/remove programs and uninstall the following programs if found:

SpywareBot

webHancer

adwarealert

PSLister

Set up the computer to view hidden files by going to start>control panel>folder options>view tab>tick the circle beside "show hidden files and folders" and untick the box beside "hide extensions of known file types" and "hide protected system operating files">apply>ok.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Run Hijack This from safe mode, close all windows except Hijack This, place a check to the left of the following items and press "fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=

O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll (file missing)

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe

O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"

O4 - HKLM\..\Run: [rcrfcca1] RUNDLL32.exe w9be8644.dll,n 002fcc9f000000039be8644

O4 - HKLM\..\Run: [yrvszeiA] C:\WINDOWS\yrvszeiA.exe

O4 - HKLM\..\Run: [sys09482739779] C:\WINDOWS\sys09482739779.exe

O4 - HKLM\..\Run: [adwarealert] C:\Program Files\adwarealert\AdwareAlert.exe -boot

O4 - HKLM\..\Run: [spywarebot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe

O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe

O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe

O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"

O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll

O23 - Service: Print Spooler Service (SpoolSvc212) - Unknown owner - C:\WINDOWS\system32\dior4f4ioukqw.exe

O23 - Service: System Internal AntiVirus (SVSAV) - Unknown owner - C:\WINDOWS\system32\svsnt.exe

O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\yrvszei.exe (file missing)

Exit Hijack This but remain in safe mode

Navigate to and delete the following files if found:

C:\WINDOWS\system32\svsnt.exe

C:\WINDOWS\system32\cvn0.exe

C:\WINDOWS\sys09482739779.exe

C:\WINDOWS\system32\n9nyb.exe

C:\WINDOWS\system32\ghynf.exe

C:\Program Files\PSLister\PSLister.exe

C:\Program Files\SpywareBot\SpywareBot.exe

C:\Program Files\adwarealert\AdwareAlert.exe

C:\WINDOWS\Duce6.exe

C:\WINDOWS\ALCXMNTR.exe

C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll

C:\WINDOWS\system32\wfxqhv.exe

C:\WINDOWS\system32\w9be8644.dll

C:\WINDOWS\yrvszeiA.exe

C:\Program Files\webHancer\Programs\whagent.exe

C:\Program Files\webHancer\Programs\whsurvey.exe

C:\WINDOWS\system32\xeymi.dll

C:\WINDOWS\system32\dior4f4ioukqw.exe

C:\WINDOWS\yrvszei.exe

Next while still in safe mode delete these folders if found:

C:\Program Files\PSLister

C:\Program Files\SpywareBot

C:\Program Files\adwarealert

C:\Program Files\TheSearchAccelerator

C:\Program Files\webHancer

Next, go to start> run> copy and paste the following commands one at a time into the space provided and press "enter".

sc stop SpoolSvc212

sc delete SpoolSvc212

sc stop SVSAV

sc delete SVSAV

sc stop "Windows Overlay Components"

sc delete "Windows Overlay Components"

Reboot the computer to normal mode.

Please download ATF-Cleaner to your desktop from this link:
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode.

Download and install Ewido Security Suite. We will need this later in safe mode.

Be sure to update Ewido

Reboot into safe mode.

Run Ewido from safe mode and let it delete all that it finds.

Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Post a new Hijack This log and a new Combofix scan please.


0
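The post above does the removal by hand: fix the O4/O23 entries in HijackThis, delete the files in safe mode, then stop and delete the services with sc. What follows is an added example, not part of the original thread or of HijackThis, that generates those commands from the log lines themselves. The name sc.exe wants is the short service name HijackThis prints in parentheses on the O23 line (the display name when no parentheses are shown), quoted when it contains spaces; anything else, such as a parenthesised or unquoted name, makes OpenService fail with error 1060. Assumptions: the HijackThis v1.99 line formats seen in the posted logs, an XP cmd.exe with sc.exe, reg.exe and attrib available, and a caller who has already decided which names are malicious (the `targets` set); the sample lines are copied from the log in this thread.

```python
"""Turn HijackThis O23 (service) and O4 (Run key) lines into cmd.exe commands
that remove them cleanly: stop and delete the service so the SCM stops
respawning it, drop the Run value, clear R/H/S attributes, then delete the file.

Added example for this thread; not part of the original posts or of HijackThis.
Assumes HijackThis v1.99 line formats and an XP cmd.exe with sc.exe, reg.exe
and attrib. Names in `targets` are ones the helper already judged malicious;
this script makes no such judgement itself.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# "O23 - Service: <display> (<short>) - <owner> - <path>[ (file missing)]";
# HijackThis omits "(<short>)" when the short name equals the display name.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)
SHORT_RE = re.compile(r"^(?P<display>.+) \((?P<short>[^()]+)\)$")
# "O4 - HKLM\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>.+?)\] (?P<cmd>.+)$")
RUN_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class Service:
    display: str
    short: str      # the name sc.exe wants
    path: str
    missing: bool


@dataclass
class RunEntry:
    hive: str
    name: str
    path: str


def parse_o23(line: str) -> Optional[Service]:
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display = short = m["display"]
    s = SHORT_RE.match(display)
    if s:
        display, short = s["display"], s["short"]
    return Service(display, short, m["path"], bool(m["missing"]))


def exe_path(cmdline: str) -> str:
    """Strip surrounding quotes and trailing arguments from a Run-key command line."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    m = re.match(r"^([A-Za-z]:\\.+?\.(?:exe|dll|com|bat))(?:\s|$)", cmdline, re.I)
    return m.group(1) if m else cmdline.split()[0]


def parse_o4(line: str) -> Optional[RunEntry]:
    m = O4_RE.match(line.strip())
    return RunEntry(m["hive"], m["name"], exe_path(m["cmd"])) if m else None


def q(arg: str) -> str:
    """Quote for cmd.exe only when needed. 'sc stop (Name)' hands sc.exe the
    parentheses as part of the name (OpenService error 1060), and an unquoted
    name with spaces is cut at the first space and addresses the wrong service."""
    return arg if re.fullmatch(r"[\w.\-]+", arg) else f'"{arg}"'


def file_delete_cmds(path: str) -> List[str]:
    # del refuses read-only files, and this dropper marks its service binary
    # -r-hs---- (svsnt.exe in the ComboFix Find3M report), so strip R/S/H first.
    return [f"attrib -r -s -h {q(path)}", f"del /f {q(path)}"]


def cleanup_commands(lines: Iterable[str], targets: Iterable[str]) -> List[str]:
    """Commands for the services (by short name) and Run values (by value name)
    listed in `targets`, in the order the entries appear in the log."""
    wanted = set(targets)
    cmds: List[str] = []
    for line in lines:
        svc = parse_o23(line)
        if svc and svc.short in wanted:
            cmds += [f"sc stop {q(svc.short)}", f"sc delete {q(svc.short)}"]
            if not svc.missing:      # "(file missing)": nothing on disk to delete
                cmds += file_delete_cmds(svc.path)
            continue
        run = parse_o4(line)
        if run and run.name in wanted:
            cmds.append(f"reg delete {q(run.hive + RUN_KEY)} /v {q(run.name)} /f")
            cmds += file_delete_cmds(run.path)
    return cmds


# Lines copied from the HijackThis log posted in this thread.
SAMPLE = [
    r"O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe",
    r'O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"',
    r"O23 - Service: Print Spooler Service (SpoolSvc212) - Unknown owner - C:\WINDOWS\system32\dior4f4ioukqw.exe",
    r"O23 - Service: System Internal AntiVirus (SVSAV) - Unknown owner - C:\WINDOWS\system32\svsnt.exe",
    r"O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\yrvszei.exe (file missing)",
    r"O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe",
]

if __name__ == "__main__":
    targets = {"SpoolSvc212", "SVSAV", "Windows Overlay Components", "TheMonitor", "PSLister"}
    print("\n".join(cleanup_commands(SAMPLE, targets)))
```

Run the generated lines in a cmd window in safe mode rather than from the Run box, which closes sc's window before the result can be read. `sc delete` on a service that is still running only marks it for deletion until the next reboot, so stop it first and reboot before checking that the O23 line is gone from a fresh log.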

Response Number 8
Name: CaretaD
Date: August 21, 2006 at 16:34:58 Pacific
Reply:

Thanks again for your help. Here are the two logs you requested:

Logfile of HijackThis v1.99.1
Scan saved at 6:03:38 PM, on 8/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: SearchHelper - {B6A5B638-6025-4C2C-A899-867B416453D2} - C:\Program Files\SearchHelper\SearchHelper.dll
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = ?
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGremind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123954833640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Print Spooler Service (SpoolSvc212) - Unknown owner - C:\WINDOWS\system32\nlkfev7sxctzf.exe
O23 - Service: System Internal AntiVirus (SVSAV) - Unknown owner - C:\WINDOWS\system32\svsnt.exe

-----------------------

HP_Owner - 06-08-21 18:04:44.43
ComboFix 06.08.18 - Running from: C:\Documents and Settings\HP_Owner\Desktop

((((((((((((((((((((((((((((((( Files Created from 2006-07-21 to 2006-08-21 ))))))))))))))))))))))))))))))))))

2006-08-21 06:43 89,088 C:\WINDOWS\system32\nlkfev7sxctzf.exe
2006-08-20 22:34 89,088 C:\WINDOWS\system32\mlsdf8hrinty.exe
2006-08-20 22:33 83,968 C:\dhcp.com
2006-08-20 15:30 28,672 C:\WINDOWS\system32\bez6n4r21.exe
2006-08-19 20:27 663,040 C:\WINDOWS\is-514IU.exe
2006-08-19 20:09 2,292 C:\regfile.pif
2006-08-19 07:47 89,088 C:\WINDOWS\system32\cjnr4r4zekbhm.exe
2006-08-19 07:33 89,088 C:\WINDOWS\system32\mlsdf8hjotzflryfm.exe
2006-08-19 07:27 48,190 C:\WINDOWS\RDFX4.exe
2006-08-19 07:26 89,088 C:\WINDOWS\system32\nlkfev7jpuz.exe
2006-08-18 22:35 89,088 C:\WINDOWS\system32\cjnr4r4kpulrx.exe
2006-08-18 20:52 910,336 C:\vx2cleaner.dll
2006-08-18 20:52 164,864 C:\UNWISE.exe
2006-08-18 20:08 89,088 C:\WINDOWS\system32\cjnr4r4qwbrxekr.exe
2006-08-18 06:42 88,576 C:\WINDOWS\system32\mlsdf8hbglr.exe
2006-08-18 02:58 88,576 C:\WINDOWS\system32\mlsdf8hkafms.exe
2006-08-17 22:55 88,576 C:\WINDOWS\system32\mlsdf8huzfkqwcjqx.exe
2006-08-17 20:37 88,576 C:\WINDOWS\system32\sklrr7ywchxdjqxe.exe
2006-08-17 20:28 88,576 C:\WINDOWS\system32\cjnr4r4wciyekqai.exe
2006-08-17 20:19 88,576 C:\WINDOWS\system32\nlkfev7hpuagmtzho.exe
2006-08-17 19:55 88,576 C:\WINDOWS\system32\cjnr4r4iotyelryfn.exe
2006-08-17 19:39 88,576 C:\WINDOWS\system32\nlkfev7aekq.exe
2006-08-17 19:35 820,224 C:\WINDOWS\is-PR0OM.exe
2006-08-17 19:28 214,752 C:\Setup100.exe
2006-08-17 19:28 186,223 C:\WINDOWS\srvyvwuzyl.exe
2006-08-15 21:38 88,576 C:\WINDOWS\system32\sklrr7ywbhxdj.exe
2006-08-15 20:32 88,576 C:\WINDOWS\system32\nlkfev7tyeuaryf.exe
2006-08-15 19:53 88,576 C:\WINDOWS\system32\mlsdf8hsydj.exe
2006-08-15 07:51 88,576 C:\WINDOWS\system32\sklrr7youkpv.exe
2006-08-14 14:23 88,576 C:\WINDOWS\system32\mlsdf8hcindjqwd.exe
2006-08-14 05:04 61,952 C:\WINDOWS\system32\rcrfcca1.dll
2006-08-14 05:04 1,167 C:\WINDOWS\system32\rcrfcca1.sys
2006-08-14 04:00 45,056 C:\WINDOWS\system32ghynf.exe
2006-08-14 04:00 45,056 C:\WINDOWS\system32\ghynf.exe
2006-08-14 04:00 28,672 C:\WINDOWS\system32bez6n4r21.exe
2006-08-14 04:00 159,744 C:\WINDOWS\system32\cvn0.exe
2006-08-14 03:59 286 C:\WINDOWS\autoupdate.bat
2006-08-13 18:18 88,576 C:\WINDOWS\system32\nlkfev7sydtzfmta.exe
2006-08-13 18:18 88,576 C:\WINDOWS\system32\cjnr4r4jpukqw.exe
2006-08-13 16:21 88,576 C:\WINDOWS\system32\sklrr7yuzqvbhyfm.exe
2006-08-10 16:58 87,552 C:\WINDOWS\system32\sklrr7yryekqxfmuc.exe
2006-08-10 16:58 83,968 C:\regedit.pif
2006-08-10 11:50 87,552 C:\WINDOWS\system32\sklrr7ychndjp.exe
2006-08-09 23:39 87,552 C:\WINDOWS\system32\sklrr7yflqgnszgn.exe
2006-08-09 21:02 87,552 C:\WINDOWS\system32\mlsdf8hotyzek.exe
2006-08-09 21:02 78,340 C:\ppt.com
2006-08-09 18:42 87,552 C:\WINDOWS\system32\cjnr4r4gmcio.exe
2006-08-09 18:40 87,552 C:\WINDOWS\system32\sklrr7yzejafm.exe
2006-08-09 12:46 87,552 C:\WINDOWS\system32\mlsdf8hioekp.exe
2006-08-09 12:46 87,552 C:\WINDOWS\system32\cjnr4r4zekahmt.exe
2006-08-09 12:45 87,552 C:\WINDOWS\system32\mlsdf8hrwbryekr.exe
2006-08-09 12:44 78,340 C:\svsnt.exe
2006-08-09 12:44 40,448 C:\WINDOWS\system32\svsnt.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-21 17:58 -------- d--h----- C:\Program Files\WindowsUpdate
2006-08-21 07:08 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-21 06:43 89088 --a------ C:\WINDOWS\system32\nlkfev7sxctzf.exe
2006-08-21 06:43 83968 --a------ C:\dhcp.com
2006-08-21 06:15 1167 --a------ C:\WINDOWS\system32\rcrfcca1.sys
2006-08-21 06:08 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\Webshots
2006-08-20 22:34 89088 --a------ C:\WINDOWS\system32\mlsdf8hrinty.exe
2006-08-20 19:57 2292 --a------ C:\regfile.pif
2006-08-20 19:52 -------- d-------- C:\Program Files\Common Files
2006-08-20 17:14 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\Lavasoft
2006-08-20 15:30 28672 --a------ C:\WINDOWS\system32\bez6n4r21.exe
2006-08-20 15:25 45056 --a------ C:\WINDOWS\system32ghynf.exe
2006-08-20 15:25 28672 --a------ C:\WINDOWS\system32bez6n4r21.exe
2006-08-19 20:27 663040 --a------ C:\WINDOWS\is-514IU.exe
2006-08-19 07:51 83968 --a------ C:\regedit.pif
2006-08-19 07:47 89088 --a------ C:\WINDOWS\system32\cjnr4r4zekbhm.exe
2006-08-19 07:33 89088 --a------ C:\WINDOWS\system32\mlsdf8hjotzflryfm.exe
2006-08-19 07:27 48190 --a------ C:\WINDOWS\RDFX4.exe
2006-08-19 07:26 89088 --a------ C:\WINDOWS\system32\nlkfev7jpuz.exe
2006-08-18 22:35 89088 --a------ C:\WINDOWS\system32\cjnr4r4kpulrx.exe
2006-08-18 20:56 -------- d-------- C:\Program Files\Lavasoft
2006-08-18 20:08 89088 --a------ C:\WINDOWS\system32\cjnr4r4qwbrxekr.exe
2006-08-18 06:42 88576 --a------ C:\WINDOWS\system32\mlsdf8hbglr.exe
2006-08-18 02:58 88576 --a------ C:\WINDOWS\system32\mlsdf8hkafms.exe
2006-08-17 22:55 88576 --a------ C:\WINDOWS\system32\mlsdf8huzfkqwcjqx.exe
2006-08-17 22:50 -------- d-------- C:\Program Files\Common Files\immi
2006-08-17 20:37 88576 --a------ C:\WINDOWS\system32\sklrr7ywchxdjqxe.exe
2006-08-17 20:28 88576 --a------ C:\WINDOWS\system32\cjnr4r4wciyekqai.exe
2006-08-17 20:19 88576 --a------ C:\WINDOWS\system32\nlkfev7hpuagmtzho.exe
2006-08-17 19:55 88576 --a------ C:\WINDOWS\system32\cjnr4r4iotyelryfn.exe
2006-08-17 19:39 88576 --a------ C:\WINDOWS\system32\nlkfev7aekq.exe
2006-08-17 19:35 820224 --a------ C:\WINDOWS\is-PR0OM.exe
2006-08-17 19:29 -------- d-------- C:\Program Files\SearchHelper
2006-08-17 19:28 214752 --a------ C:\Setup100.exe
2006-08-17 19:28 186223 --a------ C:\WINDOWS\srvyvwuzyl.exe
2006-08-15 21:38 88576 --a------ C:\WINDOWS\system32\sklrr7ywbhxdj.exe
2006-08-15 20:32 88576 --a------ C:\WINDOWS\system32\nlkfev7tyeuaryf.exe
2006-08-15 19:53 88576 --a------ C:\WINDOWS\system32\mlsdf8hsydj.exe
2006-08-15 19:10 -------- d-------- C:\Program Files\Internet Explorer
2006-08-15 07:51 88576 --a------ C:\WINDOWS\system32\sklrr7youkpv.exe
2006-08-14 14:23 88576 --a------ C:\WINDOWS\system32\mlsdf8hcindjqwd.exe
2006-08-14 05:04 61952 --a------ C:\WINDOWS\system32\rcrfcca1.dll
2006-08-14 04:00 45056 --a------ C:\WINDOWS\system32\ghynf.exe
2006-08-13 18:18 88576 --a------ C:\WINDOWS\system32\nlkfev7sydtzfmta.exe
2006-08-13 18:18 88576 --a------ C:\WINDOWS\system32\cjnr4r4jpukqw.exe
2006-08-13 16:21 88576 --a------ C:\WINDOWS\system32\sklrr7yuzqvbhyfm.exe
2006-08-10 16:58 87552 --a------ C:\WINDOWS\system32\sklrr7yryekqxfmuc.exe
2006-08-10 11:50 87552 --a------ C:\WINDOWS\system32\sklrr7ychndjp.exe
2006-08-10 11:49 78340 --a------ C:\ppt.com
2006-08-09 23:39 87552 --a------ C:\WINDOWS\system32\sklrr7yflqgnszgn.exe
2006-08-09 21:02 87552 --a------ C:\WINDOWS\system32\mlsdf8hotyzek.exe
2006-08-09 18:42 87552 --a------ C:\WINDOWS\system32\cjnr4r4gmcio.exe
2006-08-09 18:42 78340 --a------ C:\svsnt.exe
2006-08-09 18:40 87552 --a------ C:\WINDOWS\system32\sklrr7yzejafm.exe
2006-08-09 12:46 87552 --a------ C:\WINDOWS\system32\mlsdf8hioekp.exe
2006-08-09 12:46 87552 --a------ C:\WINDOWS\system32\cjnr4r4zekahmt.exe
2006-08-09 12:45 87552 --a------ C:\WINDOWS\system32\mlsdf8hrwbryekr.exe
2006-08-09 12:44 40448 -r-hs---- C:\WINDOWS\system32\svsnt.exe
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-26 15:49 159744 --a------ C:\WINDOWS\system32\cvn0.exe
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-09 02:27 286 --a------ C:\WINDOWS\autoupdate.bat
2006-06-21 15:53 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-06-21 15:53 -------- d-------- C:\Program Files\Google
2006-06-19 13:38 53248 --a------ C:\WINDOWS\uni_ehhhh.exe
2006-06-19 13:38 49152 --a------ C:\WINDOWS\uninst104.exe
2006-06-07 12:55 3753 --a------ C:\Program Files\html2.htm
2006-06-07 12:55 3626 --a------ C:\Program Files\html1.htm

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\apdproxy.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"HPHmon06"="C:\\WINDOWS\\system32\\hphmon06.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoSaveSettings"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{1CC60643-0B75-1033-0509-050517200001}"="\"C:\\Program Files\\Common Files\\{1CC60643-0B75-1033-0509-050517200001}\\Update.exe\" mc-110-12-0000488"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{1CC60643-0B75-1033-0509-050517200001}"="\"C:\\Program Files\\Common Files\\{1CC60643-0B75-1033-0509-050517200001}\\Update.exe\" mc-110-12-0000488"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"="SpySubtract Shell Extension"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Completion time: Mon 08/21/2006 18:06:14.34
ComboFix.txt
ComboFix2.txt


Chris


0

Response Number 9
Name: Phillyserb
Date: August 21, 2006 at 17:14:01 Pacific
Reply:

http://www.majorgeeks.com/Qoofix_d5175.html


0

Response Number 10
Name: CaretaD
Date: August 21, 2006 at 19:04:26 Pacific
Reply:

After downloading the Qoofix and running it, it showed that I had no malicious modules found and no Qoologic infected files were found. I also ran my McAfee Virus Scan and it showed no infected files. Am I OK, do you think? If so, thank you SOOOOO much -- you're a genius.

Chris


0

Response Number 11
Name: jabuck
Date: August 21, 2006 at 19:45:12 Pacific
Reply:

No, you are not OK. Qoologic we killed on the first go-around. I am looking at your second scans now; you are still infected with the "Aim" virus, a rootkit version that is difficult to remove, and the SDFix tool normally used to remove it has been temporarily removed from public use, making the once automated process manual again.

Of course, if you want to use the "drive-bys" advice and not finish the removal process, please let me know up front and I'll go on to someone else's log.


0

Response Number 12
Name: jabuck
Date: August 21, 2006 at 20:55:34 Pacific
Reply:

Your computer looks much better, and my apologies if I sounded a little short in my last post. The drive-bys are seldom any help.

I have made contact with the owner of SDFix and he says that it will be back in public use shortly.

So we need to delete a few files and fix two O23's, and wait a day, if that is OK with you.

Reboot the computer into safe mode and make sure you are set up to view hidden files.

Navigate to and delete these files if found:

C:\WINDOWS\system32\nlkfev7sxctzf.exe

C:\WINDOWS\system32\mlsdf8hrinty.exe

C:\WINDOWS\system32\bez6n4r21.exe

C:\WINDOWS\system32\cjnr4r4zekbhm.exe

C:\WINDOWS\system32\mlsdf8hjotzflryfm.exe

C:\WINDOWS\system32\nlkfev7jpuz.exe

C:\WINDOWS\system32\cjnr4r4kpulrx.exe

C:\WINDOWS\system32\cjnr4r4qwbrxekr.exe

C:\WINDOWS\system32\mlsdf8hbglr.exe

C:\WINDOWS\system32\mlsdf8hkafms.exe

C:\WINDOWS\system32\mlsdf8huzfkqwcjqx.exe

C:\WINDOWS\system32\sklrr7ywchxdjqxe.exe

C:\WINDOWS\system32\cjnr4r4wciyekqai.exe

C:\WINDOWS\system32\nlkfev7hpuagmtzho.exe

C:\WINDOWS\system32\cjnr4r4iotyelryfn.exe

C:\WINDOWS\system32\nlkfev7aekq.exe

C:\WINDOWS\srvyvwuzyl.exe

C:\WINDOWS\system32\sklrr7ywbhxdj.exe

C:\WINDOWS\system32\nlkfev7tyeuaryf.exe

C:\WINDOWS\system32\mlsdf8hsydj.exe

C:\WINDOWS\system32\sklrr7youkpv.exe

C:\WINDOWS\system32\mlsdf8hcindjqwd.exe

C:\WINDOWS\system32\rcrfcca1.dll

C:\WINDOWS\system32\rcrfcca1.sys

C:\WINDOWS\system32ghynf.exe

C:\WINDOWS\system32\ghynf.exe

C:\WINDOWS\system32bez6n4r21.exe

C:\WINDOWS\system32\cvn0.exe

C:\WINDOWS\system32\nlkfev7sydtzfmta.exe

C:\WINDOWS\system32\cjnr4r4jpukqw.exe

C:\WINDOWS\system32\sklrr7yuzqvbhyfm.exe

C:\WINDOWS\system32\sklrr7yryekqxfmuc.exe

C:\WINDOWS\system32\sklrr7ychndjp.exe

C:\WINDOWS\system32\sklrr7yflqgnszgn.exe

C:\WINDOWS\system32\mlsdf8hotyzek.exe

C:\WINDOWS\system32\cjnr4r4gmcio.exe

C:\WINDOWS\system32\sklrr7yzejafm.exe

C:\WINDOWS\system32\mlsdf8hioekp.exe

C:\WINDOWS\system32\cjnr4r4zekahmt.exe

C:\WINDOWS\system32\mlsdf8hrwbryekr.exe

C:\svsnt.exe

C:\WINDOWS\system32\svsnt.exe

Next, go to Start > Run, copy and paste the following commands one at a time into the space provided and press "Enter".

sc stop SpoolSvc212

sc delete SpoolSvc212

sc stop SVSAV

sc delete SVSAV

Post a new Hijack This log please.



0
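The ComboFix listing in Response 8 explains why the delete list in Response 12 is so long and why it grew since the first one: the "Files Created" section shows more than thirty executables in system32 with four fixed name prefixes (nlkfev7, mlsdf8h, cjnr4r4, sklrr7y), sizes between 87,552 and 89,088 bytes, and a new one every few hours, and the SpoolSvc212 service binary is dior4f4ioukqw.exe in the first HijackThis log but nlkfev7sxctzf.exe in the second. The following is an added example, not part of the original thread or of ComboFix, that pulls that pattern out of the listing automatically. It assumes the "Files Created" line format shown in Response 8; SAMPLE_LOG is a subset of those posted lines used as constructed test input, and the size band, minimum prefix length and thresholds are heuristics chosen for this example.

```python
"""Triage a ComboFix "Files Created" listing for a self-regenerating dropper
family: many executables in one directory, nearly identical sizes, a few fixed
name prefixes, a new drop every few hours. Deleting the listed files by hand
cannot win while the component that writes them is still running.

Added example for this thread, not part of the original posts or of ComboFix.
SAMPLE_LOG is a subset of the lines posted in this thread, used as constructed
test input; size band, prefix length and thresholds are heuristics chosen here.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+([A-Za-z]:\\.+)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".com", ".pif", ".bat")

@dataclass
class Entry:
    when: datetime
    size: int
    path: str
    directory: str   # lower-cased parent directory
    stem: str        # lower-cased file name without extension

@dataclass
class Family:
    directory: str
    members: List[Entry]   # sorted by creation time
    prefixes: Counter      # shared leading string -> number of members using it

def parse_created(text: str) -> List[Entry]:
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            folder, name = m[3].rsplit("\\", 1)
            out.append(Entry(datetime.strptime(m[1], "%Y-%m-%d %H:%M"), int(m[2].replace(",", "")),
                             m[3], folder.lower(), name.rsplit(".", 1)[0].lower()))
    return out

def shared_prefixes(names: List[str], min_len: int = 5, min_share: int = 3) -> Counter:
    """Per name, the longest leading string (>= min_len chars) that at least min_share
    names start with. A generator that keeps a fixed seed and randomises the tail
    shows up as a few large buckets; genuinely random names produce none."""
    counts = Counter(n[:k] for n in names for k in range(min_len, len(n) + 1))
    chosen: Counter = Counter()
    for n in names:
        cands = [n[:k] for k in range(min_len, len(n) + 1) if counts[n[:k]] >= min_share]
        if cands:
            chosen[max(cands, key=len)] += 1
    return chosen

def families(entries: List[Entry], size_band: int = 2048, min_members: int = 3) -> List[Family]:
    """Group executables by directory, then chain entries whose size is within size_band
    of the next-larger one: a dropper rebuilt with varying padding has many names but
    sizes only a few hundred bytes apart (87,552-89,088 here, in 512-byte steps)."""
    by_dir: Dict[str, List[Entry]] = {}
    for e in entries:
        if e.path.lower().endswith(EXEC_EXT):
            by_dir.setdefault(e.directory, []).append(e)
    found: List[Family] = []

    def flush(run: List[Entry]) -> None:
        if len({m.stem for m in run}) >= min_members:
            found.append(Family(run[0].directory, sorted(run, key=lambda m: m.when),
                                shared_prefixes([m.stem for m in run])))

    for items in by_dir.values():
        items.sort(key=lambda e: e.size)
        run = [items[0]]
        for prev, cur in zip(items, items[1:]):
            if cur.size - prev.size > size_band:
                flush(run)
                run = []
            run.append(cur)
        flush(run)
    return found

# Subset of the "Files Created" lines posted in this thread (constructed test input).
SAMPLE_LOG = r"""
2006-08-21 06:43 89,088 C:\WINDOWS\system32\nlkfev7sxctzf.exe
2006-08-20 22:34 89,088 C:\WINDOWS\system32\mlsdf8hrinty.exe
2006-08-19 07:47 89,088 C:\WINDOWS\system32\cjnr4r4zekbhm.exe
2006-08-19 07:33 89,088 C:\WINDOWS\system32\mlsdf8hjotzflryfm.exe
2006-08-19 07:26 89,088 C:\WINDOWS\system32\nlkfev7jpuz.exe
2006-08-18 22:35 89,088 C:\WINDOWS\system32\cjnr4r4kpulrx.exe
2006-08-18 06:42 88,576 C:\WINDOWS\system32\mlsdf8hbglr.exe
2006-08-17 20:37 88,576 C:\WINDOWS\system32\sklrr7ywchxdjqxe.exe
2006-08-17 20:19 88,576 C:\WINDOWS\system32\nlkfev7hpuagmtzho.exe
2006-08-15 07:51 88,576 C:\WINDOWS\system32\sklrr7youkpv.exe
2006-08-10 16:58 87,552 C:\WINDOWS\system32\sklrr7yryekqxfmuc.exe
2006-08-09 18:42 87,552 C:\WINDOWS\system32\cjnr4r4gmcio.exe
2006-08-09 12:44 40,448 C:\WINDOWS\system32\svsnt.exe
"""

if __name__ == "__main__":
    for f in families(parse_created(SAMPLE_LOG)):
        sizes = [m.size for m in f.members]
        print(f"{f.directory}: {len(f.members)} files, {min(sizes)}-{max(sizes)} bytes, "
              f"{f.members[0].when:%m-%d %H:%M} to {f.members[-1].when:%m-%d %H:%M}, {dict(f.prefixes)}")
```

On the full listing the report comes back with one family in system32 and the four prefixes above, and the path the SpoolSvc212 O23 line points at is one of its members: that service is the part that keeps rewriting the files, so it and SVSAV should be stopped and deleted, and their processes ended, before the dropped files are removed, with the listing re-run after a reboot to confirm no new names appear. The same listing also shows dhcp.com, ppt.com, regedit.pif and regfile.pif sitting in C:\, which neither delete list in the thread includes; cmd.exe resolves .com ahead of .exe when it searches a directory, so those belong on the list too.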

Response Number 13
Name: CaretaD
Date: August 22, 2006 at 08:12:04 Pacific
Reply:

I deleted the files that you requested (at the DOS prompt). However, I can't get back onto the Internet while in Safe Mode, so I rebooted. I got the McAfee alert that showed the Hacker Defender virus alert -- but also Ewido showed that I had some malware. I had to go to work (where I am now), so I just powered off the PC. When I return home, do you want me to delete those same files again? The file that McAfee's alert message showed was a variation of one of the "C:\WINDOWS\system32\mlsdf8hkafms.exe" files -- it started with mlsdf8 -- (I wrote the exact name down but forgot to bring it to work with me). Anyway, it wasn't one of the ones you had listed, but it was similar. Do you want me to try to re-delete the same files in Safe mode when I return?


Chris


0

Response Number 14
Name: CaretaD
Date: August 22, 2006 at 08:36:32 Pacific
Reply:

I also received an e-mail from "murr" at this e-mail address: pytazowhytz@gmail.com - saying that you're trying to mess up my computer. So, I thought I'd report that to you.

Chris


0

Response Number 15
Name: CaretaD
Date: August 22, 2006 at 16:53:32 Pacific
Reply:

New hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 6:52:21 PM, on 8/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sierra\Planner\Plnrnote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\HP\KBD\KBD.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: SearchHelper - {B6A5B638-6025-4C2C-A899-867B416453D2} - C:\Program Files\SearchHelper\SearchHelper.dll
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = ?
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGremind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123954833640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Chris


0

Response Number 16
Name: jabuck
Date: August 22, 2006 at 20:38:28 Pacific
Reply:

Your log looks even better.

Let's give SDFix one more day.

Thank you for the information about the email you received.


0

Response Number 17
Name: jabuck
Date: August 23, 2006 at 19:20:51 Pacific
Reply:

Well, SDFix is still not public, although a couple of forums are running it sparingly, so let's see if we can finish up manually.

Please post a new ComboFix log and a new HijackThis log.


0

Response Number 18
Name: CaretaD
Date: August 24, 2006 at 16:34:31 Pacific
Reply:

HP_Owner - 06-08-24 18:30:44.04
ComboFix 06.08.18 - Running from: C:\Documents and Settings\HP_Owner\Desktop

((((((((((((((((((((((((((((((( Files Created from 2006-07-24 to 2006-08-24 ))))))))))))))))))))))))))))))))))

2006-08-20 22:33 83,968 C:\dhcp.com
2006-08-19 20:27 663,040 C:\WINDOWS\is-514IU.exe
2006-08-19 20:09 2,292 C:\regfile.pif
2006-08-19 07:27 48,190 C:\WINDOWS\RDFX4.exe
2006-08-18 20:52 910,336 C:\vx2cleaner.dll
2006-08-18 20:52 164,864 C:\UNWISE.exe
2006-08-17 19:35 820,224 C:\WINDOWS\is-PR0OM.exe
2006-08-17 19:28 214,752 C:\Setup100.exe
2006-08-14 03:59 286 C:\WINDOWS\autoupdate.bat
2006-08-10 16:58 83,968 C:\regedit.pif
2006-08-09 21:02 78,340 C:\ppt.com

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-24 07:56 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-22 07:19 83968 --a------ C:\dhcp.com
2006-08-21 17:58 -------- d--h----- C:\Program Files\WindowsUpdate
2006-08-21 06:08 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\Webshots
2006-08-20 19:57 2292 --a------ C:\regfile.pif
2006-08-20 19:52 -------- d-------- C:\Program Files\Common Files
2006-08-20 17:14 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\Lavasoft
2006-08-19 20:27 663040 --a------ C:\WINDOWS\is-514IU.exe
2006-08-19 07:51 83968 --a------ C:\regedit.pif
2006-08-19 07:27 48190 --a------ C:\WINDOWS\RDFX4.exe
2006-08-18 20:56 -------- d-------- C:\Program Files\Lavasoft
2006-08-17 22:50 -------- d-------- C:\Program Files\Common Files\immi
2006-08-17 19:35 820224 --a------ C:\WINDOWS\is-PR0OM.exe
2006-08-17 19:29 -------- d-------- C:\Program Files\SearchHelper
2006-08-17 19:28 214752 --a------ C:\Setup100.exe
2006-08-15 19:10 -------- d-------- C:\Program Files\Internet Explorer
2006-08-10 11:49 78340 --a------ C:\ppt.com
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-09 02:27 286 --a------ C:\WINDOWS\autoupdate.bat
2006-06-07 12:55 3753 --a------ C:\Program Files\html2.htm
2006-06-07 12:55 3626 --a------ C:\Program Files\html1.htm

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\apdproxy.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"HPHmon06"="C:\\WINDOWS\\system32\\hphmon06.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoSaveSettings"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableRegedit"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,30,01,00,00,00,00,00,00,50,03,00,00,3e,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{1CC60643-0B75-1033-0509-050517200001}"="\"C:\\Program Files\\Common Files\\{1CC60643-0B75-1033-0509-050517200001}\\Update.exe\" mc-110-12-0000488"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{1CC60643-0B75-1033-0509-050517200001}"="\"C:\\Program Files\\Common Files\\{1CC60643-0B75-1033-0509-050517200001}\\Update.exe\" mc-110-12-0000488"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"="SpySubtract Shell Extension"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Completion time: Thu 08/24/2006 18:32:18.51
ComboFix.txt
ComboFix2.txt
ComboFix3.txt
-----------
Logfile of HijackThis v1.99.1
Scan saved at 6:33:41 PM, on 8/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sierra\Planner\Plnrnote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\HP\KBD\KBD.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: SearchHelper - {B6A5B638-6025-4C2C-A899-867B416453D2} - C:\Program Files\SearchHelper\SearchHelper.dll
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = ?
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGremind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123954833640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


Chris


0

Response Number 19
Name: jabuck
Date: August 24, 2006 at 18:49:10 Pacific
Reply:

Reboot into safe mode. Make sure you have the computer setup to view hidden files.

Navigate to and delete the following files if found:

C:\dhcp.com

C:\regfile.pif

C:\WINDOWS\is-514IU.exe

C:\WINDOWS\RDFX4.exe

C:\WINDOWS\is-PR0OM.exe

C:\Setup100.exe

C:\ppt.com

C:\WINDOWS\system32\inetcomm.dll

C:\WINDOWS\system32\hlink.dll

C:\WINDOWS\autoupdate.bat

C:\Program Files\html2.htm

C:\Program Files\html1.htm

Run Ewido from safe mode and let it delete all that it finds.

Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Please post a new ComboFix log and let us know how you are running.



0

Response Number 20
Name: CaretaD
Date: August 25, 2006 at 08:18:02 Pacific
Reply:

I did all that you asked. When I rebooted out of Safe mode so that I could get on the Internet, I ran Ewido a second time. It picked up Hijacker.VB, Backdoor.HacDef-fw, Adware.Surfside, and several tracking cookies (e.g., Doubleclick, 2o7). It also ignored something called "Not-A-Virus Protector.Perl.Msdds.b" -- I hadn't seen that one before. I deleted everything else (it would only let me quarantine the Hijacker one). Anyway, I am posting the Combofix log. The PC is running much better.

HP_Owner - 06-08-25 6:11:37.71
ComboFix 06.08.18 - Running from: C:\Documents and Settings\HP_Owner\Desktop

((((((((((((((((((((((((((((((( Files Created from 2006-07-25 to 2006-08-25 ))))))))))))))))))))))))))))))))))

2006-08-20 22:33 83,968 C:\dhcp.com
2006-08-19 07:27 48,190 C:\WINDOWS\RDFX4.exe
2006-08-18 20:52 910,336 C:\vx2cleaner.dll
2006-08-18 20:52 164,864 C:\UNWISE.exe
2006-08-10 16:58 83,968 C:\regedit.pif

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-24 07:56 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-22 07:19 83968 --a------ C:\dhcp.com
2006-08-21 17:58 -------- d--h----- C:\Program Files\WindowsUpdate
2006-08-21 06:08 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\Webshots
2006-08-20 19:52 -------- d-------- C:\Program Files\Common Files
2006-08-20 17:14 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\Lavasoft
2006-08-19 07:51 83968 --a------ C:\regedit.pif
2006-08-19 07:27 48190 --a------ C:\WINDOWS\RDFX4.exe
2006-08-18 20:56 -------- d-------- C:\Program Files\Lavasoft
2006-08-17 22:50 -------- d-------- C:\Program Files\Common Files\immi
2006-08-17 19:29 -------- d-------- C:\Program Files\SearchHelper
2006-08-15 19:10 -------- d-------- C:\Program Files\Internet Explorer

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\apdproxy.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"HPHmon06"="C:\\WINDOWS\\system32\\hphmon06.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoSaveSettings"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableRegedit"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{1CC60643-0B75-1033-0509-050517200001}"="\"C:\\Program Files\\Common Files\\{1CC60643-0B75-1033-0509-050517200001}\\Update.exe\" mc-110-12-0000488"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{1CC60643-0B75-1033-0509-050517200001}"="\"C:\\Program Files\\Common Files\\{1CC60643-0B75-1033-0509-050517200001}\\Update.exe\" mc-110-12-0000488"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"="SpySubtract Shell Extension"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Completion time: Fri 08/25/2006 6:13:08.39
ComboFix.txt
ComboFix2.txt
ComboFix3.txt


Chris


0
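An added worked example, not code from this thread or from ComboFix, HijackThis, Ewido or any other tool named in it: the Python script below parses excerpts of the two ComboFix reports posted above (the 24 Aug report from Response 18 as BEFORE, the 25 Aug report from Response 20 as AFTER), diffs the files they list against the deletion list given in Response 19, and reports which files survived the manual cleanup. It assumes only the line layout visible in those reports (date, time, size, path under "Files Created"; date, time, size, attributes, path under Find3M). The heuristics in triage() and the TOOL_NAMES set are illustrative choices of this example and are not anything ComboFix itself reports.

```python
from collections import defaultdict

# Excerpts of the two ComboFix reports posted above: BEFORE is the 24 Aug
# report (Response 18), AFTER the 25 Aug one (Response 20); banners shortened.
BEFORE = r"""
((( Files Created from 2006-07-24 to 2006-08-24 )))
2006-08-20 22:33 83,968 C:\dhcp.com
2006-08-19 20:27 663,040 C:\WINDOWS\is-514IU.exe
2006-08-19 20:09 2,292 C:\regfile.pif
2006-08-19 07:27 48,190 C:\WINDOWS\RDFX4.exe
2006-08-18 20:52 910,336 C:\vx2cleaner.dll
2006-08-18 20:52 164,864 C:\UNWISE.exe
2006-08-17 19:35 820,224 C:\WINDOWS\is-PR0OM.exe
2006-08-17 19:28 214,752 C:\Setup100.exe
2006-08-14 03:59 286 C:\WINDOWS\autoupdate.bat
2006-08-10 16:58 83,968 C:\regedit.pif
2006-08-09 21:02 78,340 C:\ppt.com
((( Find3M Report )))
2006-08-24 07:56 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-22 07:19 83968 --a------ C:\dhcp.com
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
((( Reg Loading Points )))
"""
AFTER = r"""
((( Files Created from 2006-07-25 to 2006-08-25 )))
2006-08-20 22:33 83,968 C:\dhcp.com
2006-08-19 07:27 48,190 C:\WINDOWS\RDFX4.exe
2006-08-18 20:52 910,336 C:\vx2cleaner.dll
2006-08-18 20:52 164,864 C:\UNWISE.exe
2006-08-10 16:58 83,968 C:\regedit.pif
"""
# The paths Response 19 asked the poster to delete by hand.
DELETION_LIST_POST19 = [
    r"C:\dhcp.com", r"C:\regfile.pif", r"C:\WINDOWS\is-514IU.exe",
    r"C:\WINDOWS\RDFX4.exe", r"C:\WINDOWS\is-PR0OM.exe", r"C:\Setup100.exe",
    r"C:\ppt.com", r"C:\WINDOWS\system32\inetcomm.dll", r"C:\WINDOWS\system32\hlink.dll",
    r"C:\WINDOWS\autoupdate.bat", r"C:\Program Files\html2.htm", r"C:\Program Files\html1.htm",
]

def parse_report(text):
    """Map lower-cased path -> size in bytes for every file (not directory)
    listed in the Files Created and Find3M sections."""
    files, section = {}, None
    for line in text.splitlines():
        if "Files Created" in line or "Find3M" in line:
            section = "created" if "Files Created" in line else "find3m"
        elif "Reg Loading Points" in line:
            break
        elif section and line[:4].isdigit():
            if section == "created":            # date time size path
                _, _, size, path = line.split(None, 3)
            else:                               # date time size attrs path
                _, _, size, attrs, path = line.split(None, 4)
                if attrs.startswith("d"):       # directory: no size, skip it
                    continue
            files[path.lower()] = int(size.replace(",", ""))
    return files

def classify(before, after, deletion_list):
    """Sort the before/after file sets by what the cleanup should have changed."""
    listed = {p.lower() for p in deletion_list}
    survivors = before.keys() & after.keys()
    return {"persisted_or_recreated": sorted(survivors & listed),
            "never_targeted": sorted(survivors - listed),
            "removed": sorted(before.keys() - after.keys()),
            "appeared": sorted(after.keys() - before.keys())}

def size_clusters(files):
    """Distinct paths sharing one byte size: candidate copies of a single dropper."""
    by_size = defaultdict(list)
    for path, size in files.items():
        by_size[size].append(path)
    return {s: sorted(p) for s, p in by_size.items() if len(p) > 1}

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\")
TOOL_NAMES = {"regedit", "dhcp", "svchost", "explorer"}   # illustrative, not exhaustive

def triage(path):
    """Heuristic notes on one path; an empty list means nothing stood out."""
    p = path.lower()
    folder, _, name = p.rpartition("\\")
    stem, dot, ext = name.rpartition(".")
    ext = dot + ext if dot else ""
    notes = []
    if folder.endswith(":") and ext in {".pif", ".com", ".bat", ".scr", ".exe"}:
        notes.append("executable dropped directly in the drive root")
    if stem in TOOL_NAMES and ext in {".pif", ".com", ".scr"}:
        notes.append(f"masquerades as the Windows tool '{stem}'")
    if p.startswith(SYSTEM_DIRS) and ext in {".dll", ".sys", ".exe"}:
        notes.append("Windows system directory: verify signature/known-good hash before deleting")
    return notes

if __name__ == "__main__":
    before, after = parse_report(BEFORE), parse_report(AFTER)
    for bucket, paths in classify(before, after, DELETION_LIST_POST19).items():
        print(bucket, *[f"\n    {p}  {'; '.join(triage(p))}" for p in paths])
    print("size clusters:", size_clusters(before))
```

Run against the excerpts, it puts C:\dhcp.com and C:\WINDOWS\RDFX4.exe in persisted_or_recreated (both were on the Response 19 list and are still in the 25 Aug report) and C:\regedit.pif, C:\UNWISE.exe and C:\vx2cleaner.dll in never_targeted; it also groups C:\dhcp.com and C:\regedit.pif as the same 83,968-byte size, which is worth a hash comparison before treating them as unrelated. The two system32 DLLs on the deletion list, inetcomm.dll and hlink.dll, carry the names of Windows components, so the triage note asks for an Authenticode signature or known-good hash check rather than deletion on sight; the removed bucket shows both are gone from the 25 Aug report.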

Response Number 21
Name: jabuck
Date: August 25, 2006 at 14:37:25 Pacific
Reply:

Please navigate to the following file and let me know if it exist, but don't try to delete it yet.

C:\WINDOWS\system32\timedrv26.sys



0

Response Number 22
Name: CaretaD
Date: August 27, 2006 at 07:27:25 Pacific
Reply:

It does not exist.

Chris


0

Response Number 23
Name: jabuck
Date: August 27, 2006 at 08:26:03 Pacific
Reply:

I was hoping that file was the culprit, as SDFix is still not public. We may be able to find the rootkit with some other tools.

Please download and save F-Secure Blacklight to your desktop.
Click "I accept" at the download page and click "No" for viewing unsecure info.
Click the top download button.
Once you get it downloaded:
Click Scan -> Next.
After the scan you'll see a list of all items found. Please click Next and then Exit. Do NOT choose rename for any items yet! I need to see the log first, because legitimate items can also be present there...
A log will be created on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx are numbers)
Please post the contents of the log in your next reply.

Then run this tool:

Please download GMER from here:
Gmer.exe
Unzip it to your desktop and start gmer.exe.
Click the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
Click Scan.
Once done, click the Copy button.
This will copy the results to the clipboard. Paste the results in your next reply.

If you're having problems with running gmer.exe, try it in Safe Mode.
This tool works in Safe Mode… other rootkit revealers don't.


0

Response Number 24
Name: jabuck
Date: August 27, 2006 at 20:38:13 Pacific
Reply:

I don't see a problem with the files found. Lets try it a different way.

Please download “Avenger” by swandog46 to your desktop from this link http://swandog46.geekstogo.com/avenger.zip

1. Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text contained in the area between the X's below to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Files to delete:
C:\dhcp.com
C:\regedit.pif
C:\WINDOWS\RDFX4.exe
C:\Documents and Settings\Rachel\Local Settings\Temp\IadHide5.dll


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply

Navigate to and delete the contents of these folders:

C:\Documents and Settings\Rachel\Local Settings\Temporary Internet Files

C:\Documents and Settings\Rachel\Local Settings\Temp

Post a new combofix log.


0
