
Running slow and red X on h.d.

Original Message
Name: Splatter
Date: February 23, 2008 at 08:42:10 Pacific
Subject: Running slow and red X on h.d.
OS: Xp Pro sp2
CPU/Ram: 64x2 5600+ 2.8GHz, 2gb pa
Comment:
Working on my sister's computer, I noticed the h.d. icon was replaced with a big red X, and lots of pos.tmp files were found. Was wondering if you could help me fix it?





Response Number 1
Name: jabuck
Date: February 23, 2008 at 08:44:59 Pacific
Subject: Running slow and red X on h.d.
Reply:
Go to this link:

Disable Realtime Protection

Follow their directions to disable any realtime protection that you have as it will interfere with the fix by reinstalling the corrupt files.

Please download Atribune's VundoFix.exe from the following site to your desktop:

Vundofix.exe

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files; click "yes".

Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will reboot your computer; click "ok".

Please download and install the latest version of HijackThis v2.0.2:

Download the "HijackThis" installer from this link:
Hijack This

1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file, and the log will open in Notepad.
7. Click on "Edit > Select All", then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.



Response Number 2
Name: Splatter
Date: February 23, 2008 at 09:31:06 Pacific
Subject: Running slow and red X on h.d.
Reply:
hijackthis-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:13 AM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HP_Owner\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL
O2 - BHO: {927d8aac-e766-159b-3324-3baa1cec6224} - {4226cec1-aab3-4233-b951-667ecaa8d729} - C:\WINDOWS\system32\ekwlklnx.dll (file missing)
O2 - BHO: (no name) - {51528F4D-F083-4D1A-8BB5-2A8ACE6E6B6C} - C:\WINDOWS\system32\mllmn.dll (file missing)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {E180F496-8A4B-44E2-9FE0-0364E345DB7F} - C:\WINDOWS\system32\fccaabc.dll (file missing)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SM_IAN] C:\Program Files\AdvancedCleaner Free\ian_monitor.exe
O4 - HKLM\..\Run: [74d31d7c] rundll32.exe "C:\WINDOWS\system32\wgkgqnuo.dll",b
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolba...
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySp...
O20 - Winlogon Notify: fccaabc - C:\WINDOWS\
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Software Jukebox v2.0 Service - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Service\Software Jukebox v2.0 File.exe

--
End of file - 6254 bytes



Response Number 3
Name: Splatter
Date: February 23, 2008 at 09:32:12 Pacific
Subject: Running slow and red X on h.d.
Reply:
ComboFix-

ComboFix 08-02-23.2 - HP_Owner 2008-02-23 11:14:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.109 [GMT -6:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2006
C:\Documents and Settings\HP_Owner\Application Data\WinAntiVirus Pro 2006
C:\Documents and Settings\HP_Owner\Application Data\WinAntiVirus Pro 2006\Logs\update.log
C:\Documents and Settings\HP_Owner\Application Data\WinAntiVirus Pro 2006\Logs\wa6Support.log
C:\Documents and Settings\HP_Owner\Application Data\WinAntiVirus Pro 2006\Logs\winav.log
C:\Documents and Settings\HP_Owner\Application Data\WinAntiVirus Pro 2006\PGE.dat
C:\Documents and Settings\HP_Owner\err.log
C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\companion wizard\compwiz.exe
C:\Program Files\Common Files\companion wizard\log.txt
C:\Program Files\Common Files\companion wizard\WapCHK.dll
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\ScreenSaver\Images\15AC63A2.urr
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\2.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\2.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
C:\Program Files\MyWebSearch\bar\2.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\2.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\3.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\3.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\3.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\3.bin\F3HISTSW.DLL
C:\Program Files\MyWebSearch\bar\3.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\3.bin\F3HTTPCT.DLL
C:\Program Files\MyWebSearch\bar\3.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\3.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\3.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\3.bin\F3RESTUB.DLL
C:\Program Files\MyWebSearch\bar\3.bin\F3SCHMON.EXE
C:\Program Files\MyWebSearch\bar\3.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\3.bin\F3SHLLVW.DLL
C:\Program Files\MyWebSearch\bar\3.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\3.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\3.bin\F3WPHOOK.DLL
C:\Program Files\MyWebSearch\bar\3.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\3.bin\M3FFXTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\3.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\3.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\3.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\3.bin\M3OUTLCN.DLL
C:\Program Files\MyWebSearch\bar\3.bin\M3PLUGIN.DLL
C:\Program Files\MyWebSearch\bar\3.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\3.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
C:\Program Files\MyWebSearch\bar\3.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\3.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\3.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\Cache\00071A0D
C:\Program Files\MyWebSearch\bar\Cache\010EFD69
C:\Program Files\MyWebSearch\bar\Cache\0155EDDF.bin
C:\Program Files\MyWebSearch\bar\Cache\017986CA
C:\Program Files\MyWebSearch\bar\Cache\01AEF08E
C:\Program Files\MyWebSearch\bar\Cache\034DAD2A.bin
C:\Program Files\MyWebSearch\bar\Cache\034DB23A.bin
C:\Program Files\MyWebSearch\bar\Cache\034DBAE5.bin
C:\Program Files\MyWebSearch\bar\Cache\034DC229.bin
C:\Program Files\MyWebSearch\bar\Cache\04991C83.bin
C:\Program Files\MyWebSearch\bar\Cache\0499258C.bin
C:\Program Files\MyWebSearch\bar\Cache\05779C2B.bin
C:\Program Files\MyWebSearch\bar\Cache\06B548E0.bin
C:\Program Files\MyWebSearch\bar\Cache\06B55024.bin
C:\Program Files\MyWebSearch\bar\Cache\0ABE0C54
C:\Program Files\MyWebSearch\bar\Cache\16EEEAC5.bin
C:\Program Files\MyWebSearch\bar\Cache\16EEF526.bin
C:\Program Files\MyWebSearch\bar\Cache\16EF0284.bin
C:\Program Files\MyWebSearch\bar\Cache\2CF2CB42
C:\Program Files\MyWebSearch\bar\Cache\4442655F
C:\Program Files\MyWebSearch\bar\Cache\511384C7
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\prevcfg.htm
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat.bak
C:\Program Files\MyWebSearch\bar\Settings\settings.htm
C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL
C:\Program Files\newdotnet
C:\Program Files\newdotnet\readme.html
C:\Program Files\newdotnet\uninstall.exe
C:\WA6P
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\afrhucgj.ini
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\fgetqoeb.ini
C:\WINDOWS\system32\gqkojcfs.ini
C:\WINDOWS\system32\ieixapqp.ini
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nmllm.ini
C:\WINDOWS\system32\nmllm.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qundhudb.ini
C:\WINDOWS\system32\sntsmacm.ini
C:\WINDOWS\system32\stera.job
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\vmrbkvat.ini
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FOPN
-------\LEGACY_NNSERV
-------\LEGACY_VSPF
-------\LEGACY_VSPF_HK
-------\FOPN
-------\vspf
-------\vspf_hk


((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
.

2008-02-23 10:51 . 2008-02-23 11:07 <DIR> d-------- C:\VundoFix Backups
2008-02-22 21:46 . 2008-02-22 21:46 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-02-22 21:46 . 2008-02-22 21:46 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-02-22 21:44 . 2008-02-22 21:44 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-22 21:44 . 2008-02-23 11:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-22 21:44 . 2008-02-23 11:19 3,607,328 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-22 21:44 . 2008-02-23 11:18 49,364 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-22 21:44 . 2008-02-23 11:19 6,176 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-22 21:44 . 2008-02-23 11:18 1,628 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-22 21:32 . 2008-02-22 21:32 <DIR> d-------- C:\kav
2008-02-21 15:32 . 2008-02-21 15:32 70,820 --a------ C:\WINDOWS\BM77e02ee0.xml
2008-02-21 15:32 . 2008-02-22 21:55 22 --a------ C:\WINDOWS\pskt.ini
2008-02-16 19:39 . 2008-02-23 11:19 181 --a------ C:\WINDOWS\system\hpsysdrv.DAT
2008-02-16 12:46 . 2008-02-16 12:46 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
2008-02-16 12:43 . 2008-02-16 12:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Symantec
2008-02-14 16:06 . 2008-02-16 11:00 <DIR> d-------- C:\Program Files\MalwareAlarm
2008-02-08 18:37 . 2008-02-08 18:37 219,664 --a------ C:\WINDOWS\system32\klogon.dll
2008-02-08 18:35 . 2008-02-08 18:35 23,604 --a------ C:\WINDOWS\system32\drivers\klopp.dat
2008-02-02 12:59 . 2008-02-02 12:59 16,384 --a------ C:\WINDOWS\~DF3457.tmp
2008-02-01 09:44 . 2008-02-01 09:44 0 --a------ C:\WINDOWS\iPlayer.INI
2008-02-01 09:43 . 2008-02-01 09:44 <DIR> d-------- C:\Program Files\InterActual

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-23 02:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-23 01:43 --------- d-----w C:\Program Files\Symantec
2008-02-21 22:07 --------- d-----w C:\Program Files\eGames
2008-02-21 21:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-21 21:59 --------- d-----w C:\Program Files\Common Files\NewSoft
2008-02-21 21:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-21 21:49 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Lavasoft
2008-02-16 21:07 --------- d-----w C:\Program Files\Common Files\Real
2008-02-14 22:25 --------- d-----w C:\Program Files\Selectsoft
2008-02-02 18:59 16,384 ----a-w C:\WINDOWS\~DF3457.tmp
2008-01-30 23:31 --------- d-----w C:\Program Files\MySpace
2008-01-06 22:00 --------- d-----w C:\Program Files\Insaniquarium Deluxe
2008-01-06 21:59 737,280 -c--a-w C:\WINDOWS\iun6002.exe
2007-03-26 20:42 24,192 -c--a-w C:\Documents and Settings\HP_Owner\usbsermptxp.sys
2007-03-26 20:42 22,768 -c--a-w C:\Documents and Settings\HP_Owner\usbsermpt.sys
2006-11-06 21:59 0 -c--a-w C:\Program Files\Common Files\err.log
2005-09-26 19:47 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4226cec1-aab3-4233-b951-667ecaa8d729}]
C:\WINDOWS\system32\ekwlklnx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51528F4D-F083-4D1A-8BB5-2A8ACE6E6B6C}]
C:\WINDOWS\system32\mllmn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04 52736]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 19:53 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 19:42 659456]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 21:43 233472]
"SiSPower"="SiSPower.dll" [2004-09-24 10:49 49152 C:\WINDOWS\system32\SiSPower.dll]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 18:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 17:57 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 14:41 196608]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 21:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-23 16:45 155648]
"SM_IAN"="C:\Program Files\AdvancedCleaner Free\ian_monitor.exe" [ ]
"74d31d7c"="C:\WINDOWS\system32\wgkgqnuo.dll" [ ]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 19:47 8720384]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 06:31:38 241664]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2004-10-21 20:25:38 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccaabc]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photags AutoDetect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Photags AutoDetect.lnk
backup=C:\WINDOWS\pss\Photags AutoDetect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=C:\WINDOWS\pss\SpySubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-12-16 12:57 94208 C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DC6_check]
C:\Program Files\Common Files\dc6_startupmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ERS_check]
C:\Program Files\Common Files\ers_startupmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-08-20 23:55 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-04-13 08:07 69632 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
--a------ 2004-10-14 22:54 253952 c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSGRAPH01]
c:\program files\common files\system\7mi3qd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-02-23 16:45 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smart Start UP]
C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-10-21 18:27 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire 4.2.6 Pro\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Documents and Settings\\HP_Owner\\My Documents\\iTunes.exe"=
"C:\\Program Files\\WinAntiVirus Pro 2006\\Updater.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S2 Ca536av;FashionCam Video Camera Device;C:\WINDOWS\system32\Drivers\Ca536av.sys [2003-09-05 12:47]
S3 USBCamera;FashionCam Digital Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 16:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 11:19:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-02-23 11:22:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-23 17:22:09
.
2008-02-15 09:02:00 --- E O F ---


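The HijackThis log in Response 2 and the ComboFix log in Response 3 carry the indicators the helper later puts into the CFScript: BHOs whose DLL is "(file missing)", a Winlogon Notify entry with no file name, a rundll32 Run entry loading a random-looking DLL from system32, a Run entry for an executable in the Windows root named like a Windows Update component, and .ini files in system32 whose names are a BHO's DLL name spelled backwards (nmllm.ini next to mllmn.dll, a pairing Vundo/Virtumonde variants were known for). The script below is an added example by the editor, not code from the thread and not part of HijackThis, ComboFix or VundoFix; the heuristics (`looks_random`, the Windows-root check, the reversed-name match) are the editor's assumptions, and the sample lines are excerpts copied from the two posted logs, with yiesrvc.dll, SiSPower, avp.exe and ctfmon.exe included so the heuristics can be seen to leave legitimate entries alone.

```python
"""Triage of HijackThis and ComboFix logs (editor's added example; the
heuristics are assumptions, not rules of either tool)."""
import os
import re

# Excerpts copied from the HijackThis log posted in Response 2.
HJT_SAMPLE = r"""
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {51528F4D-F083-4D1A-8BB5-2A8ACE6E6B6C} - C:\WINDOWS\system32\mllmn.dll (file missing)
O2 - BHO: {927d8aac-e766-159b-3324-3baa1cec6224} - {4226cec1-aab3-4233-b951-667ecaa8d729} - C:\WINDOWS\system32\ekwlklnx.dll (file missing)
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [74d31d7c] rundll32.exe "C:\WINDOWS\system32\wgkgqnuo.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O20 - Winlogon Notify: fccaabc - C:\WINDOWS\
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
"""

# Excerpts copied from the "Other Deletions" section of the ComboFix log in Response 3.
COMBOFIX_DELETIONS = r"""
C:\WINDOWS\system32\nmllm.ini
C:\WINDOWS\system32\nmllm.ini2
C:\WINDOWS\system32\afrhucgj.ini
C:\WINDOWS\system32\pac.txt
"""

FILE_MISSING = "(file missing)"
WINDIR_FILE = re.compile(r"^c:\\windows\\(?:system32\\)?[^\\]+$", re.I)
WINDIR_ROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.I)
RUN_ENTRY = re.compile(r"^(HK\w+)\\\.\.\\Run: \[(.*?)\]\s+(.*)$")
DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.I)
VOWELS = set("aeiouy")


def looks_random(stem):
    """Assumed heuristic: 5-8 lowercase letters with a run of 3+ consonants
    (wgkgqnuo, ekwlklnx, fccaabc, mllmn). Mixed case (SiSPower) or short
    names (avp) never match, so it is only applied to DLLs, never to .exe names."""
    if not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    run = longest = 0
    for ch in stem:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 3


def _stem(path):
    return os.path.splitext(os.path.basename(path.replace("\\", "/")))[0]


def triage_hjt(text):
    """Return [(line, target, [reasons])] for HJT lines that trip a heuristic."""
    findings = []
    for raw in text.splitlines():
        line, reasons, target = raw.strip(), [], None
        if line.startswith(("O2 - BHO:", "O20 - Winlogon Notify:")):
            head, _, path = line.rpartition(" - ")
            missing = path.endswith(FILE_MISSING)
            path = path[: -len(FILE_MISSING)].strip() if missing else path
            if missing:
                reasons.append("registered file is gone; only the registry entry remains")
            if line.startswith("O20") and path.endswith("\\"):
                target = head.split(": ", 1)[1]  # HJT printed a directory; the key name is the DLL name
                reasons.append("Winlogon Notify entry with no file name")
            else:
                target = path
            if looks_random(_stem(target)) and (line.startswith("O20") or WINDIR_FILE.match(target)):
                reasons.append("random-looking DLL name under the Windows directory")
        elif line.startswith("O4 - "):
            m = RUN_ENTRY.match(line[5:])
            if m:
                _hive, _name, cmd = m.groups()
                if "rundll32" in cmd.lower():
                    d = DLL_ARG.search(cmd)
                    target = (d.group(1) or d.group(2)) if d else cmd
                    if WINDIR_FILE.match(target) and looks_random(_stem(target)):
                        reasons.append("rundll32 loads a random-looking DLL from the Windows directory")
                else:
                    target = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
                    if WINDIR_ROOT_EXE.match(target):
                        reasons.append("executable in the Windows root, not system32 (OEM helpers live there too; verify)")
        if reasons:
            findings.append((line, target, reasons))
    return findings


def reversed_name_pairs(findings, deleted_paths):
    """Map a flagged DLL stem to deleted files whose stem is that name reversed
    (mllmn.dll <-> nmllm.ini / nmllm.ini2 in the logs above)."""
    stems = {_stem(t) for _, t, _ in findings if t}
    pairs = {}
    for path in filter(None, (p.strip() for p in deleted_paths.splitlines())):
        candidate = _stem(path)[::-1]
        if candidate in stems:
            pairs.setdefault(candidate, []).append(os.path.basename(path.replace("\\", "/")))
    return pairs


if __name__ == "__main__":
    hits = triage_hjt(HJT_SAMPLE)
    for _line, target, reasons in hits:
        print(target, "->", "; ".join(reasons))
    print(reversed_name_pairs(hits, COMBOFIX_DELETIONS))
```

Run as-is it flags exactly the five entries the helper scripted for removal (mllmn.dll, ekwlklnx.dll, wgkgqnuo.dll, xpupdate.exe and the fccaabc Notify entry) and pairs mllmn with nmllm.ini and nmllm.ini2, while the Yahoo BHO, the SiSPower rundll32 entry, Kaspersky and ctfmon.exe pass untouched. The random-name test is a triage aid only: it is deliberately restricted to DLLs under the Windows directory because many legitimate executables (ctfmon.exe among them) would otherwise trip it, and anything it flags still needs the file itself checked, as the helper did by sending BM77e02ee0.xml to VirusTotal.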

Response Number 4
Name: jabuck
Date: February 23, 2008 at 10:03:45 Pacific
Subject: Running slow and red X on h.d.
Reply:
Please go to Virus Total and upload the following file for analysis:

C:\WINDOWS\BM77e02ee0.xml

Post the results in your reply.

Go to start> control panel> add/remove programs> and uninstall this "rogue" program:

AdvancedCleaner Free

Open Notepad and copy/paste everything between the X's into it, and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\wgkgqnuo.dll
C:\WINDOWS\system32\mllmn.dll
C:\WINDOWS\system32\ekwlklnx.dll
C:\Program Files\AdvancedCleaner Free\ian_monitor.exe
C:\Windows\xpupdate.exe

Driver::
74d31d7c
fccaabc

Folder::
C:\Program Files\AdvancedCleaner Free

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4226cec1-aab3-4233-b951-667ecaa8d729}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51528F4D-F083-4D1A-8BB5-2A8ACE6E6B6C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"74d31d7c"=-
"SM_IAN"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccaabc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto-start, click "run".

Post a new Combofix log.



Response Number 5
Name: Splatter
Date: February 23, 2008 at 10:15:44 Pacific
Subject: Running slow and red X on h.d.
Reply:
For VirusTotal:

BM77e02ee0.xml received on 02.23.2008 19:06:47 (CET)

Antivirus Version Last Update Result
AhnLab-V3 2008.2.22.0 2008.02.22 -
AntiVir 7.6.0.67 2008.02.22 -
Authentium 4.93.8 2008.02.23 -
Avast 4.7.1098.0 2008.02.22 -
AVG 7.5.0.516 2008.02.22 -
BitDefender 7.2 2008.02.23 -
CAT-QuickHeal 9.50 2008.02.22 -
ClamAV 0.92.1 2008.02.23 -
DrWeb 4.44.0.09170 2008.02.23 -
eSafe 7.0.15.0 2008.02.21 -
eTrust-Vet 31.3.5557 2008.02.23 -
Ewido 4.0 2008.02.23 -
FileAdvisor 1 2008.02.23 -
Fortinet 3.14.0.0 2008.02.23 -
F-Prot 4.4.2.54 2008.02.22 -
F-Secure 6.70.13260.0 2008.02.22 -
Ikarus T3.1.1.20 2008.02.23 -
Kaspersky 7.0.0.125 2008.02.23 -
McAfee 5236 2008.02.22 -
Microsoft 1.3204 2008.02.23 -
NOD32v2 2898 2008.02.23 -
Norman 5.80.02 2008.02.22 -
Panda 9.0.0.4 2008.02.23 -
Prevx1 V2 2008.02.23 -
Rising 20.32.52.00 2008.02.23 -
Sophos 4.26.0 2008.02.23 -
Sunbelt 3.0.893.0 2008.02.23 -
Symantec 10 2008.02.23 -
TheHacker 6.2.9.228 2008.02.23 -
VBA32 3.12.6.1 2008.02.21 -
VirusBuster 4.3.26:9 2008.02.23 -
Webwasher-Gateway 6.6.2 2008.02.23 -

Additional information
File size: 70820 bytes
MD5: 5e4edc00a2c6557e72fc44dfaf3435af
SHA1: 8a41e165d163444912919e7e78a38369d57527d3
PEiD: -




Response Number 6
Name: Splatter
Date: February 23, 2008 at 10:24:19 Pacific
Subject: Running slow and red X on h.d.
Reply:
ComboFix-

ComboFix 08-02-23.2 - HP_Owner 2008-02-23 12:19:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.120 [GMT -6:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\AdvancedCleaner Free\ian_monitor.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ekwlklnx.dll
C:\WINDOWS\system32\mllmn.dll
C:\WINDOWS\system32\wgkgqnuo.dll
C:\Windows\xpupdate.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
.

2008-02-23 10:51 . 2008-02-23 11:07 <DIR> d-------- C:\VundoFix Backups
2008-02-22 21:46 . 2008-02-22 21:46 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-02-22 21:46 . 2008-02-22 21:46 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-02-22 21:44 . 2008-02-22 21:44 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-22 21:44 . 2008-02-23 11:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-22 21:44 . 2008-02-23 12:21 3,648,544 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-22 21:44 . 2008-02-23 11:25 49,508 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-22 21:44 . 2008-02-23 12:21 9,248 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-22 21:44 . 2008-02-23 11:25 1,748 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-22 21:32 . 2008-02-22 21:32 <DIR> d-------- C:\kav
2008-02-21 15:32 . 2008-02-21 15:32 70,820 --a------ C:\WINDOWS\BM77e02ee0.xml
2008-02-16 19:39 . 2008-02-23 11:26 181 --a------ C:\WINDOWS\system\hpsysdrv.DAT
2008-02-16 12:46 . 2008-02-16 12:46 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
2008-02-16 12:43 . 2008-02-16 12:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Symantec
2008-02-14 16:06 . 2008-02-16 11:00 <DIR> d-------- C:\Program Files\MalwareAlarm
2008-02-08 18:37 . 2008-02-08 18:37 219,664 --a------ C:\WINDOWS\system32\klogon.dll
2008-02-08 18:35 . 2008-02-08 18:35 23,604 --a------ C:\WINDOWS\system32\drivers\klopp.dat
2008-02-02 12:59 . 2008-02-02 12:59 16,384 --a------ C:\WINDOWS\~DF3457.tmp
2008-02-01 09:44 . 2008-02-01 09:44 0 --a------ C:\WINDOWS\iPlayer.INI
2008-02-01 09:43 . 2008-02-01 09:44 <DIR> d-------- C:\Program Files\InterActual

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-23 02:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-23 01:43 --------- d-----w C:\Program Files\Symantec
2008-02-21 22:07 --------- d-----w C:\Program Files\eGames
2008-02-21 21:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-21 21:59 --------- d-----w C:\Program Files\Common Files\NewSoft
2008-02-21 21:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-21 21:49 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Lavasoft
2008-02-16 21:07 --------- d-----w C:\Program Files\Common Files\Real
2008-02-14 22:25 --------- d-----w C:\Program Files\Selectsoft
2008-02-02 18:59 16,384 ----a-w C:\WINDOWS\~DF3457.tmp
2008-01-30 23:31 --------- d-----w C:\Program Files\MySpace
2008-01-06 22:00 --------- d-----w C:\Program Files\Insaniquarium Deluxe
2008-01-06 21:59 737,280 -c--a-w C:\WINDOWS\iun6002.exe
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
2007-03-26 20:42 24,192 -c--a-w C:\Documents and Settings\HP_Owner\usbsermptxp.sys
2007-03-26 20:42 22,768 -c--a-w C:\Documents and Settings\HP_Owner\usbsermpt.sys
2006-11-06 21:59 0 -c--a-w C:\Program Files\Common Files\err.log
2005-09-26 19:47 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04 52736]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 19:53 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 19:42 659456]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 21:43 233472]
"SiSPower"="SiSPower.dll" [2004-09-24 10:49 49152 C:\WINDOWS\system32\SiSPower.dll]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 18:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 17:57 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 14:41 196608]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 21:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-23 16:45 155648]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 19:47 8720384]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 06:31:38 241664]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2004-10-21 20:25:38 45056]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photags AutoDetect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Photags AutoDetect.lnk
backup=C:\WINDOWS\pss\Photags AutoDetect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=C:\WINDOWS\pss\SpySubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-12-16 12:57 94208 C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DC6_check]
C:\Program Files\Common Files\dc6_startupmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ERS_check]
C:\Program Files\Common Files\ers_startupmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-08-20 23:55 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-04-13 08:07 69632 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
--a------ 2004-10-14 22:54 253952 c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSGRAPH01]
c:\program files\common files\system\7mi3qd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-02-23 16:45 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smart Start UP]
C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-10-21 18:27 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire 4.2.6 Pro\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Documents and Settings\\HP_Owner\\My Documents\\iTunes.exe"=
"C:\\Program Files\\WinAntiVirus Pro 2006\\Updater.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S2 Ca536av;FashionCam Video Camera Device;C:\WINDOWS\system32\Drivers\Ca536av.sys [2003-09-05 12:47]
S3 USBCamera;FashionCam Digital Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 16:28]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 12:21:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-23 12:22:25
ComboFix-quarantined-files.txt 2008-02-23 18:22:19
ComboFix2.txt 2008-02-23 17:22:17
.
2008-02-15 09:02:00 --- E O F ---



Response Number 7
Name: jabuck
Date: February 23, 2008 at 10:31:14 Pacific
Subject: Runng slow and red X on h.d.
Reply:
Open Notepad and copy/paste everything between the X's into it and make sure "Registry::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\WinAntiVirus Pro 2006\\Updater.exe"=-

Folder::
C:\QooBox

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto-start, click "Run".

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.

Download ATF Cleaner from this link:
ATF Cleaner

Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, any infection is displayed in the "Scan is completed" window.
There is no option to clean/disinfect; however, we need to analyze the information in the report.
To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

Post a new ComboFix log and a new HijackThis log, please.


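The CFScript step above, as an added example that is not part of the original post or of ComboFix itself: a Python script that pulls the firewall exception list (the AuthorizedApplications block) out of a ComboFix log, flags entries that point outside the Windows and Program Files trees or belong to a product the thread's Kaspersky report classes as FraudTool, and writes the matching "Registry::" block with "value"=- deletions plus an optional "Folder::" block, in the format the post describes. The trusted-root list, the rogue-product list and the sample log block are assumptions constructed for the example; the key path is ComboFix's own shorthand, copied as the post uses it.

```python
import re

# ComboFix prints the XP firewall exception list under this key, using its own
# "~" shorthand for the key path; the CFScript in the post reuses it verbatim.
FW_KEY = r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List"

# Constructed sample block, modelled on the ComboFix log earlier in the thread.
SAMPLE_LOG = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Documents and Settings\\HP_Owner\\My Documents\\iTunes.exe"=
"C:\\Program Files\\WinAntiVirus Pro 2006\\Updater.exe"=

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
'''

# Assumed heuristic: an exception is expected to point into the Windows or
# Program Files tree. A binary elsewhere (a user's profile, Temp) gets flagged.
TRUSTED_ROOTS = ("%windir%\\", "c:\\windows\\", "c:\\program files\\")

# Assumed list of product folders to remove regardless of location. The single
# entry is the product the thread's Kaspersky report classes as FraudTool.
ROGUE_PRODUCTS = ("\\winantivirus pro 2006\\",)

_VALUE_RE = re.compile(r'^"(.+?)"=(.*)$')


def unescape_reg(s):
    """Undo the backslash doubling REGEDIT4 uses inside quoted strings."""
    return s.replace("\\\\", "\\")


def escape_reg(s):
    """Re-apply that doubling when writing a value name back out."""
    return s.replace("\\", "\\\\")


def parse_authorized_apps(log_text):
    """Return the exception paths ComboFix lists under FW_KEY, in order."""
    paths = []
    in_block = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "[" + FW_KEY + "]":
            in_block = True
            continue
        if not in_block:
            continue
        if not line:            # ComboFix closes the block with a blank line
            break
        m = _VALUE_RE.match(line)
        if m:
            paths.append(unescape_reg(m.group(1)))
    return paths


def is_suspicious(path):
    """Flag known rogue products and binaries outside the trusted roots."""
    low = path.lower()
    if any(p in low for p in ROGUE_PRODUCTS):
        return True
    return not low.startswith(TRUSTED_ROOTS)


def build_cfscript(remove_paths, delete_folders=()):
    """Emit a CFScript: a Registry:: block with "value"=- lines (REGEDIT4
    syntax for "delete this value"), then an optional Folder:: block."""
    lines = ["Registry::", "[" + FW_KEY + "]"]
    lines += ['"%s"=-' % escape_reg(p) for p in remove_paths]
    if delete_folders:
        lines += ["", "Folder::"] + list(delete_folders)
    return "\n".join(lines) + "\n"


def triage(log_text, delete_folders=()):
    """Flag suspicious exceptions and return them with the CFScript to remove them."""
    flagged = [p for p in parse_authorized_apps(log_text) if is_suspicious(p)]
    return flagged, build_cfscript(flagged, delete_folders)


if __name__ == "__main__":
    # C:\QooBox is the ComboFix quarantine folder named in the Kaspersky report.
    flagged, script = triage(SAMPLE_LOG, delete_folders=["C:\\QooBox"])
    print("flagged:", *flagged, sep="\n  ")
    print(script)
```

Save the printed text as CFScript.txt and feed it to ComboFix exactly as the post describes. Review the flagged list by hand before doing so: the path heuristic only says an exception is unusual, not that the binary is malicious, and the "=-" line removes the exception, not the file.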

Response Number 8
Name: Splatter
Date: February 23, 2008 at 13:03:30 Pacific
Subject: Runng slow and red X on h.d.
Reply:
KScan-

---------------------
KASPERSKY ONLINE SCANNER REPORT
2008-02-23 15:01
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/02/2008
Kaspersky Anti-Virus database records: 577001
---------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 74615
Number of viruses found: 17
Number of infected objects: 36
Number of suspicious objects: 0
Duration of the scan process: 01:18:56

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\report.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8d65b1f830a114ab330887cff9f40022_197da348-eb77-48a0-a19f-0cbde57390da Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8d65b1f830a114ab330887cff9f40022_831719f0-7d9b-4bf4-955a-12077a29a817 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d953eda3e26304d35e06e3f99844845b_831719f0-7d9b-4bf4-955a-12077a29a817 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\L0000012.FCS Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\storydb.idx Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Companion Wizard\compwiz.exe.vir Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.2006 skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Companion Wizard\WapCHK.dll.vir Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.2006 skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3HTMLMU.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\M3HTML.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.f skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.p skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\MWSOEPLG.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ab skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\MWSOESTB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3DTACTL.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.al skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3HISTSW.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3HTMLMU.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3HTTPCT.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3POPSWT.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3PSSAVR.SCR.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3RESTUB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3SCHMON.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3SCRCTR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3SHLLVW.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.al skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3WPHOOK.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\M3HTML.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.f skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\M3IDLE.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\M3OUTLCN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\M3PLUGIN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\M3SKIN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\MWSOEPLG.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.al skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\MWSOESTB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\NPMYWEBS.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ai skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP748\change.log Object is locked skipped
C:\VundoFix Backups\bawbbjis.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ixf skipped
C:\VundoFix Backups\ekwlklnx.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ixf skipped
C:\VundoFix Backups\wgkgqnuo.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ixe skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP748\change.log Object is locked skipped

Scan process completed.



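Reading the report above, as an added example that is not part of the original post: almost every "Infected" line sits in a quarantine or backup folder (C:\QooBox\Quarantine, C:\VundoFix Backups), where the copy is inert, and the "Object is locked" lines are registry hives and logs the scanner could not open, not detections. The one live hit is C:\Program Files\MSN Messenger\riched20.dll, a file carrying the name of a Windows system DLL inside an application folder. The Python below parses the per-object lines of a Kaspersky Online Scanner report and separates locked, quarantined and live findings so that the live ones can be reviewed. The quarantine-marker list, the short system-DLL-name list and the sample lines (excerpted from the report above, trimmed to a handful) are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# A handful of lines excerpted from the report above; the sample is constructed
# for the example and is not the full report.
SAMPLE_REPORT = r'''
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\HP_Owner\ntuser.dat Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Companion Wizard\compwiz.exe.vir Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.2006 skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\VundoFix Backups\ekwlklnx.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ixf skipped
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP748\change.log Object is locked skipped

Scan process completed.
'''

# Assumed: folders that hold copies made by the cleanup tools or by System
# Restore. A detection there is inert until something restores it.
QUARANTINE_MARKERS = (
    "\\qoobox\\quarantine\\",          # ComboFix quarantine
    "\\vundofix backups\\",            # VundoFix backups
    "\\system volume information\\",   # System Restore points
)

# Assumed short list of Windows system DLL names for illustration. A file with
# one of these names in an application folder can be picked up by that
# application's DLL search before the copy in system32, so a detection on it
# deserves a closer look rather than being dismissed as leftover adware.
SYSTEM_DLL_NAMES = {"riched20.dll", "riched32.dll"}

_LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:Object is locked skipped|Infected: (?P<name>\S+) skipped)$"
)


@dataclass
class Finding:
    path: str
    name: Optional[str]     # detection name, or None for a locked object

    @property
    def locked(self):
        return self.name is None

    @property
    def quarantined(self):
        low = self.path.lower()
        return any(m in low for m in QUARANTINE_MARKERS)

    @property
    def system_name_collision(self):
        return self.path.rsplit("\\", 1)[-1].lower() in SYSTEM_DLL_NAMES


def parse_report(text):
    """Parse the per-object lines of a Kaspersky Online Scanner report."""
    findings = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if m:
            findings.append(Finding(m.group("path"), m.group("name")))
    return findings


def classify(f):
    """locked (scanner could not open it), quarantined (inert copy) or live."""
    if f.locked:
        return "locked"
    if f.quarantined:
        return "quarantined"
    return "live"


def summarize(text):
    """Count findings per class and return the live detections for review."""
    findings = parse_report(text)
    counts = {"locked": 0, "quarantined": 0, "live": 0}
    live = []
    for f in findings:
        c = classify(f)
        counts[c] += 1
        if c == "live":
            live.append(f)
    return counts, live


if __name__ == "__main__":
    counts, live = summarize(SAMPLE_REPORT)
    print(counts)
    for f in live:
        note = " (name collides with a system DLL)" if f.system_name_collision else ""
        print("LIVE:", f.path, f.name + note)
```

Run against the full report, the "live" list is what actually needs a decision; the quarantined hits disappear once the quarantine and backup folders are removed and System Restore is flushed, which is what the earlier reply asks for.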

Response Number 9
Name: Splatter
Date: February 23, 2008 at 13:11:41 Pacific
Subject: Runng slow and red X on h.d.
Reply:
ComboFix-

ComboFix 08-02-23.2 - HP_Owner 2008-02-23 15:05:21.4 - NTFSx86
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
.

2008-02-23 12:45 . 2008-02-23 12:45 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-23 12:45 . 2008-02-23 12:45 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-23 10:51 . 2008-02-23 11:07 <DIR> d-------- C:\VundoFix Backups
2008-02-22 21:46 . 2008-02-22 21:46 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-02-22 21:46 . 2008-02-22 21:46 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-02-22 21:44 . 2008-02-22 21:44 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-22 21:44 . 2008-02-23 12:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-22 21:44 . 2008-02-23 15:08 3,840,288 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-22 21:44 . 2008-02-23 11:25 49,508 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-22 21:44 . 2008-02-23 15:08 24,096 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-22 21:44 . 2008-02-23 11:25 1,748 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-22 21:32 . 2008-02-22 21:32 <DIR> d-------- C:\kav
2008-02-21 15:32 . 2008-02-21 15:32 70,820 --a------ C:\WINDOWS\BM77e02ee0.xml
2008-02-16 19:39 . 2008-02-23 11:26 181 --a------ C:\WINDOWS\system\hpsysdrv.DAT
2008-02-16 12:46 . 2008-02-16 12:46 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
2008-02-16 12:43 . 2008-02-16 12:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Symantec
2008-02-14 16:06 . 2008-02-16 11:00 <DIR> d-------- C:\Program Files\MalwareAlarm
2008-02-08 18:37 . 2008-02-08 18:37 219,664 --a------ C:\WINDOWS\system32\klogon.dll
2008-02-08 18:35 . 2008-02-08 18:35 23,604 --a------ C:\WINDOWS\system32\drivers\klopp.dat
2008-02-02 12:59 . 2008-02-02 12:59 16,384 --a------ C:\WINDOWS\~DF3457.tmp
2008-02-01 09:44 . 2008-02-01 09:44 0 --a------ C:\WINDOWS\iPlayer.INI
2008-02-01 09:43 . 2008-02-01 09:44 <DIR> d-------- C:\Program Files\InterActual

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-23 18:29 --------- d-----w C:\Program Files\eGames
2008-02-23 18:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-23 02:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-23 01:43 --------- d-----w C:\Program Files\Symantec
2008-02-21 21:59 --------- d-----w C:\Program Files\Common Files\NewSoft
2008-02-21 21:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-21 21:49 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Lavasoft
2008-02-16 21:07 --------- d-----w C:\Program Files\Common Files\Real
2008-02-14 22:25 --------- d-----w C:\Program Files\Selectsoft
2008-02-02 18:59 16,384 ----a-w C:\WINDOWS\~DF3457.tmp
2008-01-30 23:31 --------- d-----w C:\Program Files\MySpace
2008-01-06 22:00 --------- d-----w C:\Program Files\Insaniquarium Deluxe
2008-01-06 21:59 737,280 -c--a-w C:\WINDOWS\iun6002.exe
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
2007-03-26 20:42 24,192 -c--a-w C:\Documents and Settings\HP_Owner\usbsermptxp.sys
2007-03-26 20:42 22,768 -c--a-w C:\Documents and Settings\HP_Owner\usbsermpt.sys
2006-11-06 21:59 0 -c--a-w C:\Program Files\Common Files\err.log
2005-09-26 19:47 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04 52736]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 19:53 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 19:42 659456]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 21:43 233472]
"SiSPower"="SiSPower.dll" [2004-09-24 10:49 49152 C:\WINDOWS\system32\SiSPower.dll]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 18:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 17:57 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 14:41 196608]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 21:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-23 16:45 155648]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 19:47 8720384]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 06:31:38 241664]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2004-10-21 20:25:38 45056]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photags AutoDetect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Photags AutoDetect.lnk
backup=C:\WINDOWS\pss\Photags AutoDetect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=C:\WINDOWS\pss\SpySubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-12-16 12:57 94208 C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DC6_check]
C:\Program Files\Common Files\dc6_startupmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ERS_check]
C:\Program Files\Common Files\ers_startupmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-08-20 23:55 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-04-13 08:07 69632 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
--a------ 2004-10-14 22:54 253952 c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSGRAPH01]
c:\program files\common files\system\7mi3qd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-02-23 16:45 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smart Start UP]
C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-10-21 18:27 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire 4.2.6 Pro\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Documents and Settings\\HP_Owner\\My Documents\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S2 Ca536av;FashionCam Video Camera Device;C:\WINDOWS\system32\Drivers\Ca536av.sys [2003-09-05 12:47]
S3 USBCamera;FashionCam Digital Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 16:28]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 15:08:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-23 15:09:22
ComboFix-quarantined-files.txt 2008-02-23 21:09:11
ComboFix2.txt 2008-02-23 18:40:53
ComboFix3.txt 2008-02-23 18:22:26
ComboFix4.txt 2008-02-23 17:22:17
.
2008-02-15 09:02:00 --- E O F ---



Response Number 10
Name: Splatter
Date: February 23, 2008 at 13:13:42 Pacific
Subject: Runng slow and red X on h.d.
Reply:
HiJackThis-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:12, on 2008-02-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\HP_Owner\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolba...
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/pa...
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySp...
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Software Jukebox v2.0 Service - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Service\Software Jukebox v2.0 File.exe

--
End of file - 5331 bytes



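An added example, not part of the thread and not HijackThis's own code: a small Python triage of the O4 (autostart) and O23 (service) lines in a log like the one posted above. The sample lines are copied from that log; the three checks (bare file name resolved by path search, autostart under the SYSTEM or default-user hive, service with no publisher) are the editor's own heuristics and are assumptions, not HijackThis rules.

```python
import re
from dataclasses import dataclass

# Constructed sample: O4 and O23 lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Software Jukebox v2.0 Service - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Service\Software Jukebox v2.0 File.exe
"""

# O4: "<hive>: [<value name>] <command> (User '<account>')" -- the user suffix is optional.
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
# O23: "Service: <display name> - <publisher> - <binary path>"
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

@dataclass(frozen=True)
class Finding:
    line_type: str  # "O4" or "O23"
    name: str       # Run value name or service display name
    reason: str

def executable_of(cmd: str) -> str:
    """Program part of a Run command line: honour quotes, else cut after the first '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    i = cmd.lower().find(".exe")
    return cmd[:i + 4] if i >= 0 else cmd.split(" ", 1)[0]

def triage(log_text: str) -> list[Finding]:
    """Editor's heuristics (assumptions, not HijackThis rules) over the O4/O23 lines."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m["cmd"])
            if "\\" not in exe and ":" not in exe:
                # No directory given: Windows locates it by path search, so its real location is unverified.
                findings.append(Finding("O4", m["name"], f"bare file name {exe!r} resolved by path search"))
            if m["user"] in ("SYSTEM", "Default user"):
                findings.append(Finding("O4", m["name"], f"autostarts in the {m['user']!r} account context"))
            continue
        m = O23_RE.match(line)
        if m and m["owner"] == "Unknown owner":
            findings.append(Finding("O23", m["display"], "service binary carries no publisher information"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.line_type} {f.name}: {f.reason}")
```

On the sample it flags AGRSMMSG and AlcxMonitor (bare names), MySpaceIM (SYSTEM hive) and the "Software Jukebox v2.0 Service" (no publisher); a flag is a prompt to verify the file on disk, not proof of malware.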
Response Number 11
Name: jabuck
Date: February 23, 2008 at 13:43:24 Pacific
Subject: Runng slow and red X on h.d.
Reply:
Open Notepad and copy/paste everything between the X's into it and make sure "Folder::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Folder::
C:\QooBox
C:\VundoFix Backups

registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto-start, click "run".

Go to start> run> type in combofix /u (note the space after combofix) then press ok.

Your Java is out of date and can be exploited.
Download the latest version of Java from this link: Java
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-1_6_3-windowsi586-p.exe to install the newest version.

This should fix the red X.

Go to start> run> type in notepad > ok. Copy paste the following into notepad making [autorun] the very top line:

[autorun]

ICON=C:\WINDOWS\SYSTEM\SHELL32.DLL,8

Click "save as"> then using the drop down arrow on the far right of the "save in" window select Local Disk C: to be displayed in the "save in" window.

Next type "C:\autorun.inf" (you must use the quotes) in the file name window> click save.

Restart the computer.

You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly, as there is no auto-update on the free version.



Response Number 12
Name: jabuck
Date: February 23, 2008 at 13:46:37 Pacific
Subject: Runng slow and red X on h.d.
Reply:
I missed this.

Go to start> control panel> add/remove programs and uninstall "Malware Alarm"; it is a rogue program.



Response Number 13
Name: Splatter
Date: February 23, 2008 at 14:05:18 Pacific
Subject: Runng slow and red X on h.d.
Reply:
I can't seem to find Malware Alarm in the add and remove programs.


Response Number 14
Name: jabuck
Date: February 23, 2008 at 14:31:37 Pacific
Subject: Runng slow and red X on h.d.
Reply:
Navigate to and delete this folder:

C:\Program Files\MalwareAlarm

Let us know how the computer is operating.



Response Number 15
Name: Splatter
Date: February 23, 2008 at 14:39:34 Pacific
Subject: Runng slow and red X on h.d.
Reply:
Ok, I will go delete the folder. The computer is running great, just installed the Java. Thanks for all your help; I wouldn't have been able to do it without you. Glad I came across this site in my searches. I appreciate the help.


Response Number 16
Name: jabuck
Date: February 23, 2008 at 14:44:32 Pacific
Subject: Runng slow and red X on h.d.
Reply:
Glad we could help.


Response Number 17
Name: Splatter
Date: February 23, 2008 at 14:50:27 Pacific
Subject: Runng slow and red X on h.d.
Reply:
Well, looks like I got one last question. How do I get the time set back to a 12 hour instead of a 24 hour clock?


Response Number 18
Name: jabuck
Date: February 23, 2008 at 14:57:06 Pacific
Subject: Runng slow and red X on h.d.
Reply:
Go to start> control panel> regional and language options> customize> time> click the drop down arrow to the far right of "time format" > select h:mm:ss tt > apply > ok.

Go to start> run> type in combofix /u (note the space after combofix) then press ok. This will remove ComboFix from your system. And you can uninstall/delete any of the other programs we used to clean the computer.


The information on Computing.Net is the opinions of its users. Such opinions may not be accurate and they are to be used at your own risk. Computing.Net cannot verify the validity of the statements made on this site. Computing.Net and Computing.Net, LLC hereby disclaim all responsibility and liability for the content of Computing.Net and its accuracy.

All content ©1996-2007 Computing.Net, LLC