TheTechGuide Forum

General Category => Tech Clinic => Topic started by: newt3 on July 27, 2007, 10:39:26 AM

Title: Clickspring removal-- what's the best method?
Post by: newt3 on July 27, 2007, 10:39:26 AM
Hi Everyone.  I'm new to this board, which I discovered in what seems like my endless search to rid my pc of the dreaded Clickspring adware.  I know I have it.  I've run McAfee, Ad-Aware, and Spybot in attempts to rid my pc of this damned, dreaded, illegal, piece of crap; and no matter how much stuff is cleaned from my machine, it always reappears like a cockroach of the apocalypse.  All my online searches, including scanning this board, seem to lead to different approaches for different people in removing this bug, and I can't seem to find the right way to get it off my machine.  I am pleading with the experts and kind people of this forum to help save my sanity and last few remaining hairs on my balding head to help/teach/enlighten me on the best way to remove this from my pc.  
Help meeeeeeee...........
Title: Clickspring removal-- what's the best method?
Post by: pyrokitty on July 27, 2007, 10:44:04 AM
I had that on my computer a few years back and I actually had to go to a repair store or wherever you bought it and ask them. Their answer will be that you have to get a whole new computer. I'd advise you to just not worry about the repair store and go straight for the computer aisle, because they charge you, I think, $150 just to look at the computer. That's what I did, and I had to start mowing lawns.
Title: Clickspring removal-- what's the best method?
Post by: guestolo on July 27, 2007, 06:14:42 PM
Hi   newt3  
Can you do the following please

Download Hijackthis 2.0.2 from my signature below
SAVE it to your desktop

Double click on HJTInstall.exe to run it
Choose Install

Hijackthis v2.0.2 will open

Under Main Menu, Select
Do a system scan and save a Log file
A log will open in Notepad
Copy and Paste the Whole log back here to the forum...Don't try and fix anything yet----It is all important!
Title: Clickspring removal-- what's the best method?
Post by: newt3 on July 28, 2007, 11:12:17 AM
[quote name='guestolo' post='364518' date='Jul 27 2007, 06:14 PM']Hi newt3
Can you do the following please

Download Hijackthis 2.0.2 from my signature below
SAVE it to your desktop

Double click on HJTInstall.exe to run it
Choose Install

Hijackthis v2.0.2 will open

Under Main Menu, Select
Do a system scan and save a Log file
A log will open in Notepad
Copy and Paste the Whole log back here to the forum...Don't try and fix anything yet----It is all important![/quote]
Title: Clickspring removal-- what's the best method?
Post by: newt3 on July 29, 2007, 12:59:19 PM
This is a test because every time I try to post the logfile, both Firefox and IE fail to load and I get error messages. What the heck is going on???

newt3
Title: Clickspring removal-- what's the best method?
Post by: guestolo on July 29, 2007, 10:05:21 PM
I'm not sure if I understand?
How are you posting to the forum?

Are you using a different computer?
Title: Clickspring removal-- what's the best method?
Post by: newt3 on July 30, 2007, 09:08:18 AM
[quote name='guestolo' post='365711' date='Jul 29 2007, 10:05 PM']I'm not sure if I understand?
How are you posting to the forum?

Are you using a different computer?[/quote]

No. Same machine. I'm running HJT, then getting the log file in a text document. I'm highlighting the entire document, then copying it to the clipboard. I'm then coming here, hitting reply to your post, then pasting the file into the reply. When I hit the "Add Reply" button, I get an error message and there's no post. This happens in both Firefox and IE. Oy vey.
Is the post too long with the log file in there?  Should I break it up into separate posts?

newt3
Title: Clickspring removal-- what's the best method?
Post by: guestolo on July 30, 2007, 05:37:49 PM
First, when you reply back to the forum, don't use the reply button just below my post

Use the Add Reply button at the bottom>>>(http://i184.photobucket.com/albums/x99/guestolo/t_reply.gif)
That should help a bit

When the hijackthis log opens, click EDIT>>SELECT ALL>>EDIT>>COPY

Then Paste the log in the reply box and then choose Add Reply
See if that helps

If not, try multiple posts, but I need to see the log
Title: Clickspring removal-- what's the best method?
Post by: newt3 on July 30, 2007, 09:25:49 PM
Here we go.  Looks like it's gonna take multiple posts...

EDIT>>I've added both replies to this reply box (guestolo)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:57:33 PM, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Iomega\Network Hard Drive\LDServ.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\AwdImportData\MSSQL$AWDLOCALDB\Binn\sqlservr.exe
C:\MSSQL7\binn\sqlservr.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\s?curity\d?dplay.exe
C:\Program Files\Iomega\Network Hard Drive\Admin.exe
C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
C:\WINDOWS\system32\cravlwxh.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
   
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar4.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\oqymnfoh.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\COMMON~1\RACLE~1\svchost.exe" -vt ndrv
O4 - HKCU\..\Run: [Fanmz] C:\WINDOWS\s?curity\d?dplay.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TISKY009.exe
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
O4 - Global Startup: Network Hard Drive Administrator.lnk = C:\Program Files\Iomega\Network Hard Drive\Admin.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) -
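As an added triage example (not HijackThis code and not anything the helpers in this thread used), the script below parses O4 and O15 lines like the ones in the log above and flags what stands out in it: Trusted Zone additions, svchost.exe running from outside the Windows directory, look-alike directory names that HijackThis prints with `?`, and the eight-letter random file names loaded via rundll32. The rules, the system-directory allowlist and the sample lines (copied from the log) are this example's assumptions.

```python
"""Triage helper for HijackThis 2.x log lines (added example, not HijackThis code).

Parses O4 autostart and O15 trusted-zone entries and applies a few rules that
match what stands out in the log posted in this thread. The rules and the
directory allowlist are this example's own assumptions, not HijackThis definitions.
"""
import re
from typing import List, NamedTuple

# Windows core binaries that legitimately run only from the Windows directories.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                   "winlogon.exe", "smss.exe", "explorer.exe"}
# Assumed install root for this machine (the log shows C:\WINDOWS).
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# A Windows path ending in an executable or library, quoted or bare, spaces allowed.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll)\b', re.IGNORECASE)


class Finding(NamedTuple):
    section: str
    line: str
    reasons: List[str]


def looks_random(stem: str) -> bool:
    """Heuristic for the junk names in this log (oqymnfoh, cravlwxh, fkdnvaxn):
    exactly eight lowercase letters containing a run of four or more consonants.
    Vendor names are usually mixed case and real eight-letter system names
    (explorer, winlogon, services) have no such consonant run."""
    return (re.fullmatch(r"[a-z]{8}", stem) is not None
            and re.search(r"[^aeiou]{4,}", stem) is not None)


def check_path(path: str) -> List[str]:
    """Rules applied to each executable/DLL path found in an O4 entry."""
    reasons = []
    directory, _, filename = path.rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    # HijackThis prints '?' for characters it cannot display. '?' is illegal in a
    # file name, so a '?' inside a path means a look-alike (non-ASCII) name such as
    # the 's?curity' directory in the log.
    if "?" in path:
        reasons.append("path contains an unprintable character (look-alike name)")
    if filename.lower() in SYSTEM_BINARIES and directory.lower() not in SYSTEM_DIRS:
        reasons.append(f"{filename} running from outside the Windows directory")
    if looks_random(stem):
        reasons.append(f"random-looking file name {filename}")
    return reasons


def check_entry(section: str, body: str) -> List[str]:
    """Apply the section-specific rules; returns an empty list for clean entries."""
    reasons = []
    if section == "O15":
        # The default Internet Explorer Trusted Zone is empty; every addition needs a reason.
        reasons.append("site added to IE Trusted Zone")
    elif section == "O4":
        cmd = body.split(": ", 1)[-1]  # drop the 'HKLM\..\Run' / 'Startup' prefix
        for path in PATH_RE.findall(cmd):
            reasons.extend(check_path(path))
        if "rundll32" in cmd.lower() and any("random-looking" in r for r in reasons):
            reasons.append("rundll32 used to load the random-named DLL")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return the entries that deserve a closer look, with the rule(s) each one hit."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        reasons = check_entry(m["section"], m["body"])
        if reasons:
            findings.append(Finding(m["section"], line.strip(), reasons))
    return findings


# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\oqymnfoh.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\COMMON~1\RACLE~1\svchost.exe" -vt ndrv
O4 - HKCU\..\Run: [Fanmz] C:\WINDOWS\s?curity\d?dplay.exe
O4 - Global Startup: Network Hard Drive Administrator.lnk = C:\Program Files\Iomega\Network Hard Drive\Admin.exe
O15 - Trusted Zone: *.winfixer.com (HKLM)
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.section, finding.line)
        for reason in finding.reasons:
            print("   -", reason)
```

The heuristics only rank entries for a human to read; a clean entry can still match (vendor names are not always mixed case), so confirm each hit against the file itself before removing anything.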
Title: Clickspring removal-- what's the best method?
Post by: newt3 on July 30, 2007, 09:28:05 PM
<Removed>
Added info to last reply box
Title: Clickspring removal-- what's the best method?
Post by: guestolo on July 30, 2007, 11:00:04 PM
Let's try the following
Download this file - Combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it ONLY to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.>>C:\Combofix.txt
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post its log please, I need to see it all

In addition, I will need to see the Whole log from Hijackthis too, you may have not posted the very bottom
Regardless, do a fresh scan and repost it all
Title: Clickspring removal-- what's the best method?
Post by: newt3 on July 31, 2007, 07:54:40 AM
Man you're quick!  I tried for about an hour to post the remaining part of the logfile, but kept getting the same "Method Not Implemented: POST to /forum/index.php not supported." error.  UGH!!!!  So I gave up until today to come back to it.  What does that mean?  This is driving me insane.
Title: Clickspring removal-- what's the best method?
Post by: guestolo on July 31, 2007, 08:01:09 AM
Don't worry about the old Hijackthis log
I need to see a fresh one anyway, I'm not sure what's going on on your end

Try this, do a fresh scan and save logfile with Hijackthis
Save the new log to desktop
Right click on it and rename
hijackthis.log to hijackthis.txt

Try and upload it
Click on ADD REPLY
At the bottom of the reply box, click Browse....
Browse to the log and double click on it to select it then click the UPLOAD button
Do the same for C:\Combofix.txt

After you upload them don't forget to click the drop down arrow next to Manage Current Attachments and add them to the post
Title: Clickspring removal-- what's the best method?
Post by: newt3 on July 31, 2007, 12:22:07 PM
Here's the combofix log...

ComboFix 07-07-30.2 - "Matthew" 2007-07-31  9:25:38.1 [GMT -5:00] - NTFS
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.True


((((((((((((((((((((((((((((((((((((((((((((   V Log   )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\fkdnvaxn.dll
C:\WINDOWS\system32\ruivvabt.dll
C:\WINDOWS\system32\cravlwxh.exe
C:\WINDOWS\system32\gcqnpuee.exe
C:\WINDOWS\system32\lujfcssq.exe
C:\WINDOWS\system32\mfercqaq.exe
C:\WINDOWS\system32\pxgwalah.exe
C:\WINDOWS\system32\ttjtpgsq.exe
C:\WINDOWS\system32\vktibvth.exe
C:\WINDOWS\system32\wdltjryn.exe
C:\WINDOWS\system32\weouccky.exe
C:\WINDOWS\system32\fkdnvaxn.dll
C:\WINDOWS\SYSTEM32\ccfhk.bak1
C:\WINDOWS\SYSTEM32\ccfhk.bak2
C:\WINDOWS\SYSTEM32\ccfhk.ini
C:\WINDOWS\SYSTEM32\ccfhk.ini2
C:\WINDOWS\SYSTEM32\ccfhk.tmp
C:\WINDOWS\SYSTEM32\ccfhk.bak1
C:\WINDOWS\SYSTEM32\ccfhk.bak2
C:\WINDOWS\SYSTEM32\ccfhk.ini
C:\WINDOWS\SYSTEM32\ccfhk.ini2
C:\WINDOWS\SYSTEM32\ccfhk.tmp
C:\WINDOWS\SYSTEM32\ccfhk.bak1
C:\WINDOWS\SYSTEM32\ccfhk.bak2
C:\WINDOWS\SYSTEM32\ccfhk.ini
C:\WINDOWS\SYSTEM32\ccfhk.ini2
C:\WINDOWS\SYSTEM32\ccfhk.tmp
C:\WINDOWS\system32\khfcc.dll


* * *  POST RUN FILES/FOLDERS  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\racle~1
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\temp\tn3
C:\WINDOWS\acdt-pid67n.exe
C:\WINDOWS\install.exe
C:\WINDOWS\scurit~1
C:\WINDOWS\scurit~1\d?dplay.exe
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\drivers\Browse.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\dadtray.exe
C:\WINDOWS\system32\drivers\OnScDisp.exe
C:\WINDOWS\system32\gxcyxunk.exe
C:\WINDOWS\system32\haflwksg.exe
C:\WINDOWS\system32\L1
C:\WINDOWS\system32\L11
C:\WINDOWS\system32\L3
C:\WINDOWS\system32\L3\wr716.exe
C:\WINDOWS\system32\L5
C:\WINDOWS\system32\L7
C:\WINDOWS\system32\letwmseb.exe
C:\WINDOWS\system32\lhdamfec.exe
C:\WINDOWS\system32\lvsbrqkw.exe
C:\WINDOWS\system32\lxcosarc.exe
C:\WINDOWS\system32\middxmmc.exe
C:\WINDOWS\system32\oouvfsv.dll
C:\WINDOWS\system32\pdinflun.exe
C:\WINDOWS\system32\quxeergl.exe
C:\WINDOWS\system32\rowbfmld.exe
C:\WINDOWS\system32\scnuxcrh.exe
C:\WINDOWS\system32\temmmxsv.exe
C:\WINDOWS\system32\win
C:\WINDOWS\system32\wnsintsv.exe
C:\WINDOWS\wr.txt


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core


(((((((((((((((((((((((((   Files Created from 2007-06-28 to 2007-07-31  )))))))))))))))))))))))))))))))


2007-07-31 09:21    51,200    --a------    C:\WINDOWS\nircmd.exe
2007-07-31 09:08    125,504    --a------    C:\WINDOWS\SYSTEM32\vswwacgu.dll
2007-07-31 08:34    125,504    --a------    C:\WINDOWS\SYSTEM32\dyggtxki.dll
2007-07-26 14:48    76,560    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-07-26 14:48    <DIR>    d--------    C:\Program Files\Trend Micro
2007-07-26 14:38    <DIR>    d--------    C:\DOCUME~1\Matthew\APPLIC~1\Viewpoint
2007-07-25 13:03    126,016    --a------    C:\WINDOWS\SYSTEM32\cbytkmgq.dll
2007-07-25 12:45    143,360    --a------    C:\WINDOWS\SYSTEM32\dunzip32.dll
2007-07-25 12:36    79,304    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2007-07-25 12:36    40,488    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2007-07-25 12:36    35,240    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2007-07-25 12:36    33,800    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2007-07-25 12:36    201,288    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2007-07-25 12:35    113,952    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2007-07-25 12:27    <DIR>    d--------    C:\Program Files\McAfee
2007-07-25 12:26    <DIR>    d--------    C:\Program Files\Common Files\McAfee
2007-07-25 11:11    <DIR>    d--------    C:\DOCUME~1\Matthew\APPLIC~1\McAfee
2007-07-25 11:11    <DIR>    d--------    C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-07-25 10:47    126,016    --a------    C:\WINDOWS\SYSTEM32\vdsloxkk.dll
2007-07-23 22:59    <DIR>    d--------    C:\Program Files\Enigma Software Group
2007-07-23 00:11    465,209    --a------    C:\temp\bY001.exe
2007-07-23 00:11    <DIR>    d--------    C:\tempc2
2007-07-23 00:10    <DIR>    d--------    C:\temp\brr
2007-06-05 13:25    <DIR>    d--------    C:\Program Files\iPod
2007-06-05 13:24    <DIR>    d--------    C:\Program Files\iTunes
2007-06-04 14:35    <DIR>    d--------    C:\DOCUME~1\Matthew\APPLIC~1\eFax Messenger
2007-06-04 14:17    <DIR>    d--------    C:\DOCUME~1\ALLUSE~1\APPLIC~1\eFax Messenger 4.3 Output
2007-06-04 14:15    <DIR>    d--------    C:\Program Files\eFax Messenger 4.3
2007-06-04 14:15    <DIR>    d--------    C:\DOCUME~1\ALLUSE~1\APPLIC~1\eFax Messenger 4.3 Setup
2007-06-03 20:18    5,632    --a------    C:\WINDOWS\SYSTEM32\ptpusb.dll
2007-06-03 20:18    159,232    --a------    C:\WINDOWS\SYSTEM32\ptpusd.dll


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-28 11:57    ---------    d--------    C:\Program Files\Trillian
2007-07-25 12:53    ---------    d--------    C:\Program Files\McAfee.com
2007-07-25 11:53    ---------    d--h-----    C:\Program Files\InstallShield Installation Information
2007-07-25 11:53    ---------    d--------    C:\Program Files\WinMX
2007-07-25 11:53    ---------    d--------    C:\Program Files\Symantec
2007-07-25 11:53    ---------    d--------    C:\Program Files\Common Files\Symantec Shared
2007-07-25 11:45    ---------    d--------    C:\Program Files\Lavasoft
2007-07-23 01:16    ---------    d--------    C:\Program Files\Online Services
2007-07-13 13:17    ---------    d--------    C:\Program Files\Picasa2
2007-06-13 11:42    ---------    d--------    C:\Program Files\eFax Messenger Plus
2007-06-12 02:52    ---------    d--------    C:\Program Files\Cryptainer PE
2007-06-05 13:19    ---------    d--------    C:\Program Files\Apple Software Update
2007-05-16 10:12    683520    --a------    C:\WINDOWS\system32\inetcomm.dll
2007-04-08 22:21    109984    --a--c---    C:\DOCUME~1\Matthew\APPLIC~1\GDIPFONTCACHEV1.DAT


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{840DACDF-C007-4EDE-82D7-11A0B3CBADC3}]
2001-12-31 19:00    131072    --a------    C:\WINDOWS\SYSTEM32\jdqiumwu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"WG511WLU"="C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe" [2004-01-16 16:16]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-03-17 18:21]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-03-17 18:20]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 18:15]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-07-13 16:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2005-11-07 15:49]
"Iomega Automatic Backup"="C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe" [2002-10-15 09:32]
"Ncao"="C:\PROGRA~1\COMMON~1\RACLE~1\svchost.exe" []
"Fanmz"="C:\WINDOWS\s?curity\d?dplay.exe" []

C:\Documents and Settings\Matthew\Start Menu\Programs\Startup\
DESKTOP.INI [2001-08-30 20:02:02]
Trend Micro Anti-Spyware.lnk - C:\Program Files\Trend Micro\Tmasy\Tmasy.exe [2007-07-26 14:48:08]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2001-08-30 20:02:02]
Network Hard Drive Administrator.lnk - C:\Program Files\Iomega\Network Hard Drive\Admin.exe [2003-12-10 16:23:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2002-02-15 09:51 24638 C:\WINDOWS\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuttrq]
wvuttrq.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Camio Viewer 2000.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Camio Viewer 2000.lnk
backup=C:\WINDOWS\pss\Camio Viewer 2000.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.3.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax 4.3.lnk
backup=C:\WINDOWS\pss\eFax 4.3.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax.com Tray Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax.com Tray Menu.lnk
backup=C:\WINDOWS\pss\eFax.com Tray Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Live Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Live Menu.lnk
backup=C:\WINDOWS\pss\Live Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideACT!.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SideACT!.lnk
backup=C:\WINDOWS\pss\SideACT!.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Matthew^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\Matthew\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Matthew^Start Menu^Programs^Startup^QuickLink.lnk]
path=C:\Documents and Settings\Matthew\Start Menu\Programs\Startup\QuickLink.lnk
backup=C:\WINDOWS\pss\QuickLink.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Matthew^Start Menu^Programs^Startup^Web Chrono Desktop.lnk]
path=C:\Documents and Settings\Matthew\Start Menu\Programs\Startup\Web Chrono Desktop.lnk
backup=C:\WINDOWS\pss\Web Chrono Desktop.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Belt]
C:\WINDOWS\Belt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bklwf]
C:\WINDOWS\bklwf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.3]
"C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Automatic Backup]
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Automatic Backup 1.0.1]
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Automatic Backup Pro]
"C:\Program Files\Iomega\Automatic Backup Pro\LiveSystem.exe" -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
"C:\Program Files\Microsoft Money\System\Activation.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
c:\windows\system32\msbb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pop-Up Stopper]
"C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]
"C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHAgent]
C:\WINDOWS\System32\SahAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartupDelayer]
"C:\Program Files\r2 studios\Startup Delayer\Startup Launcher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp3\winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zinio DLM]
C:\PROGRA~1\Zinio\ZDLM.exe /hide

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

R0 Gernuwa;Gernuwa;C:\WINDOWS\system32\drivers\Gernuwa.sys
R0 IABFilt;Iomega Snapshot Volume Filter;C:\WINDOWS\system32\DRIVERS\IABFilt.sys
R0 iomdisk;Iomega Devices Disk Filter Services;C:\WINDOWS\system32\DRIVERS\iomdisk.sys
R0 sonyhcb;Sony Digital Imaging Base;C:\WINDOWS\system32\DRIVERS\sonyhcb.sys
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 Cdralw2k;Cdralw2k;C:\WINDOWS\system32\drivers\Cdralw2k.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 GhPciScan;GhostPciScanner;\??\C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys
R1 MPFP;MPFP;C:\WINDOWS\system32\Drivers\Mpfp.sys
R1 pwd_2K;pwd_2K;C:\WINDOWS\system32\drivers\pwd_2K.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 CdaC15BA;CdaC15BA;\??\C:\WINDOWS\System32\drivers\CdaC15BA.SYS
R2 LanScsiHelper;LANSCSI Helper Service;C:\Program Files\Iomega\Network Hard Drive\LDServ.exe
R2 lpx;LPX Protocol;C:\WINDOWS\system32\DRIVERS\lpx.sys
R2 MSSQL$AWDLOCALDB;MSSQL$AWDLOCALDB;C:\Program Files\AwdImportData\MSSQL$AWDLOCALDB\Binn\sqlservr.exe -sAWDLOCALDB
R2 ssoftnt4;ssoftnt4;\??\C:\WINDOWS\system32\Drivers\ssoftnt4.sys
R2 tcaicchg;tcaicchg;\??\C:\WINDOWS\System32\tcaicchg.sys
R2 TCAITDI;TCAITDI Protocol;C:\WINDOWS\system32\DRIVERS\TCAITDI.sys
R3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\System32\AWINDIS5.SYS
R3 EL556;3Com 10/100 Mini PCI Ethernet Adapter NDIS 5.0 Driver;C:\WINDOWS\system32\DRIVERS\EL556ND5.sys
R3 el575nd5;FE575C-3Com 10/100 LAN CardBus PC Card Driver;C:\WINDOWS\system32\DRIVERS\el575nd5.sys
R3 lanscsibus;LANSCSI Bus Driver for Network Hard Drive;C:\WINDOWS\system32\DRIVERS\lanscsibus.sys
R3 maestro;ESS Maestro Audio Driver (WDM);C:\WINDOWS\system32\drivers\es198xdl.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\WG511ICB.sys
R3 SynTP;Synaptics TouchPad Driver;C:\WINDOWS\system32\DRIVERS\SynTP.sys
R3 WDHAALBA;WDHAALBAMiniPCI Winmodem;C:\WINDOWS\system32\DRIVERS\WDHAALBA.sys
S2 0009611185851002mcinstcleanup;McAfee Application Installer Cleanup (0009611185851002);C:\WINDOWS\TEMP00961~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
S2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
S3 awhost32;pcAnywhere Host Service;C:\Program Files\Symantec\pcAnywhere\awhost32.exe
S3 Bridge;MAC Bridge;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 Dot4;MS IEEE-1284.4 Driver;C:\WINDOWS\system32\DRIVERS\Dot4.sys
S3 Dot4Print;Print Class Driver for IEEE-1284.4;C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 EL556ND5;3Com 10/100 Mini PCI Ethernet Adapter NDIS5 Driver;C:\WINDOWS\system32\DRIVERS\EL556ND5.sys
S3 lanscsiminiport;LANSCSI Miniport Driver for Network Hard Drive;C:\WINDOWS\system32\DRIVERS\lanscsiminiport.sys
S3 OASIS;OASIS;C:\WINDOWS\system32\drivers\oasisusb.sys
S3 SDDMI2;SDDMI2;\??\C:\WINDOWS\system32\DDMI2.sys
S3 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\system32\snmptrap.exe
S3 sonyhcs;Sony Digital Imaging Video;C:\WINDOWS\system32\DRIVERS\sonyhcs.sys
S3 SQLAgent$AWDLOCALDB;SQLAgent$AWDLOCALDB;C:\Program Files\AwdImportData\MSSQL$AWDLOCALDB\Binn\sqlagent.EXE -i AWDLOCALDB
S3 TnIDriver;TnIDriver;\??\C:\DOCUME~1\Matthew\LOCALS~1\Temp\tni4D8.tmp
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys
S4 IISADMIN;IIS Admin;C:\WINDOWS\System32\inetsrv\inetinfo.exe


Contents of the 'Scheduled Tasks' folder
2007-07-27 22:15:06 C:\WINDOWS\Tasks\1-Click Maintenance.job - C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
2007-07-24 18:05:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2002-04-16 13:34:48 C:\WINDOWS\Tasks\ISP signup reminder 1.job - C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
2007-07-25 17:31:52 C:\WINDOWS\Tasks\McDefragTask.job - c:\program files\mcafee\mqc\QcConsol.exe
2007-07-25 17:31:50 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-31 10:14:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000248
"TracesSuccessful"=dword:00000026

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-31 10:20:12 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-31 10:18

    --- E O F ---
Title: Clickspring removal-- what's the best method?
Post by: newt3 on July 31, 2007, 12:26:59 PM
Here's the new HJT logfile...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:14:47 PM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Iomega\Network Hard Drive\LDServ.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\AwdImportData\MSSQL$AWDLOCALDB\Binn\sqlservr.exe
C:\MSSQL7\binn\sqlservr.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Iomega\Network Hard Drive\Admin.exe
C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Title: Clickspring removal-- what's the best method?
Post by: newt3 on July 31, 2007, 12:28:58 PM
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: TChkBHO Class - {840DACDF-C007-4EDE-82D7-11A0B3CBADC3} - C:\WINDOWS\SYSTEM32\jdqiumwu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar4.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\COMMON~1\RACLE~1\svchost.exe" -vt ndrv
O4 - HKCU\..\Run: [Fanmz] C:\WINDOWS\s?curity\d?dplay.exe
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
O4 - Global Startup: Network Hard Drive Administrator.lnk = C:\Program Files\Iomega\Network Hard Drive\Admin.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
Title: Clickspring removal-- what's the best method?
Post by: newt3 on July 31, 2007, 12:37:04 PM
I couldn't get the last part of the logfile to post, so I'm uploading the entire logfile.  Sorry for the convoluted postings.


[attachment=3515:hijackthis3.txt]
Title: Clickspring removal-- what's the best method?
Post by: guestolo on July 31, 2007, 10:56:45 PM
I'm having the same problem as you posting to some threads
getting the same error message

Let me see if this gets resolved soon, or I'll try and start another thread for you
I may not have a chance tonight, but I will be back tomorrow to carry on

In the meantime, can you do the following
>>HOPEFULLY I can post this all :P

Download: CCleaner v1.40.520 - Slim from this link and install it
http://www.ccleaner.com/download/builds.aspx
Do Not run it yet

Download Dr.Web CureIt to the desktop from this link
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Do Not run it yet

Print the rest of these instructions or save them to a text file on the desktop

Do a "System scan only" with Hijackthis and put a check next to these entries:

O2 - BHO: TChkBHO Class - {840DACDF-C007-4EDE-82D7-11A0B3CBADC3} - C:\WINDOWS\SYSTEM32\jdqiumwu.dll

O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\COMMON~1\RACLE~1\svchost.exe" -vt ndrv
O4 - HKCU\..\Run: [Fanmz] C:\WINDOWS\s?curity\d?dplay.exe

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS

O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)

O20 - Winlogon Notify: wvuttrq - wvuttrq.dll (file missing)


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Please reboot your computer in Safe Mode by doing the following:
In safe mode do the following
Run CCleaner
Next: click Options click the Advanced button
Uncheck: "Only delete files in Windows temp folders older than 48 hrs."
NEXT: Click the Cleaner
Then click Run Cleaner (bottom right)
OK the prompt, when finished scanning, just exit the program

Remain in safe mode
Double click to run Dr.Web-cureit.exe from the desktop
Reboot back to Normal windows

Post back the following

1. Post a fresh hijackthis log
2. Post the report from Dr.Web

Hopefully the problems on the board are corrected after you do the following
If not, we'll see if starting a new topic will help
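A triage pass over HijackThis log entries of the kinds the post above ticks, as an added example that is not part of the thread, of HijackThis or of any vendor: it flags the BHO dropped into System32, the svchost.exe outside System32, the path with unprintable characters, the search-hijack context menu, the rogue Trusted Zones and the orphaned Winlogon Notify entry. The rule set is a hypothetical heuristic and SAMPLE_LOG is constructed from lines quoted in the thread.

```python
"""Triage a HijackThis 2.0.2 log: flag the entries a helper would tick for
'Fix checked'. Added example, not code from the thread, HijackThis or any
vendor; the rules are a hypothetical heuristic and SAMPLE_LOG below is
constructed from lines quoted in the thread."""
import ntpath
import re
from urllib.parse import urlparse

# Rogue "security product" domains from the thread's O15 entries (a real
# triage would use a maintained list) and the host behind its O8 hijack.
ROGUE_ZONES = {
    "amaena.com", "drivecleaner.com", "errorprotector.com", "errorsafe.com",
    "imageservr.com", "imagesrvr.com", "systemdoctor.com",
    "winantispyware.com", "winantivirus.com", "winfixer.com",
}
SEARCH_HIJACK_HOSTS = {"bar.mywebsearch.com"}

ENTRY_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")
EXE_PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.I)
SYS32_DLL_RE = re.compile(r"\\WINDOWS\\SYSTEM32\\[^\\]+\.dll$", re.I)
TRUSTED_ZONE_RE = re.compile(r"Trusted Zone:\s+(?:\*\.)?([\w.-]+)")


def check_o2(body):
    """BHO: <name> - {CLSID} - <dll>: a BHO dropped straight into System32
    is the Vundo/ClickSpring pattern (jdqiumwu.dll in the thread)."""
    if SYS32_DLL_RE.search(body.rsplit(" - ", 1)[-1]):
        return "BHO DLL loaded straight from System32"
    return None


def check_o4(body):
    """HKxx\\..\\Run: [Name] <command line>: inspect the executable path."""
    m = EXE_PATH_RE.search(body)
    if not m:
        return None  # no drive-qualified path (e.g. Logi_MwX.Exe)
    path = m.group(1)
    if "?" in path:
        # HJT prints characters it cannot render as '?', which is illegal
        # in a real Windows path: a lookalike folder such as s?curity.
        return "unprintable characters in path (lookalike folder name)"
    if (ntpath.basename(path).lower() == "svchost.exe"
            and ntpath.dirname(path).lower() != r"c:\windows\system32"):
        return "svchost.exe running from outside System32"
    return None


def check_o8(body):
    """Extra context menu item: <text> - <url>."""
    host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
    if host in SEARCH_HIJACK_HOSTS:
        return "context-menu search handler points at a search hijacker"
    return None


def check_o15(body):
    """Trusted Zone: *.domain (HKLM)."""
    m = TRUSTED_ZONE_RE.search(body)
    if m and m.group(1).lower() in ROGUE_ZONES:
        return "Trusted Zone entry for a rogue security-product domain"
    return None


def check_o20(body):
    """Winlogon Notify: <key> - <dll>: the DLL is gone but the hook stays."""
    return "orphaned Winlogon Notify entry" if "(file missing)" in body else None


CHECKS = {"O2": check_o2, "O4": check_o4, "O8": check_o8,
          "O15": check_o15, "O20": check_o20}


def triage(log_text):
    """Return (line, reason) for every log line a rule matches."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header and 'Running processes' lines
        kind, body = m.groups()
        reason = CHECKS[kind](body) if kind in CHECKS else None
        if reason:
            findings.append((raw.strip(), reason))
    return findings


# Constructed sample: a subset of the thread's HJT log, clean and bad mixed.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: TChkBHO Class - {840DACDF-C007-4EDE-82D7-11A0B3CBADC3} - C:\WINDOWS\SYSTEM32\jdqiumwu.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\COMMON~1\RACLE~1\svchost.exe" -vt ndrv
O4 - HKCU\..\Run: [Fanmz] C:\WINDOWS\s?curity\d?dplay.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: *.winfixer.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O20 - Winlogon Notify: wvuttrq - wvuttrq.dll (file missing)
"""
```

Run `triage(SAMPLE_LOG)` to get the list of lines to tick; everything not flagged (Adobe, McAfee scriptproxy, ctfmon, the Excel handler) is left alone.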
Title: Clickspring removal-- what's the best method?
Post by: newt3 on August 01, 2007, 01:42:26 PM
Followed your instructions.  Here's the new HJT logfile and Dr. Web report.  Sorry I had to upload the HJT document, but I keep getting the same error message about "method not implemented" when I try to cut and paste the results into a post.  Ugh.  Below is the Dr. Web report.
[attachment=3520:hijackthis4.txt]


script[1].js;C:\Documents and Settings\Rebecca\Local Settings\Temporary Internet Files\Content.IE5\CDAHK56D;Win32.HLLM.Graz;Deleted.;
backup-20070801-102107-103.dll;C:\Program Files\Trend Micro\HijackThis\backups;Adware.WildMedia;Incurable.Moved.;
DDPLAY~1.VIR;C:\QooBox\Quarantine\C\WINDOWS\SCURIT~1;Adware.ClickSpring;Incurable.Moved.;
cravlwxh.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.DownLoader.26570;Deleted.;
fkdnvaxn.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
gcqnpuee.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.DownLoader.26570;Deleted.;
gxcyxunk.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
haflwksg.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
khfcc.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
letwmseb.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
lhdamfec.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
lujfcssq.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.DownLoader.26570;Deleted.;
lvsbrqkw.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
lxcosarc.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
mfercqaq.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Click.2799;Deleted.;
middxmmc.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
oouvfsv.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Adware.ClickSpring;Incurable.Moved.;
pdinflun.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
pxgwalah.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.DownLoader.26570;Deleted.;
quxeergl.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
rowbfmld.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
ruivvabt.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
scnuxcrh.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
temmmxsv.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
ttjtpgsq.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.DownLoader.26570;Deleted.;
vktibvth.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.DownLoader.26570;Deleted.;
wdltjryn.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.DownLoader.26570;Deleted.;
weouccky.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Click.2799;Deleted.;
wr716.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\L3;Trojan.DownLoader.26881;Deleted.;
cbytkmgq.dll;C:\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
dyggtxki.dll;C:\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
vdsloxkk.dll;C:\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
vswwacgu.dll;C:\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
Title: Clickspring removal-- what's the best method?
Post by: guestolo on August 01, 2007, 10:34:23 PM
Hi again Newt
It's only a couple threads I'm having problems with, and yours is one of them unfortunately :o
Let's try and work thru the problems of the board

Dr. Web cleared some more files for us
Can you run Combofix again please, post the log from it
C:\Combofix.txt
Just to see what remains

Let me know how things are running also
Title: Clickspring removal-- what's the best method?
Post by: newt3 on August 02, 2007, 08:18:51 AM
guestolo,
Here's the ComboFix log.  As for performance...  I don't want to jinx it, but things seem like they're back to normal.  Woo hoo!  I haven't had any unwanted pop ups and speed seems like it's back to original levels.  You are the MAN/WOMAN!  How come the big companies like McAfee and Norton can't fix things like you guys?

newt

ComboFix 07-07-30.2 - "Matthew" 2007-08-02  8:42:43.2 [GMT -5:00] - NTFS
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.True


(((((((((((((((((((((((((   Files Created from 2007-07-02 to 2007-08-02  )))))))))))))))))))))))))))))))


2007-08-01 10:32   <DIR>   d--------   C:\DOCUME~1\Matthew\DoctorWeb
2007-08-01 10:29   <DIR>   d--------   C:\Program Files\CCleaner
2007-07-31 09:21   51,200   --a------   C:\WINDOWS\nircmd.exe
2007-07-26 14:48   76,560   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-07-26 14:48   <DIR>   d--------   C:\Program Files\Trend Micro
2007-07-26 14:38   <DIR>   d--------   C:\DOCUME~1\Matthew\APPLIC~1\Viewpoint
2007-07-25 12:45   143,360   --a------   C:\WINDOWS\SYSTEM32\dunzip32.dll
2007-07-25 12:36   79,304   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2007-07-25 12:36   40,488   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2007-07-25 12:36   35,240   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2007-07-25 12:36   33,800   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2007-07-25 12:36   201,288   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2007-07-25 12:35   113,952   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2007-07-25 12:27   <DIR>   d--------   C:\Program Files\McAfee
2007-07-25 12:26   <DIR>   d--------   C:\Program Files\Common Files\McAfee
2007-07-25 11:11   <DIR>   d--------   C:\DOCUME~1\Matthew\APPLIC~1\McAfee
2007-07-25 11:11   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-07-23 22:59   <DIR>   d--------   C:\Program Files\Enigma Software Group
2007-07-23 00:11   465,209   --a------   C:\temp\bY001.exe
2007-07-23 00:11   <DIR>   d--------   C:\tempc2
2007-07-23 00:10   <DIR>   d--------   C:\temp\brr


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-28 11:57   ---------   d--------   C:\Program Files\Trillian
2007-07-25 12:53   ---------   d--------   C:\Program Files\McAfee.com
2007-07-25 11:53   ---------   d--h-----   C:\Program Files\InstallShield Installation Information
2007-07-25 11:53   ---------   d--------   C:\Program Files\WinMX
2007-07-25 11:53   ---------   d--------   C:\Program Files\Symantec
2007-07-25 11:53   ---------   d--------   C:\Program Files\Common Files\Symantec Shared
2007-07-25 11:45   ---------   d--------   C:\Program Files\Lavasoft
2007-07-23 01:16   ---------   d--------   C:\Program Files\Online Services
2007-07-13 13:17   ---------   d--------   C:\Program Files\Picasa2
2007-06-13 11:42   ---------   d--------   C:\Program Files\eFax Messenger Plus
2007-06-12 02:52   ---------   d--------   C:\Program Files\Cryptainer PE
2007-06-05 13:25   ---------   d--------   C:\Program Files\iTunes
2007-06-05 13:25   ---------   d--------   C:\Program Files\iPod
2007-06-05 13:19   ---------   d--------   C:\Program Files\Apple Software Update
2007-06-04 14:35   ---------   d--------   C:\DOCUME~1\Matthew\APPLIC~1\eFax Messenger
2007-06-04 14:15   ---------   d--------   C:\Program Files\eFax Messenger 4.3
2007-05-16 10:12   683520   --a------   C:\WINDOWS\system32\inetcomm.dll
2007-04-08 22:21   109984   --a--c---   C:\DOCUME~1\Matthew\APPLIC~1\GDIPFONTCACHEV1.DAT


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"WG511WLU"="C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe" [2004-01-16 16:16]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-03-17 18:21]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-03-17 18:20]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 18:15]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-07-13 16:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2005-11-07 15:49]
"Iomega Automatic Backup"="C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe" [2002-10-15 09:32]

C:\Documents and Settings\Matthew\Start Menu\Programs\Startup\
DESKTOP.INI [2001-08-30 20:02:02]
Trend Micro Anti-Spyware.lnk - C:\Program Files\Trend Micro\Tmasy\Tmasy.exe [2007-07-26 14:48:08]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2001-08-30 20:02:02]
Network Hard Drive Administrator.lnk - C:\Program Files\Iomega\Network Hard Drive\Admin.exe [2003-12-10 16:23:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2002-02-15 09:51 24638 C:\WINDOWS\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Camio Viewer 2000.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Camio Viewer 2000.lnk
backup=C:\WINDOWS\pss\Camio Viewer 2000.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.3.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax 4.3.lnk
backup=C:\WINDOWS\pss\eFax 4.3.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax.com Tray Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax.com Tray Menu.lnk
backup=C:\WINDOWS\pss\eFax.com Tray Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Live Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Live Menu.lnk
backup=C:\WINDOWS\pss\Live Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideACT!.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SideACT!.lnk
backup=C:\WINDOWS\pss\SideACT!.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Matthew^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\Matthew\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Matthew^Start Menu^Programs^Startup^QuickLink.lnk]
path=C:\Documents and Settings\Matthew\Start Menu\Programs\Startup\QuickLink.lnk
backup=C:\WINDOWS\pss\QuickLink.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Matthew^Start Menu^Programs^Startup^Web Chrono Desktop.lnk]
path=C:\Documents and Settings\Matthew\Start Menu\Programs\Startup\Web Chrono Desktop.lnk
backup=C:\WINDOWS\pss\Web Chrono Desktop.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Belt]
C:\WINDOWS\Belt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bklwf]
C:\WINDOWS\bklwf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.3]
"C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Automatic Backup]
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Automatic Backup 1.0.1]
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Automatic Backup Pro]
"C:\Program Files\Iomega\Automatic Backup Pro\LiveSystem.exe" -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
"C:\Program Files\Microsoft Money\System\Activation.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
c:\windows\system32\msbb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pop-Up Stopper]
"C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]
"C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHAgent]
C:\WINDOWS\System32\SahAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartupDelayer]
"C:\Program Files\r2 studios\Startup Delayer\Startup Launcher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp3\winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zinio DLM]
C:\PROGRA~1\Zinio\ZDLM.exe /hide

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

R0 Gernuwa;Gernuwa;C:\WINDOWS\system32\drivers\Gernuwa.sys
R0 IABFilt;Iomega Snapshot Volume Filter;C:\WINDOWS\system32\DRIVERS\IABFilt.sys
R0 iomdisk;Iomega Devices Disk Filter Services;C:\WINDOWS\system32\DRIVERS\iomdisk.sys
R0 sonyhcb;Sony Digital Imaging Base;C:\WINDOWS\system32\DRIVERS\sonyhcb.sys
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 Cdralw2k;Cdralw2k;C:\WINDOWS\system32\drivers\Cdralw2k.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 GhPciScan;GhostPciScanner;\??\C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys
R1 MPFP;MPFP;C:\WINDOWS\system32\Drivers\Mpfp.sys
R1 pwd_2K;pwd_2K;C:\WINDOWS\system32\drivers\pwd_2K.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 CdaC15BA;CdaC15BA;\??\C:\WINDOWS\System32\drivers\CdaC15BA.SYS
R2 LanScsiHelper;LANSCSI Helper Service;C:\Program Files\Iomega\Network Hard Drive\LDServ.exe
R2 lpx;LPX Protocol;C:\WINDOWS\system32\DRIVERS\lpx.sys
R2 MSSQL$AWDLOCALDB;MSSQL$AWDLOCALDB;C:\Program Files\AwdImportData\MSSQL$AWDLOCALDB\Binn\sqlservr.exe -sAWDLOCALDB
R2 ssoftnt4;ssoftnt4;\??\C:\WINDOWS\system32\Drivers\ssoftnt4.sys
R2 tcaicchg;tcaicchg;\??\C:\WINDOWS\System32\tcaicchg.sys
R2 TCAITDI;TCAITDI Protocol;C:\WINDOWS\system32\DRIVERS\TCAITDI.sys
R3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\System32\AWINDIS5.SYS
R3 Dot4;MS IEEE-1284.4 Driver;C:\WINDOWS\system32\DRIVERS\Dot4.sys
R3 Dot4Print;Print Class Driver for IEEE-1284.4;C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
R3 EL556;3Com 10/100 Mini PCI Ethernet Adapter NDIS 5.0 Driver;C:\WINDOWS\system32\DRIVERS\EL556ND5.sys
R3 el575nd5;FE575C-3Com 10/100 LAN CardBus PC Card Driver;C:\WINDOWS\system32\DRIVERS\el575nd5.sys
R3 lanscsibus;LANSCSI Bus Driver for Network Hard Drive;C:\WINDOWS\system32\DRIVERS\lanscsibus.sys
R3 maestro;ESS Maestro Audio Driver (WDM);C:\WINDOWS\system32\drivers\es198xdl.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 SynTP;Synaptics TouchPad Driver;C:\WINDOWS\system32\DRIVERS\SynTP.sys
R3 WDHAALBA;WDHAALBAMiniPCI Winmodem;C:\WINDOWS\system32\DRIVERS\WDHAALBA.sys
S2 0104361185974316mcinstcleanup;McAfee Application Installer Cleanup (0104361185974316);C:\WINDOWS\TEMP10436~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
S2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
S3 awhost32;pcAnywhere Host Service;C:\Program Files\Symantec\pcAnywhere\awhost32.exe
S3 Bridge;MAC Bridge;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 EL556ND5;3Com 10/100 Mini PCI Ethernet Adapter NDIS5 Driver;C:\WINDOWS\system32\DRIVERS\EL556ND5.sys
S3 lanscsiminiport;LANSCSI Miniport Driver for Network Hard Drive;C:\WINDOWS\system32\DRIVERS\lanscsiminiport.sys
S3 OASIS;OASIS;C:\WINDOWS\system32\drivers\oasisusb.sys
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\WG511ICB.sys
S3 SDDMI2;SDDMI2;\??\C:\WINDOWS\system32\DDMI2.sys
S3 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\system32\snmptrap.exe
S3 sonyhcs;Sony Digital Imaging Video;C:\WINDOWS\system32\DRIVERS\sonyhcs.sys
S3 SQLAgent$AWDLOCALDB;SQLAgent$AWDLOCALDB;C:\Program Files\AwdImportData\MSSQL$AWDLOCALDB\Binn\sqlagent.EXE -i AWDLOCALDB
S3 TnIDriver;TnIDriver;\??\C:\DOCUME~1\Matthew\LOCALS~1\Temp\tni4D8.tmp
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys
S4 IISADMIN;IIS Admin;C:\WINDOWS\System32\inetsrv\inetinfo.exe


Contents of the 'Scheduled Tasks' folder
2007-07-27 22:15:06 C:\WINDOWS\Tasks\1-Click Maintenance.job - C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
2007-07-31 18:05:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2002-04-16 13:34:48 C:\WINDOWS\Tasks\ISP signup reminder 1.job - C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
2007-07-25 17:31:52 C:\WINDOWS\Tasks\McDefragTask.job - c:\program files\mcafee\mqc\QcConsol.exe
2007-07-25 17:31:50 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-02 08:53:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-08-02  8:58:22
C:\ComboFix-quarantined-files.txt ... 2007-08-02 08:56
C:\ComboFix2.txt ... 2007-07-31 10:20

   --- E O F ---
Title: Clickspring removal-- what's the best method?
Post by: guestolo on August 02, 2007, 06:58:55 PM
If MyWebSearch is in your Add/remove programs
Uninstall it

Let's try one last shot with Combofix please
But do the following

Open notepad and copy/paste the text in the quotebox below into it:
Don't use anything else than notepad or the script will not work

Quote
File::
C:\WINDOWS\Belt.exe
C:\Documents and Settings\Matthew\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
C:\WINDOWS\bklwf.exe
C:\windows\system32\msbb.exe
C:\WINDOWS\System32\SahAgent.exe

Folder::
C:\tempc2
C:\temp
C:\Documents and Settings\Matthew\DoctorWeb
C:\Program Files\MyWebSearch

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Matthew^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Belt]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bklwf]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QuickTime Task"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHAgent]

Save this file with the name of
CFScript
(http://img.photobucket.com/albums/v666/sUBs/CFScript.gif)

Take note of the pic above
Drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

And one last hijackthis log please
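Before dragging a CFScript onto ComboFix it is worth reading exactly what it asks for. The parser below is an added example, not part of this thread or of ComboFix: it takes the File::, Folder:: and Registry:: sections in the format posted above and lists the deletions requested, flagging any that touch the Windows directory. It assumes the Registry:: lines follow Regedit .reg syntax ([-Key] removes a key, "Name"=- removes a value under the preceding key); the sample script is a shortened, constructed copy of the one posted.

```python
"""Parse a ComboFix CFScript and list the actions it would request.

Added example, not code from the forum thread or from ComboFix.  The
Registry:: interpretation ([-Key] deletes a key, "Name"=- deletes a
value) follows Regedit .reg syntax and is an assumption here.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: a shortened copy of the CFScript posted in the thread.
SAMPLE_SCRIPT = r"""File::
C:\WINDOWS\Belt.exe
C:\WINDOWS\System32\SahAgent.exe

Folder::
C:\temp
C:\Program Files\MyWebSearch

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Belt]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QuickTime Task"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHAgent]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")      # e.g. "File::"
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")           # "[-Key]" or "[Key]"
VALUE_DEL_RE = re.compile(r'^"(.+)"=-$')         # '"Name"=-'

# Deletions under here remove things that may belong to Windows itself,
# so a reviewer should double-check each one before running the script.
SENSITIVE_ROOT = "c:\\windows\\"


def parse_cfscript(text: str) -> List[Tuple[str, str]]:
    """Return (action, target) pairs in script order.

    Actions: delete_file, delete_folder, delete_key, delete_value,
    or unparsed for lines the parser does not understand.
    """
    actions: List[Tuple[str, str]] = []
    section: Optional[str] = None
    current_key: Optional[str] = None   # key that "Name"=- lines apply to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1).lower()
            current_key = None
            continue
        if section == "file":
            actions.append(("delete_file", line))
        elif section == "folder":
            actions.append(("delete_folder", line))
        elif section == "registry":
            key = KEY_RE.match(line)
            if key:
                minus, name = key.groups()
                if minus:                      # [-Key]: whole key goes
                    actions.append(("delete_key", name))
                    current_key = None
                else:                          # [Key]: values follow
                    current_key = name
                continue
            val = VALUE_DEL_RE.match(line)
            if val and current_key:
                actions.append(("delete_value", current_key + "\\" + val.group(1)))
            else:
                actions.append(("unparsed", line))
        else:
            actions.append(("unparsed", line))
    return actions


def flag_sensitive(actions: List[Tuple[str, str]]) -> List[str]:
    """File/folder deletions that reach into the Windows directory."""
    return [target for action, target in actions
            if action in ("delete_file", "delete_folder")
            and target.lower().startswith(SENSITIVE_ROOT)]


if __name__ == "__main__":
    planned = parse_cfscript(SAMPLE_SCRIPT)
    for action, target in planned:
        print(f"{action:14} {target}")
    print("review before running:", flag_sensitive(planned))
```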
Title: Clickspring removal-- what's the best method?
Post by: newt3 on August 02, 2007, 09:59:34 PM
guestolo,
MyWebSearch wasn't in my Add/Remove list.  Here are the results from the ComboFix and HJT processes...
[attachment=3537:hijackthis5.txt]



ComboFix 07-07-30.2 - "Matthew" 2007-08-02 21:54:39.3 [GMT -5:00] - NTFS
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.True
Command switches used ::  C:\Documents and Settings\Matthew\Desktop\CFScript.txt


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Matthew\DoctorWeb
C:\Documents and Settings\Matthew\DoctorWeb\CureIt.log
C:\temp
C:\tempc2\tmpFF.log
C:\temp\adobe photoshop 7.0 serial.txt
C:\temp\bY001.exe
C:\temp\commission11-12-04.pdf
C:\temp\commission13-JAN-05.pdf
C:\temp\commission14-dec-04.pdf
C:\temp\commission28-oct-04.pdf
C:\temp\commission29-dec-04.pdf
C:\temp\commission29-nov-04.pdf
C:\temp\commissiontest003002.pdf
C:\temp\commissiontest003002.txt
C:\temp\commissiontest003002.xml
C:\temp\commissiontest01-12-04--X.bmp
C:\temp\commissiontest01-12-04--X.txt
C:\temp\commissiontest01-12-04--X2.txt
C:\temp\commissiontest01-12-04--X3.txt
C:\temp\commissiontest01-12-04.bmp
C:\temp\commissiontest01-12-04.txt
C:\temp\commissiontest01-12-04.xml
C:\temp\commtest.txt
C:\temp\downloadingcomm.doc
C:\temp\Photoshop\_INST32I.EX_
C:\temp\Photoshop\_ISDel.exe
C:\temp\Photoshop\_Setup.dll
C:\temp\Photoshop\_sys1.cab
C:\temp\Photoshop\_sys1.hdr
C:\temp\Photoshop\_user1.cab
C:\temp\Photoshop\_user1.hdr
C:\temp\Photoshop\Abcpy.ini
C:\temp\Photoshop\DATA.TAG
C:\temp\Photoshop\data1.cab
C:\temp\Photoshop\data1.hdr
C:\temp\Photoshop\lang.dat
C:\temp\Photoshop\layout.bin
C:\temp\Photoshop\os.dat
C:\temp\Photoshop\Photoshop 7.0 ReadMe.wri
C:\temp\Photoshop\Setup.bmp
C:\temp\Photoshop\Setup.exe
C:\temp\Photoshop\SETUP.INI
C:\temp\Photoshop\setup.ins
C:\temp\Photoshop\setup.lid


(((((((((((((((((((((((((   Files Created from 2007-07-03 to 2007-08-03  )))))))))))))))))))))))))))))))


2007-08-01 10:29    <DIR>    d--------    C:\Program Files\CCleaner
2007-07-31 09:21    51,200    --a------    C:\WINDOWS\nircmd.exe
2007-07-26 14:48    76,560    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-07-26 14:48    <DIR>    d--------    C:\Program Files\Trend Micro
2007-07-26 14:38    <DIR>    d--------    C:\DOCUME~1\Matthew\APPLIC~1\Viewpoint
2007-07-25 12:45    143,360    --a------    C:\WINDOWS\SYSTEM32\dunzip32.dll
2007-07-25 12:36    79,304    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2007-07-25 12:36    40,488    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2007-07-25 12:36    35,240    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2007-07-25 12:36    33,800    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2007-07-25 12:36    201,288    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2007-07-25 12:35    113,952    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2007-07-25 12:27    <DIR>    d--------    C:\Program Files\McAfee
2007-07-25 12:26    <DIR>    d--------    C:\Program Files\Common Files\McAfee
2007-07-25 11:11    <DIR>    d--------    C:\DOCUME~1\Matthew\APPLIC~1\McAfee
2007-07-25 11:11    <DIR>    d--------    C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-07-23 22:59    <DIR>    d--------    C:\Program Files\Enigma Software Group


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-02 22:10    ---------    d--------    C:\Program Files\Trillian
2007-07-25 12:53    ---------    d--------    C:\Program Files\McAfee.com
2007-07-25 11:53    ---------    d--h-----    C:\Program Files\InstallShield Installation Information
2007-07-25 11:53    ---------    d--------    C:\Program Files\WinMX
2007-07-25 11:53    ---------    d--------    C:\Program Files\Symantec
2007-07-25 11:53    ---------    d--------    C:\Program Files\Common Files\Symantec Shared
2007-07-25 11:45    ---------    d--------    C:\Program Files\Lavasoft
2007-07-23 01:16    ---------    d--------    C:\Program Files\Online Services
2007-07-13 13:17    ---------    d--------    C:\Program Files\Picasa2
2007-06-13 11:42    ---------    d--------    C:\Program Files\eFax Messenger Plus
2007-06-12 02:52    ---------    d--------    C:\Program Files\Cryptainer PE
2007-06-05 13:25    ---------    d--------    C:\Program Files\iTunes
2007-06-05 13:25    ---------    d--------    C:\Program Files\iPod
2007-06-05 13:19    ---------    d--------    C:\Program Files\Apple Software Update
2007-06-04 14:35    ---------    d--------    C:\DOCUME~1\Matthew\APPLIC~1\eFax Messenger
2007-06-04 14:15    ---------    d--------    C:\Program Files\eFax Messenger 4.3
2007-05-16 10:12    683520    --a------    C:\WINDOWS\system32\inetcomm.dll
2007-04-08 22:21    109984    --a--c---    C:\DOCUME~1\Matthew\APPLIC~1\GDIPFONTCACHEV1.DAT


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"WG511WLU"="C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe" [2004-01-16 16:16]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-03-17 18:21]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-03-17 18:20]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 18:15]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-07-13 16:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2005-11-07 15:49]
"Iomega Automatic Backup"="C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe" [2002-10-15 09:32]

C:\Documents and Settings\Matthew\Start Menu\Programs\Startup\
DESKTOP.INI [2001-08-30 20:02:02]
Trend Micro Anti-Spyware.lnk - C:\Program Files\Trend Micro\Tmasy\Tmasy.exe [2007-07-26 14:48:08]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2001-08-30 20:02:02]
Network Hard Drive Administrator.lnk - C:\Program Files\Iomega\Network Hard Drive\Admin.exe [2003-12-10 16:23:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2002-02-15 09:51 24638 C:\WINDOWS\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Camio Viewer 2000.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Camio Viewer 2000.lnk
backup=C:\WINDOWS\pss\Camio Viewer 2000.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.3.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax 4.3.lnk
backup=C:\WINDOWS\pss\eFax 4.3.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax.com Tray Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax.com Tray Menu.lnk
backup=C:\WINDOWS\pss\eFax.com Tray Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Live Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Live Menu.lnk
backup=C:\WINDOWS\pss\Live Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideACT!.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SideACT!.lnk
backup=C:\WINDOWS\pss\SideACT!.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Matthew^Start Menu^Programs^Startup^QuickLink.lnk]
path=C:\Documents and Settings\Matthew\Start Menu\Programs\Startup\QuickLink.lnk
backup=C:\WINDOWS\pss\QuickLink.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Matthew^Start Menu^Programs^Startup^Web Chrono Desktop.lnk]
path=C:\Documents and Settings\Matthew\Start Menu\Programs\Startup\Web Chrono Desktop.lnk
backup=C:\WINDOWS\pss\Web Chrono Desktop.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.3]
"C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Automatic Backup]
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Automatic Backup 1.0.1]
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Automatic Backup Pro]
"C:\Program Files\Iomega\Automatic Backup Pro\LiveSystem.exe" -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
"C:\Program Files\Microsoft Money\System\Activation.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pop-Up Stopper]
"C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]
"C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartupDelayer]
"C:\Program Files\r2 studios\Startup Delayer\Startup Launcher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp3\winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zinio DLM]
C:\PROGRA~1\Zinio\ZDLM.exe /hide

R0 Gernuwa;Gernuwa;C:\WINDOWS\system32\drivers\Gernuwa.sys
R0 IABFilt;Iomega Snapshot Volume Filter;C:\WINDOWS\system32\DRIVERS\IABFilt.sys
R0 iomdisk;Iomega Devices Disk Filter Services;C:\WINDOWS\system32\DRIVERS\iomdisk.sys
R0 sonyhcb;Sony Digital Imaging Base;C:\WINDOWS\system32\DRIVERS\sonyhcb.sys
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 Cdralw2k;Cdralw2k;C:\WINDOWS\system32\drivers\Cdralw2k.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 GhPciScan;GhostPciScanner;\??\C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys
R1 MPFP;MPFP;C:\WINDOWS\system32\Drivers\Mpfp.sys
R1 pwd_2K;pwd_2K;C:\WINDOWS\system32\drivers\pwd_2K.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 CdaC15BA;CdaC15BA;\??\C:\WINDOWS\System32\drivers\CdaC15BA.SYS
R2 LanScsiHelper;LANSCSI Helper Service;C:\Program Files\Iomega\Network Hard Drive\LDServ.exe
R2 lpx;LPX Protocol;C:\WINDOWS\system32\DRIVERS\lpx.sys
R2 MSSQL$AWDLOCALDB;MSSQL$AWDLOCALDB;C:\Program Files\AwdImportData\MSSQL$AWDLOCALDB\Binn\sqlservr.exe -sAWDLOCALDB
R2 ssoftnt4;ssoftnt4;\??\C:\WINDOWS\system32\Drivers\ssoftnt4.sys
R2 tcaicchg;tcaicchg;\??\C:\WINDOWS\System32\tcaicchg.sys
R2 TCAITDI;TCAITDI Protocol;C:\WINDOWS\system32\DRIVERS\TCAITDI.sys
R3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\System32\AWINDIS5.SYS
R3 Dot4;MS IEEE-1284.4 Driver;C:\WINDOWS\system32\DRIVERS\Dot4.sys
R3 Dot4Print;Print Class Driver for IEEE-1284.4;C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
R3 EL556;3Com 10/100 Mini PCI Ethernet Adapter NDIS 5.0 Driver;C:\WINDOWS\system32\DRIVERS\EL556ND5.sys
R3 el575nd5;FE575C-3Com 10/100 LAN CardBus PC Card Driver;C:\WINDOWS\system32\DRIVERS\el575nd5.sys
R3 lanscsibus;LANSCSI Bus Driver for Network Hard Drive;C:\WINDOWS\system32\DRIVERS\lanscsibus.sys
R3 maestro;ESS Maestro Audio Driver (WDM);C:\WINDOWS\system32\drivers\es198xdl.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 SynTP;Synaptics TouchPad Driver;C:\WINDOWS\system32\DRIVERS\SynTP.sys
R3 WDHAALBA;WDHAALBAMiniPCI Winmodem;C:\WINDOWS\system32\DRIVERS\WDHAALBA.sys
S2 0104361185974316mcinstcleanup;McAfee Application Installer Cleanup (0104361185974316);C:\WINDOWS\TEMP10436~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
S2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
S3 awhost32;pcAnywhere Host Service;C:\Program Files\Symantec\pcAnywhere\awhost32.exe
S3 Bridge;MAC Bridge;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 EL556ND5;3Com 10/100 Mini PCI Ethernet Adapter NDIS5 Driver;C:\WINDOWS\system32\DRIVERS\EL556ND5.sys
S3 lanscsiminiport;LANSCSI Miniport Driver for Network Hard Drive;C:\WINDOWS\system32\DRIVERS\lanscsiminiport.sys
S3 OASIS;OASIS;C:\WINDOWS\system32\drivers\oasisusb.sys
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\WG511ICB.sys
S3 SDDMI2;SDDMI2;\??\C:\WINDOWS\system32\DDMI2.sys
S3 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\system32\snmptrap.exe
S3 sonyhcs;Sony Digital Imaging Video;C:\WINDOWS\system32\DRIVERS\sonyhcs.sys
S3 SQLAgent$AWDLOCALDB;SQLAgent$AWDLOCALDB;C:\Program Files\AwdImportData\MSSQL$AWDLOCALDB\Binn\sqlagent.EXE -i AWDLOCALDB
S3 TnIDriver;TnIDriver;\??\C:\DOCUME~1\Matthew\LOCALS~1\Temp\tni4D8.tmp
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys
S4 IISADMIN;IIS Admin;C:\WINDOWS\System32\inetsrv\inetinfo.exe


Contents of the 'Scheduled Tasks' folder
2007-07-27 22:15:06 C:\WINDOWS\Tasks\1-Click Maintenance.job - C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
2007-07-31 18:05:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2002-04-16 13:34:48 C:\WINDOWS\Tasks\ISP signup reminder 1.job - C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
2007-07-25 17:31:52 C:\WINDOWS\Tasks\McDefragTask.job - c:\program files\mcafee\mqc\QcConsol.exe
2007-07-25 17:31:50 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-02 22:14:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-08-02 22:24:19 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-02 22:23
C:\ComboFix2.txt ... 2007-08-02 08:58
C:\ComboFix3.txt ... 2007-07-31 10:20

    --- E O F ---
Title: Clickspring removal-- what's the best method?
Post by: guestolo on August 03, 2007, 12:12:54 PM
It appears you used to have Symantec's (Norton's)

You should be able to safely disable this service in your hijackthis log
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

It should have no effect on Norton Ghost
Click Start > Run > and type in:

services.msc

Click OK.

In the services window find this exact name

SymWMI Service

Right click on it and choose "Properties".
Beside "Startup Type" in the dropdown menu select "Disabled".
On the "General" tab under "Service Status", if selectable, click the "Stop" button to stop the service.
Click Apply then OK.
Exit

Combofix quarantined some files related to Photoshop
I'm unsure by what means you acquired these, possibly illegally downloaded??
I'm not going to preach to you about it
Just be very careful with what you download; many illegal downloads carry malware
It is in a temp directory, are you having any problems with Photoshop?
Do you have it installed?

If everything is running ok, we'll do some final steps, just let me know the above please
Title: Clickspring removal-- what's the best method?
Post by: newt3 on August 03, 2007, 01:40:49 PM
I used to use Norton but now use McAfee since my ISP gives it to me for free.  I thought I removed it when I switched over.
As for Photoshop, it is installed but I didn't download it off the internet.  I actually haven't used it in a while and really don't use it much at all since I'm not that much of an artist.  The few times I have used it, I can't remember any problems using it.
Everything else you outlined I've done.
Title: Clickspring removal-- what's the best method?
Post by: guestolo on August 03, 2007, 02:07:06 PM
Do you have the latest version of Spybot installed?
Open Spybot, select
HELP>>ABOUT
Can you supply Spybot version and detection update date please
Title: Clickspring removal-- what's the best method?
Post by: newt3 on August 03, 2007, 03:39:43 PM
I had removed it after it didn't help with this problem initially.
However, I just downloaded it again.  It's version 1.4, with a detection update date of 8-1-2007.
Title: Clickspring removal-- what's the best method?
Post by: guestolo on August 03, 2007, 03:47:12 PM
[quote name='newt3' post='368025' date='Aug 3 2007, 01:39 PM']I had removed it after it didn't help with this problem initially.
However, I just downloaded it again.  It's version 1.4, with a detection update date of 8-1-2007.[/quote]
Thanks for reminding me to check for updates with Spybot, I was about 5 days behind :D

If everything is running better
I suggest that you still do the following

Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Select>>Create a New restore point
Give it a name and click Create
Windows will prompt when it was created successfully
When that's done

Go to START>>RUN>>type the following
cleanmgr
Hit OK
Let it finish calculating

Select the More Options tab
and click Cleanup.. under 'System Restore'
This will clear all later restore points except for the one you just made

Ok the prompts, it may take a few seconds to remove old restore points
Ok again after it's ready and let it finish cleaning


I would add a bit more protection to this computer
Install
SpywareBlaster 3.5.1 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html)   After installation, Check for updates
After updating, select "Protection" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"

Hold onto Spybot
Utilize the Immunization feature in Spybot 1.4
After every update
Click the "Immunize" button>>OK the prompt>>Immunize again at the top green cross

If there are other user profiles on the computer, have them login and
click the "enable all protections" with Spywareblaster under the Protection tab
and Immunize with Spybot after every update

Let's remove some files/folders that we used/produced
Download this tool:
[color="blue"]OTMoveIt[/color] (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer:
After reboot you can empty your recycle bin

If all is well, I'll lock this topic
Check back in and let me know please
Title: Clickspring removal-- what's the best method?
Post by: newt3 on August 13, 2007, 09:30:42 PM


Hey guestolo,
Sorry for taking so long to respond.  Anyway, looks like you're the man!  I've followed your plan, and so far, no problems.  Thanks man.  Woo hoo!!!
Title: Clickspring removal-- what's the best method?
Post by: guestolo on August 21, 2007, 09:06:18 PM
Glad to help
I'll lock this topic as your problems appear resolved
Take care newt3 :)