
Pos Tmp files and Red X on Drive

Original Message
Name: caleene
Date: March 7, 2008 at 11:20:42 Pacific
Subject: Pos Tmp files and Red X on Drive
OS: WinXP 2002 Service P
CPU/Ram: 2.8GHz/504MB Ram
Model/Manufacturer: HP Pavilion A404X
Comment:
HELP!!! I just can't seem to get rid of all these pos files, and the computer runs so slow. I've really messed up somehow. Please help me.


Response Number 1
Name: jabuck
Date: March 8, 2008 at 17:59:12 Pacific
Subject: Pos Tmp files and Red X on Drive
Reply:
Go to this link:

Disable Realtime Protection

Follow their directions to disable any realtime protection that you have as it will interfere with the fix by reinstalling the corrupt files.

Please download Atribune's VundoFix.exe from the following site to your desktop:

Vundofix.exe

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files, click "yes".

Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will reboot your computer, click "ok".

Please download and install the latest version of HijackThis v2.0.2:

Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.


Response Number 2
Name: caleene
Date: March 9, 2008 at 10:44:53 Pacific
Subject: Pos Tmp files and Red X on Drive
Reply:
Thank you so much for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:02 PM, on 3/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\aguwhanh.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr .exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\hphmon05 .exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim .exe
C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TangoManager.exe
C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TangoManager .exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://frontier.myway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [9c746694] rundll32.exe "C:\WINDOWS\system32\rtodtowv.dll",b
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [BM9f475508] Rundll32.exe "C:\WINDOWS\system32\hgclnhnf.dll",s
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/re...
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\aguwhanh.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7263 bytes
ComboFix 08-03-07.3 - Owner 2008-03-07 13:16:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.148 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\79MK8ME2\ComboFix[1].exe
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\chwlyhqz.dll
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Documents and Settings\Owner\Application Data\DriveCleaner Freeware
C:\Documents and Settings\Owner\Application Data\DriveCleaner Freeware\Logs\update.log
C:\Documents and Settings\Owner\Application Data\SCURIT~1
C:\hp\bin\AUTOTKIT.EXE
C:\hp\KBD\KBD.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ErrorSmart\ErrorSmart.exe
C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TANGOM~1.EXE
C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoManager.exe
C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SymNetDrv\SNDMon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\temp\tn3
C:\WINDOWS\BM9f475508.xml
C:\WINDOWS\IA
C:\WINDOWS\mgrs.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\SMINST\RECGUARD.EXE
C:\WINDOWS\system32\ahssrtol.dll
C:\WINDOWS\system32\avamlnib.dll
C:\WINDOWS\system32\binlmava.ini
C:\WINDOWS\system32\bmfqhdec.dll
C:\WINDOWS\system32\bunprjjk.dll
C:\WINDOWS\system32\cafjkwmm.ini
C:\WINDOWS\system32\cedhqfmb.ini
C:\WINDOWS\system32\cekxfngn.dll
C:\WINDOWS\system32\ckqwijte.ini
C:\WINDOWS\system32\cohildqe.ini
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\cvvhtagu.dll
C:\WINDOWS\system32\diqneyjn.dll
C:\WINDOWS\system32\dmcynxkm.dll
C:\WINDOWS\system32\dnanqkcd.dll
C:\WINDOWS\system32\drivers\dmloadd.sys
C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\edeeg.ini2
C:\WINDOWS\system32\eicndqjg.dll
C:\WINDOWS\system32\ewvketbq.dll
C:\WINDOWS\system32\eykmrgpe.dll
C:\WINDOWS\system32\fbdstgpr.dll
C:\WINDOWS\system32\fccyxwv.dll
C:\WINDOWS\system32\fnxnhvvo.dll
C:\WINDOWS\system32\fsrkriyn.dll
C:\WINDOWS\system32\gbdbpbma.ini
C:\WINDOWS\system32\gdjndhiv.ini
C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\geede.exe
C:\WINDOWS\system32\ggjjnsfs.dll
C:\WINDOWS\system32\glbxxuhf.dll
C:\WINDOWS\system32\gxdknrdi.ini
C:\WINDOWS\system32\hgclnhnf.dll
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hkuevujf.dll
C:\WINDOWS\system32\hlhgvlhd.dll
C:\WINDOWS\system32\hnjxltfv.dll
C:\WINDOWS\system32\hoigpgtq.ini
C:\WINDOWS\system32\horvjhtu.ini
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\hpomdlgl.dll
C:\WINDOWS\system32\idcksdjg.dll
C:\WINDOWS\system32\idrnkdxg.dll
C:\WINDOWS\system32\ifsrjebw.dll
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\ikwtwtqv.ini
C:\WINDOWS\system32\inqfggwq.dll
C:\WINDOWS\system32\instsrv.exe
C:\WINDOWS\system32\ixelctud.ini
C:\WINDOWS\system32\jcwuigjd.ini
C:\WINDOWS\system32\jtkssgkh.ini
C:\WINDOWS\system32\kdowrkkv.dll
C:\WINDOWS\system32\kfmapsgk.ini
C:\WINDOWS\system32\khfefdc.dll
C:\WINDOWS\system32\kmcjkodr.dll
C:\WINDOWS\system32\ksjcqoqu.dll
C:\WINDOWS\system32\ktwdkivu.dll
C:\WINDOWS\system32\ldpixxca.dll
C:\WINDOWS\system32\lvodfetn.ini
C:\WINDOWS\system32\mmwkjfac.dll
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
C:\WINDOWS\system32\npkevkuk.dll
C:\WINDOWS\system32\ntefdovl.dll
C:\WINDOWS\system32\nvkgqrxs.ini
C:\WINDOWS\system32\nwqlmesx.dll
C:\WINDOWS\system32\odumfirp.dll
C:\WINDOWS\system32\ogkfmvkf.dll
C:\WINDOWS\system32\ohkwlbuf.dll
C:\WINDOWS\system32\opnnnnk.dll
C:\WINDOWS\system32\oqcttwjj.ini
C:\WINDOWS\system32\orexreet.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pnteascw.dll
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\pvhqhqbt.dll
C:\WINDOWS\system32\qbtekvwe.ini
C:\WINDOWS\system32\qisjebff.dll
C:\WINDOWS\system32\qqfoqoks.ini
C:\WINDOWS\system32\qvocrwnk.dll
C:\WINDOWS\system32\rdokjcmk.ini
C:\WINDOWS\system32\rtodtowv.dll
C:\WINDOWS\system32\rxrdpivw.dll
C:\WINDOWS\system32\scnrnvco.ini
C:\WINDOWS\system32\sxrqgkvn.dll
C:\WINDOWS\system32\t8
C:\WINDOWS\system32\ttalefvj.dll
C:\WINDOWS\system32\uhjjcboc.dll
C:\WINDOWS\system32\ustwfybv.ini
C:\WINDOWS\system32\uvikdwtk.ini
C:\WINDOWS\system32\vbyfwtsu.dll
C:\WINDOWS\system32\vjedecyc.dll
C:\WINDOWS\system32\vmjlhshf.dll
C:\WINDOWS\system32\vobimjtk.dll
C:\WINDOWS\system32\vocskaip.dll
C:\WINDOWS\system32\vtadkihk.dll
C:\WINDOWS\system32\vwotdotr.ini
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\wowfx.dll
C:\WINDOWS\system32\wwwcvfbm.ini
C:\WINDOWS\system32\xgongyit.ini
C:\WINDOWS\system32\xilwihon.dll
C:\WINDOWS\system32\ycgxfaqx.dll
C:\WINDOWS\system32\z4
D:\Autorun.inf

[code]


C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TANGOM~1 .EXE ---^> C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoManager.exe
[/code]
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_DMLOADD
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\dmloadd
-------\DomainService


((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
.

2008-03-07 11:30 . 2008-03-07 12:48 <DIR> d-------- C:\VundoFix Backups
2008-03-03 11:18 . 2008-03-03 11:49 155,648 --a------ C:\WINDOWS\system32\igfxtray .exe
2008-03-02 13:55 . 2008-03-02 13:55 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-01 10:55 . 2008-03-01 13:52 2,216,252 ---hs---- C:\WINDOWS\system32\fxipvpfx.ini
2008-02-29 13:14 . 2008-03-07 03:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ErrorSmart
2008-02-29 13:12 . 2008-03-07 13:26 <DIR> d-------- C:\Program Files\ErrorSmart
2008-02-29 13:08 . 2008-02-29 13:09 2,825,712 --a------ C:\temp\setupxv.exe
2008-02-29 10:49 . 2008-02-29 16:01 2,231,554 ---hs---- C:\WINDOWS\system32\kpgntccu.ini
2008-02-15 13:54 . 2008-02-15 14:00 <DIR> d-------- C:\Program Files\Windows Live Safety Center

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 21:27 --------- d-----w C:\Program Files\Windows Defender
2008-03-07 21:27 --------- d-----w C:\Program Files\SymNetDrv
2008-03-07 21:27 --------- d-----w C:\Program Files\QuickTime
2008-03-07 21:26 --------- d-----w C:\Program Files\Multimedia Card Reader
2008-03-07 21:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-07 21:26 --------- d-----w C:\Program Files\AIM
2008-03-03 20:54 --------- d-----w C:\Program Files\Viewpoint
2008-02-08 22:32 --------- d-----w C:\Program Files\Norton AntiVirus
2008-01-21 20:52 375,808 ----a-w C:\WINDOWS\mrofinu572.exe
2008-01-19 19:47 --------- d-----w C:\Program Files\AutoUpdate
2008-01-17 19:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\Anti-Virus-Pro.com
2008-01-14 21:54 --------- d-----w C:\Program Files\Symantec
2008-01-13 20:55 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Viewpoint
2008-01-13 20:35 167,545 ----a-w C:\WINDOWS\system32\drivers\core.cache.dsk
2007-07-28 09:06 135 ----a-w C:\Program Files\page.html
2006-12-03 01:05 2,522 ----a-w C:\Program Files\func.js
2006-11-25 07:57 482 ----a-w C:\Program Files\Del.js
2004-10-01 22:54 227,190,984 -c--a-w C:\Program Files\OfficeSTD.exe
.
[code]


----a-w 53,248 2008-03-03 19:19:16 C:\hp\bin\AUTOTKIT .EXE
----a-w 61,440 2008-03-03 19:49:35 C:\hp\KBD\KBD .EXE
----a-w 67,112 2008-03-07 21:01:34 C:\Program Files\AIM\aim .exe
----a-w 185,784 2008-03-03 19:49:25 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 110,592 2008-03-03 19:49:30 C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
----a-w 71,280 2008-03-03 19:19:05 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 18,244,856 2008-03-03 19:23:31 C:\Program Files\ErrorSmart\ErrorSmart .exe
----a-w 2,170,880 2008-03-07 21:02:03 C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoManager .exe
----a-w 24,576 2008-03-03 19:19:44 C:\Program Files\HP\Digital Imaging\bin\backupnotify .exe
----a-w 90,112 2008-03-03 19:19:09 C:\Program Files\HP\Digital Imaging\Unload\hpqcmon .exe
----a-w 1,694,208 2008-02-29 19:50:04 C:\Program Files\Messenger\msmsgs .exe
----a-w 139,264 2008-03-03 19:49:26 C:\Program Files\Multimedia Card Reader\shwicon2k .exe
----a-w 53,248 2008-03-03 19:49:26 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask .exe
----a-w 77,824 2008-03-01 20:20:20 C:\Program Files\QuickTime\qttask .exe
----a-w 77,824 2008-03-03 19:49:31 C:\Program Files\QuickTime\qttask .exe
----a-w 95,960 2008-03-03 19:49:31 C:\Program Files\SymNetDrv\SNDMon .exe
----a-w 111,816 2008-03-07 21:01:00 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr .exe
----a-w 866,584 2008-02-29 19:44:23 C:\Program Files\Windows Defender\MSASCui .exe
----a-w 158,208 2008-03-02 21:09:13 C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
----a-w 212,992 2008-03-03 19:49:31 C:\WINDOWS\SMINST\RECGUARD .EXE
----a-w 52,736 2008-01-13 21:32:54 C:\WINDOWS\system\hpsysdrv .exe
----a-w 15,360 2008-03-07 21:00:55 C:\WINDOWS\system32\ctfmon .exe
----a-w 118,784 2008-03-03 19:18:49 C:\WINDOWS\system32\hkcmd .exe
----a-w 483,328 2008-03-07 21:01:24 C:\WINDOWS\system32\hphmon05 .exe
----a-w 155,648 2008-03-03 19:49:43 C:\WINDOWS\system32\igfxtray .exe
----a-w 81,920 2008-03-03 19:49:23 C:\WINDOWS\system32\ps2 .exe
----a-w 172,032 2008-01-14 21:56:47 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08 .exe
[/code]


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [ ]
"TangoManager"="C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE" [2008-03-07 13:01 2170880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2002-02-15 10:51 24638 C:\WINDOWS\system32\PCANotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp officejet 4100 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp officejet 4100 series.lnk
backup=C:\WINDOWS\pss\hp officejet 4100 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a--c--- 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoLoaderAproposClient]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
C:\hp\bin\AUTOTKIT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoUpdater]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM9f475508]
C:\WINDOWS\system32\qisjebff.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
c:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CQAv]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CQAvùõš/‚²‘ÆßfÏNb‰C:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CQAvùõš/‚²‘ÆßfÏNb‰C:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CQAvùõš/‚²‘ÆßfÏNb‰C:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CQAvùõš/‚²‘ÆßfÏNb‰C:\Program Files\ISTsvc\istsvc.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 23:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Egqru]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorSmart]
C:\Program Files\ErrorSmart\ErrorSmart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hBu3RRc8i]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\geede.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
--a--c--- 2003-07-14 16:52 40960 C:\WINDOWS\ltmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a------ 2003-08-19 01:56 852038 C:\WINDOWS\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ojwkqtkg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-03 11:49 77824 C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\salm]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
C:\Program Files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ws5T35Q]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²#  Lh'þ9Óœð3rÅWC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²#  Lh'þ9Óœð3rÅWC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²#  Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²#  Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"C:\\Program Files\\AIM\\aim .exe"=
"C:\WINDOWS\system32\aguwhanh.exe"= C:\WINDOWS\system32\agu
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]
R3 ENDETECT;ENDETECT;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\ENDETECT.SYS [2003-08-05 12:56]
R3 L2XPSR;L2XPSR;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\L2XPSR.SYS [2003-08-05 12:54]
R3 lne100v5;Linksys LNE100TX(v5) Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\lne100v5.sys [2001-04-01 11:01]
R3 NTSTPL4;NTSTPL4;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL4.SYS [2003-08-05 12:56]
R3 TAPBIND;TAPBIND;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TAPBIND1.SYS [2003-08-05 12:56]
S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys [2003-07-30 01:15]
S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys [2003-07-30 01:15]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 21:59]
S3 NTSTPL1;NTSTPL1;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL1.SYS [2003-08-05 12:56]
S3 NTSTPL2;NTSTPL2;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL2.SYS [2003-08-05 12:56]
S3 NTSTPL3;NTSTPL3;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL3.SYS [2003-08-05 12:56]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-07 11:30:08 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart .ex
- C:\Program Files\ErrorSmart
"2004-08-02 17:58:23 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 4100 series#1083520646.job"
- C:\Program Files\HP\Digital Imaging\Bin\hpqfrucl.exe:-I
"2008-03-07 20:46:05 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 4100 series#1083786321.job"
- C:\Program Files\HP\Digital Imaging\Bin\hpqfrucl.exe:-I
"2008-03-07 21:34:01 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-03-07 18:35:59 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Owner.job"
- c:\PROGRA~1\NORTON~1\NAVW32.EXEh/task:
"2008-03-01 04:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- c:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2008-03-07 21:33:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 13:32:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.



Response Number 3
Name: jabuck
Date: March 10, 2008 at 15:16:46 Pacific
Subject: Pos Tmp files and Red X on Drive
Reply:
Go to Start > Control Panel > Administrative Tools > Services, scroll down to "DomainService" and double-click it. Click the blue drop-down arrow to the far right of "Startup type" > click Disable > Apply > OK.

Exit administrative tools.

Open Notepad and copy/paste everything between the X's into it, and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
RenV::
----a-w 53,248 2008-03-03 19:19:16 C:\hp\bin\AUTOTKIT .EXE
----a-w 61,440 2008-03-03 19:49:35 C:\hp\KBD\KBD .EXE
----a-w 67,112 2008-03-07 21:01:34 C:\Program Files\AIM\aim .exe
----a-w 185,784 2008-03-03 19:49:25 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 110,592 2008-03-03 19:49:30 C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
----a-w 71,280 2008-03-03 19:19:05 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 18,244,856 2008-03-03 19:23:31 C:\Program Files\ErrorSmart\ErrorSmart .exe
----a-w 2,170,880 2008-03-07 21:02:03 C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoManager .exe
----a-w 24,576 2008-03-03 19:19:44 C:\Program Files\HP\Digital Imaging\bin\backupnotify .exe
----a-w 90,112 2008-03-03 19:19:09 C:\Program Files\HP\Digital Imaging\Unload\hpqcmon .exe
----a-w 1,694,208 2008-02-29 19:50:04 C:\Program Files\Messenger\msmsgs .exe
----a-w 139,264 2008-03-03 19:49:26 C:\Program Files\Multimedia Card Reader\shwicon2k .exe
----a-w 53,248 2008-03-03 19:49:26 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask .exe
----a-w 77,824 2008-03-01 20:20:20 C:\Program Files\QuickTime\qttask .exe
----a-w 77,824 2008-03-03 19:49:31 C:\Program Files\QuickTime\qttask .exe
----a-w 95,960 2008-03-03 19:49:31 C:\Program Files\SymNetDrv\SNDMon .exe
----a-w 111,816 2008-03-07 21:01:00 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr .exe
----a-w 866,584 2008-02-29 19:44:23 C:\Program Files\Windows Defender\MSASCui .exe
----a-w 158,208 2008-03-02 21:09:13 C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
----a-w 212,992 2008-03-03 19:49:31 C:\WINDOWS\SMINST\RECGUARD .EXE
----a-w 52,736 2008-01-13 21:32:54 C:\WINDOWS\system\hpsysdrv .exe
----a-w 15,360 2008-03-07 21:00:55 C:\WINDOWS\system32\ctfmon .exe
----a-w 118,784 2008-03-03 19:18:49 C:\WINDOWS\system32\hkcmd .exe
----a-w 483,328 2008-03-07 21:01:24 C:\WINDOWS\system32\hphmon05 .exe
----a-w 155,648 2008-03-03 19:49:43 C:\WINDOWS\system32\igfxtray .exe
----a-w 81,920 2008-03-03 19:49:23 C:\WINDOWS\system32\ps2 .exe
----a-w 172,032 2008-01-14 21:56:47 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08 .exe

File::
C:\WINDOWS\system32\fxipvpfx.ini
C:\temp\setupxv.exe
C:\WINDOWS\system32\kpgntccu.ini

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoLoaderAproposClient]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM9f475508]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CQAv]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CQAvùõš/‚²‘ÆßfÏNb‰C:]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CQAvùõš/‚²‘ÆßfÏNb‰C:\Program Files]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CQAvùõš/‚²‘ÆßfÏNb‰C:\Program Files\ISTsvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CQAvùõš/‚²‘ÆßfÏNb‰C:\Program Files\ISTsvc\istsvc.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hBu3RRc8i]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ojwkqtkg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ws5T35Q]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Lh'þ9Óœð3rÅWC:]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Lh'þ9Óœð3rÅWC:\Program Files]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto-start, click "run".

Post a new Combofix log and a new Hijack This log please.


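The RenV:: block in the reply above lists executables that were renamed with a space pushed in front of the extension ("aim .exe", "qttask .exe"), which is the pattern ComboFix's RenV:: directive undoes. As an added example that is not part of this thread and not ComboFix's own code, the script below parses listing lines in that format, flags names of the "name .ext" shape, reports what each one presumably was called before, and emits the RenV:: block; the sample lines are copied from the reply plus one constructed clean ctfmon.exe line, and the line layout (attributes, size, date, time, path) is taken from the reply.

```python
"""
Flag executables whose extension has been pushed off by a space
("aim .exe", "qttask .exe") in ComboFix-style file listing lines, and
build the RenV:: block that a CFScript uses to rename them back.
Added example for this thread; it is not ComboFix's own code.
"""
import re
from typing import List, NamedTuple, Tuple

# One listing line: attribute flags, size with thousands separators,
# date, time, then the path (which may itself contain spaces).
LISTING_LINE = re.compile(
    r"^(?P<attrs>[-a-zA-Z]{7,9})\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>.+)$"
)

# A file name whose extension is separated from its base by whitespace.
SPACED_EXTENSION = re.compile(r"^(?P<base>.+?)\s+\.(?P<ext>[A-Za-z0-9]{1,4})$")


class Entry(NamedTuple):
    attrs: str
    size: int
    path: str
    raw: str  # the original line, reused verbatim in the RenV:: block


def parse_listing(text: str) -> List[Entry]:
    """Parse listing lines; headers, blanks and directives are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LISTING_LINE.match(line)
        if m is None:
            continue
        size = int(m["size"].replace(",", ""))
        entries.append(Entry(m["attrs"], size, m["path"], line))
    return entries


def is_spaced_name(path: str) -> bool:
    """True when the file name looks like 'name .ext'."""
    name = path.rpartition("\\")[2]
    return SPACED_EXTENSION.match(name) is not None


def restored_name(path: str) -> str:
    """The name the file presumably had before the space was inserted."""
    folder, sep, name = path.rpartition("\\")
    m = SPACED_EXTENSION.match(name)
    if m is None:
        return path
    return f"{folder}{sep}{m['base']}.{m['ext']}"


def find_renamed(entries: List[Entry]) -> List[Entry]:
    """Entries whose file name carries the space-before-extension pattern."""
    return [e for e in entries if is_spaced_name(e.path)]


def rename_report(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(current path, restored path) for every flagged entry."""
    return [(e.path, restored_name(e.path)) for e in find_renamed(entries)]


def build_renv_section(entries: List[Entry]) -> str:
    """RenV:: directive followed by the flagged lines, exact duplicates dropped."""
    lines = ["RenV::"]
    seen = set()
    for e in find_renamed(entries):
        if e.raw in seen:
            continue
        seen.add(e.raw)
        lines.append(e.raw)
    return "\n".join(lines)


# Constructed sample: four lines copied from the thread's RenV:: block
# plus one clean ctfmon.exe line that must not be flagged.
SAMPLE_LISTING = r"""
RenV::
----a-w 53,248 2008-03-03 19:19:16 C:\hp\bin\AUTOTKIT .EXE
----a-w 67,112 2008-03-07 21:01:34 C:\Program Files\AIM\aim .exe
----a-w 77,824 2008-03-01 20:20:20 C:\Program Files\QuickTime\qttask .exe
----a-w 77,824 2008-03-03 19:49:31 C:\Program Files\QuickTime\qttask .exe
----a-w 15,360 2008-03-07 21:00:55 C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for current, fixed in rename_report(parsed):
        print(f"{current}  ->  {fixed}")
    print(build_renv_section(parsed))
```

The script only reports and builds the directive block; the actual renaming is still done by the tool after a human has checked the list.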

Response Number 4
Name: caleene
Date: March 11, 2008 at 10:13:09 Pacific
Subject: Pos Tmp files and Red X on Drive
Reply:
Jabuck, This may sound stupid but I scrolled down to find "Domain Service" and could not find it. I don't want to click on the wrong item and mess things up even worse.
Also, "File" is not at the top below the X's, "Ren V" is.
Sorry


Response Number 5
Name: caleene
Date: March 11, 2008 at 11:03:34 Pacific
Subject: Pos Tmp files and Red X on Drive
Reply:
Think I finally got it:

ComboFix 08-03-07.3 - Owner 2008-03-11 10:43:08.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.158 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\temp\setupxv.exe
C:\WINDOWS\system32\fxipvpfx.ini
C:\WINDOWS\system32\kpgntccu.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\err.log
C:\temp\setupxv.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\aguwhanh.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\fxipvpfx.ini
C:\WINDOWS\system32\jhxviwdq.exe
C:\WINDOWS\system32\kpgntccu.ini
C:\WINDOWS\system32\okphmmmg.exe
C:\WINDOWS\system32\rbbrsmgd.exe
C:\WINDOWS\system32\roryragi.exe
C:\WINDOWS\system32\thpnsqua.exe
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data.\chwlyhqz.dll
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Documents and Settings\Owner\Application Data\DriveCleaner Freeware
C:\Documents and Settings\Owner\Application Data\DriveCleaner Freeware\Logs\update.log
C:\Documents and Settings\Owner\Application Data\SCURIT~1
C:\hp\bin\AUTOTKIT.EXE
C:\hp\KBD\KBD.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ErrorSmart\ErrorSmart.exe
C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TANGOM~1.EXE
C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoManager.exe
C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SymNetDrv\SNDMon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\temp\tn3
C:\WINDOWS\BM9f475508.xml
C:\WINDOWS\IA
C:\WINDOWS\mgrs.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\SMINST\RECGUARD.EXE
C:\WINDOWS\system32\ahssrtol.dll
C:\WINDOWS\system32\avamlnib.dll
C:\WINDOWS\system32\binlmava.ini
C:\WINDOWS\system32\bmfqhdec.dll
C:\WINDOWS\system32\bunprjjk.dll
C:\WINDOWS\system32\cafjkwmm.ini
C:\WINDOWS\system32\cedhqfmb.ini
C:\WINDOWS\system32\cekxfngn.dll
C:\WINDOWS\system32\ckqwijte.ini
C:\WINDOWS\system32\cohildqe.ini
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\cvvhtagu.dll
C:\WINDOWS\system32\diqneyjn.dll
C:\WINDOWS\system32\dmcynxkm.dll
C:\WINDOWS\system32\dnanqkcd.dll
C:\WINDOWS\system32\drivers\dmloadd.sys
C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\edeeg.ini2
C:\WINDOWS\system32\eicndqjg.dll
C:\WINDOWS\system32\ewvketbq.dll
C:\WINDOWS\system32\eykmrgpe.dll
C:\WINDOWS\system32\fbdstgpr.dll
C:\WINDOWS\system32\fccyxwv.dll
C:\WINDOWS\system32\fnxnhvvo.dll
C:\WINDOWS\system32\fsrkriyn.dll
C:\WINDOWS\system32\gbdbpbma.ini
C:\WINDOWS\system32\gdjndhiv.ini
C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\geede.exe
C:\WINDOWS\system32\ggjjnsfs.dll
C:\WINDOWS\system32\glbxxuhf.dll
C:\WINDOWS\system32\gxdknrdi.ini
C:\WINDOWS\system32\hgclnhnf.dll
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hkuevujf.dll
C:\WINDOWS\system32\hlhgvlhd.dll
C:\WINDOWS\system32\hnjxltfv.dll
C:\WINDOWS\system32\hoigpgtq.ini
C:\WINDOWS\system32\horvjhtu.ini
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\hpomdlgl.dll
C:\WINDOWS\system32\idcksdjg.dll
C:\WINDOWS\system32\idrnkdxg.dll
C:\WINDOWS\system32\ifsrjebw.dll
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\ikwtwtqv.ini
C:\WINDOWS\system32\inqfggwq.dll
C:\WINDOWS\system32\instsrv.exe
C:\WINDOWS\system32\ixelctud.ini
C:\WINDOWS\system32\jcwuigjd.ini
C:\WINDOWS\system32\jtkssgkh.ini
C:\WINDOWS\system32\kdowrkkv.dll
C:\WINDOWS\system32\kfmapsgk.ini
C:\WINDOWS\system32\khfefdc.dll
C:\WINDOWS\system32\kmcjkodr.dll
C:\WINDOWS\system32\ksjcqoqu.dll
C:\WINDOWS\system32\ktwdkivu.dll
C:\WINDOWS\system32\ldpixxca.dll
C:\WINDOWS\system32\lvodfetn.ini
C:\WINDOWS\system32\mmwkjfac.dll
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
C:\WINDOWS\system32\npkevkuk.dll
C:\WINDOWS\system32\ntefdovl.dll
C:\WINDOWS\system32\nvkgqrxs.ini
C:\WINDOWS\system32\nwqlmesx.dll
C:\WINDOWS\system32\odumfirp.dll
C:\WINDOWS\system32\ogkfmvkf.dll
C:\WINDOWS\system32\ohkwlbuf.dll
C:\WINDOWS\system32\opnnnnk.dll
C:\WINDOWS\system32\oqcttwjj.ini
C:\WINDOWS\system32\orexreet.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pnteascw.dll
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\pvhqhqbt.dll
C:\WINDOWS\system32\qbtekvwe.ini
C:\WINDOWS\system32\qisjebff.dll
C:\WINDOWS\system32\qqfoqoks.ini
C:\WINDOWS\system32\qvocrwnk.dll
C:\WINDOWS\system32\rdokjcmk.ini
C:\WINDOWS\system32\rtodtowv.dll
C:\WINDOWS\system32\rxrdpivw.dll
C:\WINDOWS\system32\scnrnvco.ini
C:\WINDOWS\system32\sxrqgkvn.dll
C:\WINDOWS\system32\t8
C:\WINDOWS\system32\ttalefvj.dll
C:\WINDOWS\system32\uhjjcboc.dll
C:\WINDOWS\system32\ustwfybv.ini
C:\WINDOWS\system32\uvikdwtk.ini
C:\WINDOWS\system32\vbyfwtsu.dll
C:\WINDOWS\system32\vjedecyc.dll
C:\WINDOWS\system32\vmjlhshf.dll
C:\WINDOWS\system32\vobimjtk.dll
C:\WINDOWS\system32\vocskaip.dll
C:\WINDOWS\system32\vtadkihk.dll
C:\WINDOWS\system32\vwotdotr.ini
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\wowfx.dll
C:\WINDOWS\system32\wwwcvfbm.ini
C:\WINDOWS\system32\xgongyit.ini
C:\WINDOWS\system32\xilwihon.dll
C:\WINDOWS\system32\ycgxfaqx.dll
C:\WINDOWS\system32\z4
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_DMLOADD
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\dmloadd
-------\DomainService


((((((((((((((((((((((((( Files Created from 2008-02-11 to 2008-03-11 )))))))))))))))))))))))))))))))
.

2008-03-07 14:13 . 2008-03-07 14:40 <DIR> d-------- C:\ComboFix[1]
2008-03-07 12:30 . 2008-03-07 13:48 <DIR> d-------- C:\VundoFix Backups
2008-03-03 12:18 . 2008-03-03 12:49 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-03-02 14:55 . 2008-03-02 14:55 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-02 14:09 . 2008-03-02 14:09 158,208 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
2008-02-29 14:14 . 2008-03-07 04:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ErrorSmart
2008-02-29 14:12 . 2008-03-11 10:42 <DIR> d-------- C:\Program Files\ErrorSmart
2008-02-15 14:54 . 2008-02-15 15:00 <DIR> d-------- C:\Program Files\Windows Live Safety Center

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-11 17:42 --------- d-----w C:\Program Files\Windows Defender
2008-03-11 17:42 --------- d-----w C:\Program Files\SymNetDrv
2008-03-11 17:42 --------- d-----w C:\Program Files\Multimedia Card Reader
2008-03-11 17:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-11 17:42 --------- d-----w C:\Program Files\AIM
2008-03-07 21:27 --------- d-----w C:\Program Files\QuickTime
2008-03-03 20:54 --------- d-----w C:\Program Files\Viewpoint
2008-02-08 22:32 --------- d-----w C:\Program Files\Norton AntiVirus
2008-01-19 19:47 --------- d-----w C:\Program Files\AutoUpdate
2008-01-17 19:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\Anti-Virus-Pro.com
2008-01-14 21:54 --------- d-----w C:\Program Files\Symantec
2008-01-13 20:55 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Viewpoint
2007-07-28 09:06 135 ----a-w C:\Program Files\page.html
2006-12-03 01:05 2,522 ----a-w C:\Program Files\func.js
2006-11-25 07:57 482 ----a-w C:\Program Files\Del.js
2004-10-01 22:54 227,190,984 -c--a-w C:\Program Files\OfficeSTD.exe
.
[code]


----a-w 77,824 2008-03-01 20:20:20 C:\Program Files\QuickTime\qttask .exe
----a-w 77,824 2008-03-03 19:49:31 C:\Program Files\QuickTime\qttask .exe
[/code]


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2008-03-07 14:01 67112]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2008-03-07 14:01 483328]
"TangoManager"="C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE" [2008-03-07 14:02 2170880]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2002-02-15 11:51 24638 C:\WINDOWS\system32\PCANotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp officejet 4100 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp officejet 4100 series.lnk
backup=C:\WINDOWS\pss\hp officejet 4100 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a--c--- 2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
--a------ 2008-03-03 12:19 53248 C:\hp\bin\AUTOTKIT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoUpdater]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
--a------ 2008-03-03 12:19 24576 c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a------ 2008-03-03 12:19 90112 c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-03-03 12:19 71280 c:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CQAv]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Egqru]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorSmart]
--a------ 2008-03-03 12:23 18244856 C:\Program Files\ErrorSmart\ErrorSmart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2008-03-03 12:49 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2008-03-03 12:49 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
--a--c--- 2003-07-14 17:52 40960 C:\WINDOWS\ltmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2008-03-03 12:49 53248 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a------ 2003-08-19 02:56 852038 C:\WINDOWS\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2008-03-03 12:49 81920 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-03 12:49 77824 C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2008-03-03 12:49 212992 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\salm]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
--a------ 2008-03-03 12:49 139264 C:\Program Files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2008-03-03 12:49 95960 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-03 12:49 185784 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2008-03-03 12:49 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²#  Lh'þ9Óœð3rÅWC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²#  Lh'þ9Óœð3rÅWC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²#  Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²#  Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
R3 ENDETECT;ENDETECT;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\ENDETECT.SYS [2003-08-05 13:56]
R3 L2XPSR;L2XPSR;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\L2XPSR.SYS [2003-08-05 13:54]
R3 lne100v5;Linksys LNE100TX(v5) Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\lne100v5.sys [2001-04-01 12:01]
R3 NTSTPL4;NTSTPL4;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL4.SYS [2003-08-05 13:56]
R3 TAPBIND;TAPBIND;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TAPBIND1.SYS [2003-08-05 13:56]
S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys [2003-07-30 02:15]
S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys [2003-07-30 02:15]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 22:59]
S3 NTSTPL1;NTSTPL1;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL1.SYS [2003-08-05 13:56]
S3 NTSTPL2;NTSTPL2;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL2.SYS [2003-08-05 13:56]
S3 NTSTPL3;NTSTPL3;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL3.SYS [2003-08-05 13:56]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-11 10:30:00 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart .ex
- C:\Program Files\ErrorSmart
"2004-08-02 17:58:23 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 4100 series#1083520646.job"
- C:\Program Files\HP\Digital Imaging\Bin\hpqfrucl.exe:-I
"2008-03-10 19:46:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 4100 series#1083786321.job"
- C:\Program Files\HP\Digital Imaging\Bin\hpqfrucl.exe:-I
"2008-03-11 17:50:41 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-03-11 16:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Owner.job"
- c:\PROGRA~1\NORTON~1\NAVW32.EXEh/task:
"2008-03-08 04:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- c:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2008-03-11 17:43:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-11 10:48:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TangoManager.exe
.
**************************************************************************
.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:31 AM, on 3/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TangoManager.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://frontier.myway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/re...
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7045 bytes

Completion time: 2008-03-11 10:52:42 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-03-11 17:52:36
.
2008-03-07 19:14:15 --- E O F ---




Response Number 6
Name: jabuck
Date: March 11, 2008 at 17:31:41 Pacific
Subject: Pos Tmp files and Red X on Drive
Reply:
Run Hijack This> click the "open misc. tools section" button> click the "open uninstall manager" button> click "save list..."> click save> post the list that is produced.


Response Number 7
Name: caleene
Date: March 11, 2008 at 20:40:54 Pacific
Subject: Pos Tmp files and Red X on Drive
Reply:
Adobe Flash Player ActiveX
Adobe Reader 7.0
AIM Toolbar
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Instant Messenger
ArcSoft ShowBiz 2
CC_ccStart
ccCommon
ErrorSmart
FrontierNet DSL Attendant
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
hp deskjet 5600
HP Deskjet Preloaded Printer Drivers
HP Instant Support
hp officejet 4100 series
hp officejet 4100 series
HP Organize
HP Photo & Imaging 3.1
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp officejet 4100 series
HP Photo and Imaging 2.0 - Photosmart Cameras
HP Software Update
HPIZ311
Intel(R) Extreme Graphics Driver
InterVideo WinDVD Player
Java 2 Runtime Environment, SE v1.4.2
KBD
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Disc 2
Microsoft Office Professional Edition 2003
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition
Microsoft Works 7.0
MSRedist
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Multimedia Card Reader
MUSICMATCH® Jukebox
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
Norton WMI Update
NVIDIA GART Driver
PC-Doctor for Windows
PENTAX USB DISK Device
Photosmart 140,240,7200,7600,7700,7900 Series
Polar Bowler from Hewlett-Packard Desktops (remove only)
Polaroid PDC 640 Camera Driver 1.0.0.1.2E
PS2
Quicken 2004
QuickTime
RealPlayer
RecordNow!
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB911280)
Sonic Update Manager
Symantec pcAnywhere
SymNet
toolkit
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Updates from HP
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Viewpoint Toolbar (Remove Only)
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB885250
Windows XP Service Pack 2



Response Number 8
Name: jabuck
Date: March 12, 2008 at 15:34:38 Pacific
Subject: Pos Tmp files and Red X on Drive
Reply:
Your Java is out of date and can be exploited.
Download the latest version of Java from this link: Java
Click on the JDK 6 Update 5 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jdk-6u5-windows-i586-p.exe to install the newest version.

Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...

Go to start> control panel> add/remove programs and uninstall "QuickTime"; it is corrupt.

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\Documents and Settings\Owner\Application Data\Anti-Virus-Pro.com
C:\Program Files\ISTsvc\istsvc.exe

Folder::
C:\VundoFix Backups
C:\Program Files\ISTsvc

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoUpdater]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CQAv]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Egqru]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\salm]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Lh'þ9Óœð3rÅWC:]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Lh'þ9Óœð3rÅWC:\Program Files]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto-start, click "run".

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Download CCleaner from the following link:

http://filehippo.com/download_ccleaner/

After you download it to your desktop and begin installing it, only allow the "install icon on desktop" option to install. Then run it, using it only as suggested; it's powerful, so use only the prechecked items.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

Post a new Combofix log.
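The reply above hand-picks HijackThis entries to "fix checked": an orphaned toolbar whose file is gone, browser search/context-menu entries pointing at third-party hosts, and so on. As an added illustration of how that triage can be done mechanically (this is example code written for this page, not the thread's instructions and not part of HijackThis or ComboFix), the script below parses HijackThis-style R/O lines copied from the logs in this thread and applies three conservative review rules: a component registered with "(no file)", a browser entry whose URL host is not on an assumed trusted-host list (the list and the rules are this example's assumptions, and a flag means "review", not "malicious"), and an O23 service reported with "Unknown owner".

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: HijackThis lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# Assumed allowlist of hosts the analyst accepts for browser start/search pages.
# Anything else is flagged for review, not declared malicious.
TRUSTED_URL_HOSTS = {"go.microsoft.com"}

# "O23 - Service: ..." -> section "O23", body "Service: ..."
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://(?P<host>[^/\s]+)")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    section: str            # HijackThis section tag, e.g. "O4"
    body: str               # everything after "O4 - "
    clsid: Optional[str]    # GUID for BHO/toolbar/button entries, if present
    raw: str


@dataclass
class Finding:
    section: str
    reason: str
    raw: str


def parse_log(text: str) -> list:
    """Extract R*/O* entries, skipping banners, headers and blank lines."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if not m:
            continue
        clsid = CLSID_RE.search(m["body"])
        entries.append(Entry(m["section"], m["body"], clsid.group(0) if clsid else None, raw))
    return entries


def triage(text: str) -> list:
    """Apply the review rules and return one Finding per matched rule."""
    findings = []
    for e in parse_log(text):
        # Rule 1: registered component whose backing file no longer exists.
        if e.body.endswith("(no file)"):
            findings.append(Finding(e.section, "orphaned entry: file is missing", e.raw))
        # Rule 2: browser start/search (R*) or context-menu (O8) entry pointing off-allowlist.
        url = URL_RE.search(e.body)
        if url and e.section.startswith(("R", "O8")) and url["host"].lower() not in TRUSTED_URL_HOSTS:
            findings.append(Finding(e.section, f"browser entry points at untrusted host {url['host']}", e.raw))
        # Rule 3: service with no publisher information.
        if e.section == "O23" and "Unknown owner" in e.body:
            findings.append(Finding(e.section, "service with no publisher information", e.raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.raw}")
```

Run against the sample, the script flags the hpwis search bar (off-allowlist host), the nameless toolbar with "(no file)", the mywebsearch context-menu item and the TangoService entry, and leaves the Norton, ctfmon and dumprep lines alone; the remaining judgement, as in the thread, stays with the person reading the log.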



Response Number 9
Name: caleene
Date: March 13, 2008 at 14:42:17 Pacific
Subject: Pos Tmp files and Red X on Drive
Reply:
ComboFix 08-03-07.3 - Owner 2008-03-13 14:33:58.4 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((( Files Created from 2008-02-13 to 2008-03-13 )))))))))))))))))))))))))))))))
.

2008-03-13 10:57 . 2008-03-13 10:57 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-13 10:57 . 2008-03-13 10:57 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-13 10:57 . 2008-03-13 10:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-13 10:54 . 2008-03-13 10:54 <DIR> d-------- C:\Program Files\Yahoo!
2008-03-13 10:52 . 2008-03-13 10:52 <DIR> d-------- C:\Program Files\CCleaner
2008-03-13 10:22 . 2008-03-13 10:22 <DIR> d-------- C:\Program Files\Sun
2008-03-13 10:22 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-13 10:18 . 2008-03-13 10:18 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-11 11:49 . 2008-03-13 11:16 41,012 --a------ C:\VETlog.dmp
2008-03-07 14:13 . 2008-03-07 14:40 <DIR> d-------- C:\ComboFix[1]
2008-03-03 12:18 . 2008-03-03 12:49 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-03-02 14:55 . 2008-03-02 14:55 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-02 14:09 . 2008-03-02 14:09 158,208 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
2008-02-29 14:14 . 2008-03-07 04:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ErrorSmart
2008-02-29 14:12 . 2008-03-11 10:42 <DIR> d-------- C:\Program Files\ErrorSmart
2008-02-15 14:54 . 2008-02-15 15:00 <DIR> d-------- C:\Program Files\Windows Live Safety Center

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-13 17:31 --------- d-----w C:\Program Files\QuickTime
2008-03-13 17:22 --------- d-----w C:\Program Files\Java
2008-03-11 17:42 --------- d-----w C:\Program Files\Windows Defender
2008-03-11 17:42 --------- d-----w C:\Program Files\SymNetDrv
2008-03-11 17:42 --------- d-----w C:\Program Files\Multimedia Card Reader
2008-03-11 17:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-11 17:42 --------- d-----w C:\Program Files\AIM
2008-03-07 21:01 483,328 ----a-w C:\WINDOWS\system32\hphmon05.exe
2008-03-03 20:54 --------- d-----w C:\Program Files\Viewpoint
2008-03-03 19:49 81,920 ----a-w C:\WINDOWS\system32\ps2.exe
2008-03-03 19:18 118,784 ----a-w C:\WINDOWS\system32\hkcmd.exe
2008-03-02 21:09 158,208 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
2008-03-02 21:07 498,688 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe.tmp
2008-02-08 22:32 --------- d-----w C:\Program Files\Norton AntiVirus
2008-02-04 18:53 93,248 ----a-w C:\WINDOWS\system32\qivatypw.dll
2008-02-02 19:03 96,832 ----a-w C:\WINDOWS\system32\rulyvyys.dll
2008-02-01 19:02 92,224 ----a-w C:\WINDOWS\system32\ambpbdbg.dll
2008-01-29 10:25 69,696 ----a-w C:\WINDOWS\system32\etyorkmm.dll
2008-01-19 19:47 --------- d-----w C:\Program Files\AutoUpdate
2008-01-17 19:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\Anti-Virus-Pro.com
2008-01-14 21:54 --------- d-----w C:\Program Files\Symantec
2008-01-13 20:55 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Viewpoint
2007-07-28 09:06 135 ----a-w C:\Program Files\page.html
2006-12-03 01:05 2,522 ----a-w C:\Program Files\func.js
2006-11-25 07:57 482 ----a-w C:\Program Files\Del.js
2004-10-01 22:54 227,190,984 -c--a-w C:\Program Files\OfficeSTD.exe
.
[code]


----a-w 77,824 2008-03-01 20:20:20 C:\Program Files\QuickTime\qttask .exe
----a-w 77,824 2008-03-03 19:49:31 C:\Program Files\QuickTime\qttask .exe
[/code]


((((((((((((((((((((((((((((( snapshot@2008-03-11_10.52.11.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2003-10-11 03:09:08 24,670 -c--a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 08:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2003-10-11 03:09:08 28,768 -c--a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 08:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 09:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2005-05-24 19:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 22:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 22:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-11-30 21:59:46 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-11 17:50:29 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-30 21:59:46 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-11 17:50:29 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2008-03-07 14:01 67112]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2008-03-07 14:01 483328]
"TangoManager"="C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE" [2008-03-07 14:02 2170880]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2002-02-15 11:51 24638 C:\WINDOWS\system32\PCANotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp officejet 4100 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp officejet 4100 series.lnk
backup=C:\WINDOWS\pss\hp officejet 4100 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
--a------ 2008-03-03 12:19 53248 C:\hp\bin\AUTOTKIT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
--a------ 2008-03-03 12:19 24576 c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a------ 2008-03-03 12:19 90112 c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-03-03 12:19 71280 c:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorSmart]
--a------ 2008-03-03 12:23 18244856 C:\Program Files\ErrorSmart\ErrorSmart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2008-03-03 12:49 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2008-03-03 12:49 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
--a--c--- 2003-07-14 17:52 40960 C:\WINDOWS\ltmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2008-03-03 12:49 53248 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a------ 2003-08-19 02:56 852038 C:\WINDOWS\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2008-03-03 12:49 81920 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-03 12:49 77824 C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2008-03-03 12:49 212992 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
--a------ 2008-03-03 12:49 139264 C:\Program Files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2008-03-03 12:49 95960 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-03 12:49 185784 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2008-03-03 12:49 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²#  Lh'þ9Óœð3rÅWC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²#  Lh'þ9Óœð3rÅWC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²#  Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²#  Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
R3 ENDETECT;ENDETECT;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\ENDETECT.SYS [2003-08-05 13:56]
R3 L2XPSR;L2XPSR;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\L2XPSR.SYS [2003-08-05 13:54]
R3 lne100v5;Linksys LNE100TX(v5) Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\lne100v5.sys [2001-04-01 12:01]
R3 NTSTPL4;NTSTPL4;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL4.SYS [2003-08-05 13:56]
R3 TAPBIND;TAPBIND;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TAPBIND1.SYS [2003-08-05 13:56]
S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys [2003-07-30 02:15]
S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys [2003-07-30 02:15]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 22:59]
S3 NTSTPL1;NTSTPL1;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL1.SYS [2003-08-05 13:56]
S3 NTSTPL2;NTSTPL2;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL2.SYS [2003-08-05 13:56]
S3 NTSTPL3;NTSTPL3;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL3.SYS [2003-08-05 13:56]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-11 10:30:00 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart .ex
- C:\Program Files\ErrorSmart
"2004-08-02 17:58:23 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 4100 series#1083520646.job"
- C:\Program Files\HP\Digital Imaging\Bin\hpqfrucl.exe:-I
"2008-03-10 19:46:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 4100 series#1083786321.job"
- C:\Program Files\HP\Digital Imaging\Bin\hpqfrucl.exe:-I
"2008-03-13 17:17:52 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-03-11 16:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Owner.job"
- c:\PROGRA~1\NORTON~1\NAVW32.EXEh/task:
"2008-03-08 04:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- c:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2008-03-11 17:43:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-13 14:38:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-13 14:39:32
ComboFix-quarantined-files.txt 2008-03-13 21:39:16
ComboFix2.txt 2008-03-13 17:41:40
ComboFix3.txt 2008-03-11 17:52:43
.
2008-03-07 19:14:15 --- E O F ---

---------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, March 13, 2008 2:32:44 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 13/03/2008
Kaspersky Anti-Virus database records: 627867
---------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
K:\
L:\
M:\
N:\

Scan Statistics:
Total number of scanned objects: 87362
Number of viruses found: 21
Number of infected objects: 144
Number of suspicious objects: 0
Duration of the scan process: 02:38:17

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-01182008-111254.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-03-13_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Aim\gpdetnbw\RIOCREW\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Aim\gpdetnbw\RIOCREW\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-16c26e6c-1f55cf47.zip/MagicApplet.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-16c26e6c-1f55cf47.zip/Installer.class Infected: Trojan-Downloader.Java.Agent.a skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-16c26e6c-1f55cf47.zip ZIP: infected - 2 skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008031320080314\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\228F3BC6.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\228F3BC6.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\228F3BC6.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton AntiVirus\Quarantine\228F3BC6.zip ZIP: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\228F3BC6.zip CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\34AE5999 Infected: Trojan.Win32.Small.cy skipped
C:\Program Files\Norton AntiVirus\Quarantine\35D85BF5 Infected: Trojan.Win32.Small.cy skipped
C:\Program Files\page.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\Program Files\Windows Media Player\profsy.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\chwlyhqz.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.wk skipped
C:\QooBox\Quarantine\C\hp\bin\AUTOTKIT.EXE.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\hp\KBD\KBD.EXE.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\AIM\aim.exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Real\Update_OB\realsched.exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Sonic\Update Manager\sgtray.exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Symantec Shared\ccApp.exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\ErrorSmart\ErrorSmart.exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TANGOM~1.EXE.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\HP\Digital Imaging\bin\backupnotify.exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\Messenger\msmsgs.exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\Multimedia Card Reader\shwicon2k.exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask.exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\SymNetDrv\SNDMon.exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\Program Files\Windows Defender\MSASCui.exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\VundoFix Backups\cdcxufrk.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\VundoFix Backups\khfefdc.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\VundoFix Backups\ujrisxoc.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quara