TheTechGuide Forum
General Category => Tech Clinic => Topic started by: StephenK on January 01, 2008, 02:23:11 PM
-
Well Im running an HP notebook model dv5215us and I've been having some problems lately. It's been loading and functioning very slow at times and sometimes its worse but it's always slow now. Here is my Hijackthis log. Please help!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:20:10 PM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR (http://\"http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR (http://\"http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677 (http://\"http://go.microsoft.com/fwlink/?linkid=677\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com (http://\"http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html (http://\"http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com (http://\"http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR (http://\"http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: RS2 Toolbar - {ea1194ad-f64b-4fe2-bead-5881d52f2754} - C:\Program Files\RS2\tbRS2.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {149D5630-08D5-4230-B613-9F0464325B14} - C:\WINDOWS\system32\mllml.dll (file missing)
O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C2E5187F9EAF75760EA83FA5EF80752B94E2DD7B5974442F3DC1 - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: CleanMyPC Popup Blocker - {7A9BC6B1-7F27-47c6-A66D-13582E81E537} - C:\Program Files\CleanMyPC Popup Blocker\CleanBHO.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\wvlgycty.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: RS2 Toolbar - {ea1194ad-f64b-4fe2-bead-5881d52f2754} - C:\Program Files\RS2\tbRS2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: RS2 Toolbar - {ea1194ad-f64b-4fe2-bead-5881d52f2754} - C:\Program Files\RS2\tbRS2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: CleanMyPC Toolbar - {04164EC4-1E48-4279-818E-3721931E7636} - C:\Program Files\CleanMyPC Popup Blocker\CleanBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [ishost.exe] ishost.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program (http://\"http://file:///C:Program\") Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx (http://\"http://favorites.live.com/quickadd.aspx\")
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program (http://\"http://file:///C:Program\") Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program (http://\"http://file:///C:Program\") Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program (http://\"http://file:///C:Program\") Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.jcash.biz/l/cb0eeb4cfe61748c96...c5b50e8d_13.exe (http://\"http://code.jcash.biz/l/cb0eeb4cfe61748c964a1c41c5b50e8d_13.exe\")
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer...DataManager.CAB (http://\"http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 (http://\"http://go.microsoft.com/fwlink/?linkid=39204\")
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab (http://\"http://download.movienetworks.com/install/US/altpmtscab.cab\")
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab (http://\"http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab\")
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab (http://\"http://upload.facebook.com/controls/FacebookPhotoUploader.cab\")
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab (http://\"http://www.acclaim.com/cabs/acclaim_v4.cab\")
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/53/install/gtdownls.cab (http://\"http://www.linksysfix.com/netcheck/53/install/gtdownls.cab\")
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab (http://\"http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab\")
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.shockwave.com/content/cinematyc...inematycoon.cab (http://\"http://www.shockwave.com/content/cinematycoon/sis/cinematycoon.cab\")
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...100/mcfscan.cab (http://\"http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5100/mcfscan.cab\")
O20 - Winlogon Notify: mllml - C:\WINDOWS\system32\mllml.dll (file missing)
O20 - Winlogon Notify: winjrs32 - winjrs32.dll (file missing)
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
--
End of file - 12978 bytes
-
Ive the the SmitFraudFix and Combofix reports if needed. Here they are.
SmitFraudFix v2.274
Scan done at 14:46:05.98, Wed 01/02/2008
Run from C:\Documents and Settings\Stephen Kelly\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\28463\QMYF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Stephen Kelly
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Stephen Kelly\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\STEPHE~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix.exe by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Broadcom 802.11b/g WLAN - Packet Scheduler Miniport
DNS Server Search Order: 68.87.74.162
DNS Server Search Order: 68.87.68.162
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EA634AD7-86BA-4B57-A8BD-71E09577023D}: DhcpNameServer=68.87.74.162 68.87.68.162
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EA634AD7-86BA-4B57-A8BD-71E09577023D}: DhcpNameServer=68.87.74.162 68.87.68.162
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.74.162 68.87.68.162
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.74.162 68.87.68.162
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
ComboFix 08-01-02.1 - Stephen Kelly 2008-01-01 14:34:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.537 [GMT -5:00]
Running from: C:\Documents and Settings\Stephen Kelly\Local Settings\Temporary Internet Files\Content.IE5\9M6YS4OK\ComboFix[1].exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Stephen Kelly\Application Data\searchtoolbarcorp
C:\Documents and Settings\Stephen Kelly\Application Data\searchtoolbarcorp\Toolbar Vision\PageHistory.txt
C:\Documents and Settings\Stephen Kelly\Application Data\searchtoolbarcorp\Toolbar Vision\WebHistory.txt
C:\Program Files\Common Files\{76733~1
C:\WINDOWS\system32\components
C:\WINDOWS\system32\components\flx0.dll
C:\WINDOWS\system32\components\flx1.dll
C:\WINDOWS\system32\components\flx10.dll
C:\WINDOWS\system32\components\flx11.dll
C:\WINDOWS\system32\components\flx12.dll
C:\WINDOWS\system32\components\flx13.dll
C:\WINDOWS\system32\components\flx14.dll
C:\WINDOWS\system32\components\flx15.dll
C:\WINDOWS\system32\components\flx16.dll
C:\WINDOWS\system32\components\flx17.dll
C:\WINDOWS\system32\components\flx18.dll
C:\WINDOWS\system32\components\flx19.dll
C:\WINDOWS\system32\components\flx2.dll
C:\WINDOWS\system32\components\flx20.dll
C:\WINDOWS\system32\components\flx21.dll
C:\WINDOWS\system32\components\flx22.dll
C:\WINDOWS\system32\components\flx23.dll
C:\WINDOWS\system32\components\flx24.dll
C:\WINDOWS\system32\components\flx25.dll
C:\WINDOWS\system32\components\flx26.dll
C:\WINDOWS\system32\components\flx27.dll
C:\WINDOWS\system32\components\flx28.dll
C:\WINDOWS\system32\components\flx29.dll
C:\WINDOWS\system32\components\flx3.dll
C:\WINDOWS\system32\components\flx30.dll
C:\WINDOWS\system32\components\flx31.dll
C:\WINDOWS\system32\components\flx32.dll
C:\WINDOWS\system32\components\flx33.dll
C:\WINDOWS\system32\components\flx34.dll
C:\WINDOWS\system32\components\flx35.dll
C:\WINDOWS\system32\components\flx36.dll
C:\WINDOWS\system32\components\flx37.dll
C:\WINDOWS\system32\components\flx38.dll
C:\WINDOWS\system32\components\flx39.dll
C:\WINDOWS\system32\components\flx4.dll
C:\WINDOWS\system32\components\flx40.dll
C:\WINDOWS\system32\components\flx41.dll
C:\WINDOWS\system32\components\flx42.dll
C:\WINDOWS\system32\components\flx43.dll
C:\WINDOWS\system32\components\flx44.dll
C:\WINDOWS\system32\components\flx45.dll
C:\WINDOWS\system32\components\flx46.dll
C:\WINDOWS\system32\components\flx47.dll
C:\WINDOWS\system32\components\flx48.dll
C:\WINDOWS\system32\components\flx49.dll
C:\WINDOWS\system32\components\flx5.dll
C:\WINDOWS\system32\components\flx50.dll
C:\WINDOWS\system32\components\flx51.dll
C:\WINDOWS\system32\components\flx52.dll
C:\WINDOWS\system32\components\flx53.dll
C:\WINDOWS\system32\components\flx54.dll
C:\WINDOWS\system32\components\flx55.dll
C:\WINDOWS\system32\components\flx56.dll
C:\WINDOWS\system32\components\flx57.dll
C:\WINDOWS\system32\components\flx58.dll
C:\WINDOWS\system32\components\flx59.dll
C:\WINDOWS\system32\components\flx6.dll
C:\WINDOWS\system32\components\flx60.dll
C:\WINDOWS\system32\components\flx61.dll
C:\WINDOWS\system32\components\flx62.dll
C:\WINDOWS\system32\components\flx63.dll
C:\WINDOWS\system32\components\flx64.dll
C:\WINDOWS\system32\components\flx65.dll
C:\WINDOWS\system32\components\flx66.dll
C:\WINDOWS\system32\components\flx67.dll
C:\WINDOWS\system32\components\flx68.dll
C:\WINDOWS\system32\components\flx69.dll
C:\WINDOWS\system32\components\flx7.dll
C:\WINDOWS\system32\components\flx70.dll
C:\WINDOWS\system32\components\flx71.dll
C:\WINDOWS\system32\components\flx72.dll
C:\WINDOWS\system32\components\flx73.dll
C:\WINDOWS\system32\components\flx74.dll
C:\WINDOWS\system32\components\flx75.dll
C:\WINDOWS\system32\components\flx76.dll
C:\WINDOWS\system32\components\flx77.dll
C:\WINDOWS\system32\components\flx78.dll
C:\WINDOWS\system32\components\flx79.dll
C:\WINDOWS\system32\components\flx8.dll
C:\WINDOWS\system32\components\flx80.dll
C:\WINDOWS\system32\components\flx81.dll
C:\WINDOWS\system32\components\flx82.dll
C:\WINDOWS\system32\components\flx83.dll
C:\WINDOWS\system32\components\flx84.dll
C:\WINDOWS\system32\components\flx9.dll
C:\WINDOWS\system32\mcrh.tmp
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2007-12-02 to 2008-01-02 )))))))))))))))))))))))))))))))
.
2008-01-01 14:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-01 14:19 . 2008-01-01 14:19 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-18 19:47 . 2007-12-18 19:47 <DIR> d-------- C:\Program Files\Pivot Stickfigure Animator
2007-12-02 21:06 . 2007-12-02 21:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-02 21:06 . 2007-12-02 21:06 1,409 --a------ C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-01 19:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-21 15:10 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-04 21:30 --------- d-----w C:\Program Files\Warcraft III
2007-11-30 21:10 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-30 21:09 --------- d-----w C:\Program Files\Windows Live Favorites
2007-11-18 04:24 --------- d-----w C:\Documents and Settings\Stephen Kelly\Application Data\Ventrilo
2007-11-18 04:22 --------- d-----w C:\Program Files\Ventrilo
2007-11-18 04:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-17 01:16 --------- d-----w C:\Documents and Settings\Stephen Kelly\Application Data\SiteAdvisor
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 00:56 126,976 ----a-w C:\WINDOWS\War3Unin.exe
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 22:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2005-09-24 07:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2006-10-05 01:03 958,846 --sha-w C:\WINDOWS\system32\lmllm.bak2
2006-10-06 12:57 5,860 --sha-w C:\WINDOWS\system32\lmllm.ini2
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{149D5630-08D5-4230-B613-9F0464325B14}]
C:\WINDOWS\system32\mllml.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56F1D444-11BF-4879-A12B-79CF0177F038}]
c:\program files\zango\zangohook.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{821F87FF-8245-4972-9E28-732E92EC2F51}
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{EA1194AD-F64B-4FE2-BEAD-5881D52F2754}
{0BF43445-2F28-4351-9252-17FE6E806AA0}
{04164EC4-1E48-4279-818E-3721931E7636}
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
[HKEY_CLASSES_ROOT\clsid\{821f87ff-8245-4972-9e28-732e92ec2f51}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{821F87FF-8245-4972-9E28-732E92EC2F51}"= C:\Program Files\VSToolbar\VSToolBar.dll [ ]
[HKEY_CLASSES_ROOT\clsid\{821f87ff-8245-4972-9e28-732e92ec2f51}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 10:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 00:25 68856]
"License Manager"="C:\Program Files\License_Manager\license_manager.exe" [ ]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49 4662776]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-11-24 14:16 118784]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17 50736]
"Registry Cleaner Scheduler"="C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" [2007-08-23 04:51 450816]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-26 13:08 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
"QMYF Agent"="C:\WINDOWS\system32\28463\QMYF.exe" [2007-08-07 17:11 483328]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-13 13:05 36640]
C:\Documents and Settings\Stephen Kelly\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [2005-10-19 20:51:51]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllml]
C:\WINDOWS\system32\mllml.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjrs32]
winjrs32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-11-10 23:05 344064 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
c:\Program Files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2005-08-01 16:26 233534 --a------ C:\Program Files\HPQ\Default Settings\cpqset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-10 10:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 23:56 64512 --a------ C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1153937209\EE\AOLHostManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-11 22:12 49152 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2005-12-13 15:45 507904 --a------ C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2005-12-12 13:39 94208 --a------ C:\Program Files\HP\QuickPlay\QPService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
2005-10-11 12:23 1187840 --------- C:\Windows\SMINST\RecGuard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2006-02-09 11:52 643072 --------- C:\Windows\CREATOR\Remind_XP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 15:03 36975 --a------ C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-06-19 15:50 729178 --a------ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 04:06]
S2 pciinfo;HP Pci Information;C:\DOCUME~1\STEPHE~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 16:10]
*Newly Created Service* - PROCEXP90
*Newly Created Service* - SITEADVISOR_SERVICE
.
Contents of the 'Scheduled Tasks' folder
"2007-12-28 14:51:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net (http://\"http://www.gmer.net\")
Rootkit scan 2008-01-02 14:40:31
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
.
Completion time: 2008-01-02 14:41:12
ComboFix-quarantined-files.txt 2008-01-02 19:40:58
.
2007-12-13 21:52:40 --- E O F ---
-
Download this file - Combofix.exe (http://\"http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe\") and save it ONLY to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
It's default location is C:\Combofix.txt
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Post that log please
-
That log is on the bottom but I'll repost it here.
ComboFix 08-01-02.1 - Stephen Kelly 2008-01-01 14:34:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.537 [GMT -5:00]
Running from: C:\Documents and Settings\Stephen Kelly\Local Settings\Temporary Internet Files\Content.IE5\9M6YS4OK\ComboFix[1].exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Stephen Kelly\Application Data\searchtoolbarcorp
C:\Documents and Settings\Stephen Kelly\Application Data\searchtoolbarcorp\Toolbar Vision\PageHistory.txt
C:\Documents and Settings\Stephen Kelly\Application Data\searchtoolbarcorp\Toolbar Vision\WebHistory.txt
C:\Program Files\Common Files\{76733~1
C:\WINDOWS\system32\components
C:\WINDOWS\system32\components\flx0.dll
C:\WINDOWS\system32\components\flx1.dll
C:\WINDOWS\system32\components\flx10.dll
C:\WINDOWS\system32\components\flx11.dll
C:\WINDOWS\system32\components\flx12.dll
C:\WINDOWS\system32\components\flx13.dll
C:\WINDOWS\system32\components\flx14.dll
C:\WINDOWS\system32\components\flx15.dll
C:\WINDOWS\system32\components\flx16.dll
C:\WINDOWS\system32\components\flx17.dll
C:\WINDOWS\system32\components\flx18.dll
C:\WINDOWS\system32\components\flx19.dll
C:\WINDOWS\system32\components\flx2.dll
C:\WINDOWS\system32\components\flx20.dll
C:\WINDOWS\system32\components\flx21.dll
C:\WINDOWS\system32\components\flx22.dll
C:\WINDOWS\system32\components\flx23.dll
C:\WINDOWS\system32\components\flx24.dll
C:\WINDOWS\system32\components\flx25.dll
C:\WINDOWS\system32\components\flx26.dll
C:\WINDOWS\system32\components\flx27.dll
C:\WINDOWS\system32\components\flx28.dll
C:\WINDOWS\system32\components\flx29.dll
C:\WINDOWS\system32\components\flx3.dll
C:\WINDOWS\system32\components\flx30.dll
C:\WINDOWS\system32\components\flx31.dll
C:\WINDOWS\system32\components\flx32.dll
C:\WINDOWS\system32\components\flx33.dll
C:\WINDOWS\system32\components\flx34.dll
C:\WINDOWS\system32\components\flx35.dll
C:\WINDOWS\system32\components\flx36.dll
C:\WINDOWS\system32\components\flx37.dll
C:\WINDOWS\system32\components\flx38.dll
C:\WINDOWS\system32\components\flx39.dll
C:\WINDOWS\system32\components\flx4.dll
C:\WINDOWS\system32\components\flx40.dll
C:\WINDOWS\system32\components\flx41.dll
C:\WINDOWS\system32\components\flx42.dll
C:\WINDOWS\system32\components\flx43.dll
C:\WINDOWS\system32\components\flx44.dll
C:\WINDOWS\system32\components\flx45.dll
C:\WINDOWS\system32\components\flx46.dll
C:\WINDOWS\system32\components\flx47.dll
C:\WINDOWS\system32\components\flx48.dll
C:\WINDOWS\system32\components\flx49.dll
C:\WINDOWS\system32\components\flx5.dll
C:\WINDOWS\system32\components\flx50.dll
C:\WINDOWS\system32\components\flx51.dll
C:\WINDOWS\system32\components\flx52.dll
C:\WINDOWS\system32\components\flx53.dll
C:\WINDOWS\system32\components\flx54.dll
C:\WINDOWS\system32\components\flx55.dll
C:\WINDOWS\system32\components\flx56.dll
C:\WINDOWS\system32\components\flx57.dll
C:\WINDOWS\system32\components\flx58.dll
C:\WINDOWS\system32\components\flx59.dll
C:\WINDOWS\system32\components\flx6.dll
C:\WINDOWS\system32\components\flx60.dll
C:\WINDOWS\system32\components\flx61.dll
C:\WINDOWS\system32\components\flx62.dll
C:\WINDOWS\system32\components\flx63.dll
C:\WINDOWS\system32\components\flx64.dll
C:\WINDOWS\system32\components\flx65.dll
C:\WINDOWS\system32\components\flx66.dll
C:\WINDOWS\system32\components\flx67.dll
C:\WINDOWS\system32\components\flx68.dll
C:\WINDOWS\system32\components\flx69.dll
C:\WINDOWS\system32\components\flx7.dll
C:\WINDOWS\system32\components\flx70.dll
C:\WINDOWS\system32\components\flx71.dll
C:\WINDOWS\system32\components\flx72.dll
C:\WINDOWS\system32\components\flx73.dll
C:\WINDOWS\system32\components\flx74.dll
C:\WINDOWS\system32\components\flx75.dll
C:\WINDOWS\system32\components\flx76.dll
C:\WINDOWS\system32\components\flx77.dll
C:\WINDOWS\system32\components\flx78.dll
C:\WINDOWS\system32\components\flx79.dll
C:\WINDOWS\system32\components\flx8.dll
C:\WINDOWS\system32\components\flx80.dll
C:\WINDOWS\system32\components\flx81.dll
C:\WINDOWS\system32\components\flx82.dll
C:\WINDOWS\system32\components\flx83.dll
C:\WINDOWS\system32\components\flx84.dll
C:\WINDOWS\system32\components\flx9.dll
C:\WINDOWS\system32\mcrh.tmp
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2007-12-02 to 2008-01-02 )))))))))))))))))))))))))))))))
.
2008-01-01 14:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-01 14:19 . 2008-01-01 14:19 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-18 19:47 . 2007-12-18 19:47 <DIR> d-------- C:\Program Files\Pivot Stickfigure Animator
2007-12-02 21:06 . 2007-12-02 21:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-02 21:06 . 2007-12-02 21:06 1,409 --a------ C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-01 19:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-21 15:10 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-04 21:30 --------- d-----w C:\Program Files\Warcraft III
2007-11-30 21:10 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-30 21:09 --------- d-----w C:\Program Files\Windows Live Favorites
2007-11-18 04:24 --------- d-----w C:\Documents and Settings\Stephen Kelly\Application Data\Ventrilo
2007-11-18 04:22 --------- d-----w C:\Program Files\Ventrilo
2007-11-18 04:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-17 01:16 --------- d-----w C:\Documents and Settings\Stephen Kelly\Application Data\SiteAdvisor
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 00:56 126,976 ----a-w C:\WINDOWS\War3Unin.exe
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 22:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2005-09-24 07:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2006-10-05 01:03 958,846 --sha-w C:\WINDOWS\system32\lmllm.bak2
2006-10-06 12:57 5,860 --sha-w C:\WINDOWS\system32\lmllm.ini2
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{149D5630-08D5-4230-B613-9F0464325B14}]
C:\WINDOWS\system32\mllml.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56F1D444-11BF-4879-A12B-79CF0177F038}]
c:\program files\zango\zangohook.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{821F87FF-8245-4972-9E28-732E92EC2F51}
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{EA1194AD-F64B-4FE2-BEAD-5881D52F2754}
{0BF43445-2F28-4351-9252-17FE6E806AA0}
{04164EC4-1E48-4279-818E-3721931E7636}
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
[HKEY_CLASSES_ROOT\clsid\{821f87ff-8245-4972-9e28-732e92ec2f51}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{821F87FF-8245-4972-9E28-732E92EC2F51}"= C:\Program Files\VSToolbar\VSToolBar.dll [ ]
[HKEY_CLASSES_ROOT\clsid\{821f87ff-8245-4972-9e28-732e92ec2f51}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 10:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 00:25 68856]
"License Manager"="C:\Program Files\License_Manager\license_manager.exe" [ ]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49 4662776]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-11-24 14:16 118784]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17 50736]
"Registry Cleaner Scheduler"="C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" [2007-08-23 04:51 450816]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-26 13:08 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
"QMYF Agent"="C:\WINDOWS\system32\28463\QMYF.exe" [2007-08-07 17:11 483328]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-13 13:05 36640]
C:\Documents and Settings\Stephen Kelly\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [2005-10-19 20:51:51]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllml]
C:\WINDOWS\system32\mllml.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjrs32]
winjrs32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-11-10 23:05 344064 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
c:\Program Files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2005-08-01 16:26 233534 --a------ C:\Program Files\HPQ\Default Settings\cpqset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-10 10:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 23:56 64512 --a------ C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1153937209\EE\AOLHostManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-11 22:12 49152 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2005-12-13 15:45 507904 --a------ C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2005-12-12 13:39 94208 --a------ C:\Program Files\HP\QuickPlay\QPService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
2005-10-11 12:23 1187840 --------- C:\Windows\SMINST\RecGuard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2006-02-09 11:52 643072 --------- C:\Windows\CREATOR\Remind_XP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 15:03 36975 --a------ C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-06-19 15:50 729178 --a------ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 04:06]
S2 pciinfo;HP Pci Information;C:\DOCUME~1\STEPHE~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 16:10]
*Newly Created Service* - PROCEXP90
*Newly Created Service* - SITEADVISOR_SERVICE
.
Contents of the 'Scheduled Tasks' folder
"2007-12-28 14:51:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net (http://\"http://www.gmer.net\")
Rootkit scan 2008-01-02 14:40:31
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
.
Completion time: 2008-01-02 14:41:12
ComboFix-quarantined-files.txt 2008-01-02 19:40:58
.
2007-12-13 21:52:40 --- E O F ---
-
Can you do the following
Please supply an uninstall list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents
-
Heres the list you asked for:
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat and Reader 6.0.3 Update
Adobe Flash Player 9 ActiveX
Adobe Reader 6.0.1
Adobe Shockwave Player
AIM 6
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Instant Messenger
ArtMoney SE v7.22
Athlon 64 Processor Driver
ATI Control Panel
ATI Display Driver
Axife Mouse Recorder DEMO 5.01
Before You Know It
Blackhawk Striker 2 from Hewlett-Packard Laptops (remove only)
Blasterball 2 from Hewlett-Packard Laptops (remove only)
Boggle Supreme from Hewlett-Packard Laptops (remove only)
Bookworm Deluxe from Hewlett-Packard Laptops (remove only)
Bots
Broadcom 802.11 Wireless LAN Adapter
Chuzzle Deluxe from Hewlett-Packard Laptops (remove only)
CleanMyPC - Registry Cleaner
CleanMyPC Popup Blocker
Conexant AC-Link Audio
Customer Experience Enhancement
Direct Show Ogg Vorbis Filter (remove only)
Easy Internet Sign-up
ESPNMotion
ewido anti-spyware 4.0
Flip Words from Hewlett-Packard Laptops (remove only)
Form Fill (Windows Live Toolbar)
GemMaster Mystic
Google Desktop Search
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP BatteryCheck 1.00 A7
HP Document Viewer 5.3
HP Extended Capabilities 5.3
HP Game Console and games
HP Help and Support
HP Imaging Device Functions 6.0
HP Photosmart Premier Software 6.0
HP PSC & OfficeJet 5.3.A
HP QuickPlay 2.0
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HP User Guides 0025
HP User Guides--System Recovery
HP Wireless Assistant 2.00 C1
HyperCam 2
ijji
Insaniquarium Deluxe from Hewlett-Packard Laptops (remove only)
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
Java 2 SDK Standard Edition v1.2.2_017
Java 2 SDK Standard Edition v1.3.0_05
Java(tm) 6 Update 2
Java(tm) SE Runtime Environment 6 Update 1
Jewel Quest from Hewlett-Packard Laptops (remove only)
KalOnlineEng
Language of Nature
Lexibox Deluxe from Hewlett-Packard Laptops (remove only)
LimeWire 4.14.8
LiveUpdate 3.0 (Symantec Corporation)
Mah Jong Quest from Hewlett-Packard Laptops (remove only)
Mall Tycoon 2 Deluxe
Map Button (Windows Live Toolbar)
Math Trek - Algebra 1
McAfee SiteAdvisor
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Money 2006
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Microsoft Zoo Tycoon
Middle School Vocabulary
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
muvee autoProducer 4.5
Need For Extreme v.2.0
Office 2003 Trial Assistant
OneCare Advisor (Windows Live Toolbar)
Otto
Pivot Stickfigure Animator
Popup Blocker (Windows Live Toolbar)
Quick Launch Buttons 5.20 G1
Quicken 2006
QuickTime
RealPlayer Basic
Registry Defender
Rhapsody Player Engine
RS2 Toolbar
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Slingo Deluxe from Hewlett-Packard Laptops (remove only)
Soft Data Fax Modem with SmartCP
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
SonicAC3Encoder
SonicMPEGEncoder
Stronghold 2
Super Granny from Hewlett-Packard Laptops (remove only)
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TourSetup
Update for Windows Internet Explorer 7 Beta 3 (KB922880)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Ventrilo Client
Viewpoint Media Player
VSToolbar for Internet Explorer
WildTangent Web Driver
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7 Beta 3
Windows Live Favorites for Windows Live Toolbar
Windows Live Messenger
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885464
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB888402
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890546
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892559
Windows XP Media Center Edition 2005 KB925766
WinPcap 3.1
Wireless Home Network Setup
World of Warcraft
Xfire (remove only)
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
Zuma Deluxe from Hewlett-Packard Laptops (remove only)
-
Do a "System scan only" with Hijackthis and put a check next to these entries:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com (http://\"http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html (http://\"http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com (http://\"http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.jcash.biz/l/cb0eeb4cfe61748c96...c5b50e8d_13.exe (http://\"http://code.jcash.biz/l/cb0eeb4cfe61748c96...c5b50e8d_13.exe\")
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
[color=\"blue\"]Your Java Runtime Environment is out of date.[/color] Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
[color=\"blue\"]Updating Java:[/color]- Download the latest version of Java Runtime Environment (JRE) 6u3 (http://\"http://java.sun.com/javase/downloads/index.jsp\").
- Scroll down to where it says "Java Runtime Enviroinment (JRE) 6u3, The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
- Click the "Download" button to the right.
- Check the box that says: "Accept License Agreement[/i]".
- The page will refresh.
- Click on the link to download Windows Offline Installation, Multi-language and save it to your desktop (13.16 MB).
- Close any programs you may have running - especially any web browsers.
- Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name.>>This includes all the following
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
Java 2 SDK Standard Edition v1.2.2_017
Java 2 SDK Standard Edition v1.3.0_05
Javaâ„¢ 6 Update 2
Javaâ„¢ SE Runtime Environment 6 Update 1
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java versions.
- DO NOT Reboot the computer yet, even if prompted
Do Not install the latest version yet
Remain in add/remove programs and remove the following
The next one, usually because it gets unknowingly installed by programs such as AIM and AOL IM
Viewpoint Media Player
Still in Add/remove programs remove
VSToolbar for Internet Explorer
WildTangent Web Driver
If you didn't intentionally install WinPcap 3.1
Remove it also
==Open notepad and copy/paste the text in the quotebox below into it:
Don't use anything else than notepad or the script will not work
File::
C:\WINDOWS\system32\lmllm.bak2
C:\WINDOWS\system32\lmllm.ini2
C:\WINDOWS\system32\mllml.dll
C:\WINDOWS\SYSTEM32\winjrs32.dll
C:\WINDOWS\system32\28463\QMYF.exe
Folder::
c:\program files\zango
C:\Program Files\VSToolbar
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{149D5630-08D5-4230-B613-9F0464325B14}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56F1D444-11BF-4879-A12B-79CF0177F038}]
[-HKEY_CLASSES_ROOT\clsid\{821f87ff-8245-4972-9e28-732e92ec2f51}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{821F87FF-8245-4972-9E28-732E92EC2F51}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{821F87FF-8245-4972-9E28-732E92EC2F51}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllml]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjrs32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"ishost.exe"=-
DirLook::
C:\WINDOWS\system32\28463
Save this as txtfile on your desktop
CFScript
(http://img.photobucket.com/albums/v666/sUBs/CFScript.gif)
Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Don't mouse click on it, let it complete
When finished, it shall produce a log for you again, with the same name C:\ComboFix.txt..
I'll need to see that log again later
Go ahead and install the latest version of Java from the installer on desktop
1. Post the log from Combofix
2. Post a fresh hijackthis log
NOTE: I see you have parts of Symantec's AV disabled from running on startup
Why is that?
Is Norton's outdated?
-
Okay, I did as you asked and here are the logs:
Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:50:04 PM, on 1/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677 (http://\"http://go.microsoft.com/fwlink/?linkid=677\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR (http://\"http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop\")
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: RS2 Toolbar - {ea1194ad-f64b-4fe2-bead-5881d52f2754} - C:\Program Files\RS2\tbRS2.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CleanMyPC Popup Blocker - {7A9BC6B1-7F27-47c6-A66D-13582E81E537} - C:\Program Files\CleanMyPC Popup Blocker\CleanBHO.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: RS2 Toolbar - {ea1194ad-f64b-4fe2-bead-5881d52f2754} - C:\Program Files\RS2\tbRS2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: RS2 Toolbar - {ea1194ad-f64b-4fe2-bead-5881d52f2754} - C:\Program Files\RS2\tbRS2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: CleanMyPC Toolbar - {04164EC4-1E48-4279-818E-3721931E7636} - C:\Program Files\CleanMyPC Popup Blocker\CleanBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QMYF Agent] C:\WINDOWS\system32\28463\QMYF.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx (http://\"http://favorites.live.com/quickadd.aspx\")
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer...DataManager.CAB (http://\"http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 (http://\"http://go.microsoft.com/fwlink/?linkid=39204\")
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab (http://\"http://download.movienetworks.com/install/US/altpmtscab.cab\")
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab (http://\"http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab\")
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab (http://\"http://upload.facebook.com/controls/FacebookPhotoUploader.cab\")
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab (http://\"http://www.acclaim.com/cabs/acclaim_v4.cab\")
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/53/install/gtdownls.cab (http://\"http://www.linksysfix.com/netcheck/53/install/gtdownls.cab\")
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab (http://\"http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab\")
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.shockwave.com/content/cinematyc...inematycoon.cab (http://\"http://www.shockwave.com/content/cinematycoon/sis/cinematycoon.cab\")
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...100/mcfscan.cab (http://\"http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5100/mcfscan.cab\")
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
--
End of file - 10868 bytes
Here is the Combofix log:
ComboFix 08-01-02.1 - Stephen Kelly 2008-01-02 16:25:51.2 - NTFSx86
Running from: C:\Documents and Settings\Stephen Kelly\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Stephen Kelly\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\system32\28463\QMYF.exe
C:\WINDOWS\system32\lmllm.bak2
C:\WINDOWS\system32\lmllm.ini2
C:\WINDOWS\system32\mllml.dll
C:\WINDOWS\SYSTEM32\winjrs32.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\VSToolbar
C:\WINDOWS\system32\28463\QMYF.exe
C:\WINDOWS\system32\lmllm.bak2
C:\WINDOWS\system32\lmllm.ini2
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_NPF
((((((((((((((((((((((((( Files Created from 2007-12-02 to 2008-01-02 )))))))))))))))))))))))))))))))
.
2008-01-02 14:46 . 2008-01-02 14:46 778 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-02 14:45 . 2008-01-02 14:44 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-02 14:45 . 2008-01-02 14:44 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-02 14:45 . 2008-01-02 14:44 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-02 14:45 . 2008-01-02 14:44 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-01-02 14:45 . 2008-01-02 14:44 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-02 14:45 . 2008-01-02 14:44 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-01 14:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-01 14:19 . 2008-01-01 14:19 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-18 19:47 . 2007-12-18 19:47 <DIR> d-------- C:\Program Files\Pivot Stickfigure Animator
2007-12-02 21:06 . 2007-12-02 21:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-02 21:06 . 2007-12-02 21:06 1,409 --a------ C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 21:21 --------- d-----w C:\Program Files\WildTangent
2008-01-02 21:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-02 21:18 --------- d-----w C:\Program Files\Java
2008-01-01 19:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-21 15:10 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-04 21:30 --------- d-----w C:\Program Files\Warcraft III
2007-11-30 21:10 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-30 21:09 --------- d-----w C:\Program Files\Windows Live Favorites
2007-11-18 04:24 --------- d-----w C:\Documents and Settings\Stephen Kelly\Application Data\Ventrilo
2007-11-18 04:22 --------- d-----w C:\Program Files\Ventrilo
2007-11-18 04:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-17 01:16 --------- d-----w C:\Documents and Settings\Stephen Kelly\Application Data\SiteAdvisor
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 00:56 126,976 ----a-w C:\WINDOWS\War3Unin.exe
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\WINDOWS\system32\28463 ----
2008-01-02 16:25 3214708 --a------ C:\WINDOWS\system32\28463\QMYF.002
2007-08-07 17:11 483328 --a------ C:\WINDOWS\system32\28463\QMYF.exe
2007-08-07 17:11 428 --a------ C:\WINDOWS\system32\28463\QMYF.001
2007-08-07 17:11 402944 --a------ C:\WINDOWS\system32\28463\AKV.exe
2007-08-07 16:45 7680 --a------ C:\WINDOWS\system32\28463\QMYF.006
2007-08-07 16:45 5632 --a------ C:\WINDOWS\system32\28463\QMYF.007
((((((((((((((((((((((((((((( snapshot@2008-01-02_14.40.37.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 13:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2006-07-26 00:29:33 262,144 ---ha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2008-01-02 21:12:07 262,144 ---ha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 10:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 00:25 68856]
"License Manager"="C:\Program Files\License_Manager\license_manager.exe" [ ]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49 4662776]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-11-24 14:16 118784]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17 50736]
"Registry Cleaner Scheduler"="C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" [2007-08-23 04:51 450816]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-26 13:08 98304]
"QMYF Agent"="C:\WINDOWS\system32\28463\QMYF.exe" [ ]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-13 13:05 36640]
C:\Documents and Settings\Stephen Kelly\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [2005-10-19 20:51:51]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-11-10 23:05 344064 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
c:\Program Files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2005-08-01 16:26 233534 --a------ C:\Program Files\HPQ\Default Settings\cpqset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-10 10:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 23:56 64512 --a------ C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1153937209\EE\AOLHostManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-11 22:12 49152 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2005-12-13 15:45 507904 --a------ C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2005-12-12 13:39 94208 --a------ C:\Program Files\HP\QuickPlay\QPService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
2005-10-11 12:23 1187840 --------- C:\Windows\SMINST\RecGuard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2006-02-09 11:52 643072 --------- C:\Windows\CREATOR\Remind_XP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-06-19 15:50 729178 --a------ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 04:06]
S2 pciinfo;HP Pci Information;C:\DOCUME~1\STEPHE~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys []
.
Contents of the 'Scheduled Tasks' folder
"2008-01-02 19:51:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net (http://\"http://www.gmer.net\")
Rootkit scan 2008-01-02 16:31:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\Google\Google Desktop Search\GoogleDesktopDeskbar2.dll
-> C:\Program Files\Google\Google Desktop Search\GoogleDesktopResources_en.dll
.
Completion time: 2008-01-02 16:36:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-02 21:36:06
ComboFix2.txt 2008-01-02 19:41:13
.
2007-12-13 21:52:40 --- E O F ---
-
I'm just stepping out for a bit, in the meantime can you do the following please
Use the Internet Explorer browser (or FireFox with IETab), and do an online scan with [color=\"blue\"]Kaspersky Online Scanner[/color] (http://\"http://www.kaspersky.com/virusscanner\")
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component
Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet [color=\"#3333FF\"]Explorer 7[/color] users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%[/i].)
The program launches and downloads the latest definition files. - Once the files are downloaded click on Next
- Click on Scan Settings and configure as follows:
- Scan using the following Anti-Virus database:[color=\"#6666CC\"]Extended[/color]
- Scan Options:[color=\"#6666CC\"]Scan Archives[/color]
[color=\"#6666CC\"]Scan Mail Bases[/color]
[/list]
[/list]
- Click OK and, under select a target to scan, select My Computer
When the scan is done, in the [color=\"Navy\"]Scan is completed [/color]window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
(http://img.photobucket.com/albums/v666/sUBs/Kas-SaveReport-1.gif)
(http://img.photobucket.com/albums/v666/sUBs/Kas-Savetxt.gif)
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the [color=\"Navy\"]Save as [/color]prompt, [color=\"navy\"]Save in[/color] area, select: Desktop
In the [color=\"navy\"]File name[/color] area, use KScan, or something similar
In [color=\"navy\"]Save as type[/color], click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the [color=\"Navy\"]Kaspersky Online Scanner Report [/color]in your reply.
-
Okay, I'm sorry I haven't had a chance to get on but I've completed the virus scan and here are the results:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, January 03, 2008 4:28:45 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/01/2008
Kaspersky Anti-Virus database records: 501220
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 81627
Number of viruses found: 16
Number of infected objects: 34
Number of suspicious objects: 0
Duration of the scan process: 22:39:32
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0314\values Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-01-02_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\006D5663.dll Infected: not-a-virus:AdWare.Win32.Mostofate.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\01046B95.exe Infected: Trojan.Win32.Dialer.qy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\02735789.exe Infected: Trojan-Downloader.Win32.Adload.jm skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\08493BAF.exe Infected: Trojan.Win32.Dialer.qy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\17FA2251.exe Infected: Trojan.Win32.Dialer.qy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\263A6C83.exe Infected: Trojan.Win32.Dialer.pz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\27F96496.exe/data0006 Infected: Trojan-Dropper.Win32.VB.nn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\27F96496.exe NSIS: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\27F96496.exe CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2EF30308.exe Infected: Trojan.Win32.Dialer.qy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\33984DA2.exe Infected: Trojan-Downloader.Win32.Zlob.agf skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\35BE048A.tmp Infected: Trojan.Win32.Dialer.pz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\362C29CA.tmp Infected: Trojan.Win32.Dialer.pz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\43371C9B.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\445E6177.exe Infected: Trojan.Win32.Dialer.qy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\48771EAB.exe Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\48811CA0.exe Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4894188A.tmp Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\506209AD.tmp Infected: Trojan.Win32.Dialer.pz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\508F3F00.exe Infected: Trojan.Win32.Dialer.pz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5CB334AF.dll Infected: Packed.Win32.Klone.g skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\66FE5838.exe Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\67157E1F.exe Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6A0A0ADD.exe Infected: Trojan.Win32.Dialer.qy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\71486CFF.exe Infected: Trojan-Downloader.Win32.Zlob.adg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7FD62951.exe Infected: Trojan-Downloader.Win32.Zlob.adg skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Stephen Kelly\Desktop\Stats of l1l4zn 9-15-07.png.exe Infected: Trojan-Spy.Win32.Ardamax.n skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Application Data\Google\Google Desktop Search\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Application Data\Google\Google Desktop Search\dbdam Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Application Data\Google\Google Desktop Search\dbdao Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Application Data\Google\Google Desktop Search\dbeam Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Application Data\Google\Google Desktop Search\dbeao Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Application Data\Google\Google Desktop Search\dbm Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Application Data\Google\Google Desktop Search\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Application Data\Google\Google Desktop Search\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Application Data\Google\Google Desktop Search\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Application Data\Google\Google Desktop Search\fii.cf1 Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Application Data\Google\Google Desktop Search\fiih.ht1 Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Application Data\Google\Google Desktop Search\rpm.cf1 Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Application Data\Google\Google Desktop Search\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Application Data\Microsoft\Messenger\stkelly95Email Removed\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Application Data\Microsoft\Messenger\stkelly95Email Removed\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Application Data\Microsoft\Messenger\stkelly95Email Removed\SharingMetadata\Working\database_5B95_8120_7673_3D6F\dfsr.db Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Application Data\Microsoft\Messenger\stkelly95Email Removed\SharingMetadata\Working\database_5B95_8120_7673_3D6F\fsr.log Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Application Data\Microsoft\Messenger\stkelly95Email Removed\SharingMetadata\Working\database_5B95_8120_7673_3D6F\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Application Data\Microsoft\Messenger\stkelly95Email Removed\SharingMetadata\Working\database_5B95_8120_7673_3D6F\tmp.edb Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Application Data\Microsoft\Windows Live Contacts\stkelly95Email Removed\real\members.stg Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Application Data\Microsoft\Windows Live Contacts\stkelly95Email Removed\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Temp\~DFCCB8.tmp Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Temp\~DFD39C.tmp Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Temp\~DFD3AF.tmp Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Temp\~DFDCFA.tmp Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Temp\~DFE458.tmp Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Temporary Internet Files\AntiPhishing\07FB382D-AA75-4683-82F4-EAB265A275CB.dat Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Local Settings\Temporary Internet Files\Content.IE5\SJ5BYDH5\FacebookPhotoUploader[1].cab Object is locked skipped
C:\Documents and Settings\Stephen Kelly\ntuser.dat Object is locked skipped
C:\Documents and Settings\Stephen Kelly\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Stephen Kelly\Shared\!! bilbo baggins leonard nimoey 43.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\28463\QMYF.exe.vir Infected: Trojan-Spy.Win32.Ardamax.e skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP164\A0145956.exe Infected: Trojan-Spy.Win32.Ardamax.e skipped
C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP165\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_AC97 Soft Data Fax Modem with SmartCP.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{64084280-F0E7-41B0-8FF6-74F7A715DA23}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\28463\AKV.exe Infected: not-a-virus:Monitor.Win32.Ardamax.o skipped
C:\WINDOWS\system32\28463\QMYF.006 Infected: not-a-virus:Monitor.Win32.Ardamax.271 skipped
C:\WINDOWS\system32\28463\QMYF.007 Infected: not-a-virus:Monitor.Win32.Ardamax.271 skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP165\change.log Object is locked skipped
Scan process completed.
-
Still a bit of cleaning to do
You have a Key logger on your machine, did you knowingly install it?
-
No I did not. Please help!
-
Download [color=\"blue\"]ATF Cleaner[/color] (http://\"http://www.atribune.org/ccount/click.php?id=1\")
to desktop
- Double-click ATF-Cleaner.exe to run the program.
- Click Select All found at the bottom of the list.
- Click the Empty Selected button.
If you use Firefox browser, do this also:
- Click Firefox at the top and choose Select All from the list.
- Click the Empty Selected button.
- [color=\"green\"]NOTE : If you would like to keep your saved passwords, please click No at the prompt.[/color]
If you use Opera browser, do this also:
- Click Opera at the top and choose Select All from the list.
- Click the Empty Selected button.
- [color=\"green\"]NOTE : If you would like to keep your saved passwords, please click No at the prompt.[/color]
Click Exit on the Main menu to close the program.
Download [color=\"blue\"]OTMoveIt2.exe[/color] (http://\"http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe\") by OldTimer:- Save it to your desktop.
- Please double-click OTMoveIt2.exe to run it.
- Copy the file/folder/reg. entry paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):
================================================
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\QMYF Agent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp
C:\WINDOWS\system32\28463
C:\Documents and Settings\Stephen Kelly\Desktop\Stats of l1l4zn 9-15-07.png.exe
======================================================
- Return to OTMoveIt2, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
- Click the red "[color=\"red\"]MoveIt![/color]" button.
- Close OTMoveIt.
[color=\"red\"]Note[/color]: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".
OTMoveIt would of created a log at this location
C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
Post back the contents of that log along with a fresh hijackthis log
-
I'm guessing this is the OTMoveIt2 log:
File/Folder HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\QMYF Agent not found.
File/Folder HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp not found.
C:\WINDOWS\system32\28463 moved successfully.
C:\Documents and Settings\Stephen Kelly\Desktop\Stats of l1l4zn 9-15-07.png.exe moved successfully.
File/Folder not found.
Created on 01032008_184735
Here is a fresh Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:50:59 PM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Stephen Kelly\Desktop\OTMoveIt2.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677 (http://\"http://go.microsoft.com/fwlink/?linkid=677\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR (http://\"http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop\")
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: RS2 Toolbar - {ea1194ad-f64b-4fe2-bead-5881d52f2754} - C:\Program Files\RS2\tbRS2.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CleanMyPC Popup Blocker - {7A9BC6B1-7F27-47c6-A66D-13582E81E537} - C:\Program Files\CleanMyPC Popup Blocker\CleanBHO.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: RS2 Toolbar - {ea1194ad-f64b-4fe2-bead-5881d52f2754} - C:\Program Files\RS2\tbRS2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: RS2 Toolbar - {ea1194ad-f64b-4fe2-bead-5881d52f2754} - C:\Program Files\RS2\tbRS2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: CleanMyPC Toolbar - {04164EC4-1E48-4279-818E-3721931E7636} - C:\Program Files\CleanMyPC Popup Blocker\CleanBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QMYF Agent] C:\WINDOWS\system32\28463\QMYF.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx (http://\"http://favorites.live.com/quickadd.aspx\")
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab (http://\"http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab\")
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer...DataManager.CAB (http://\"http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 (http://\"http://go.microsoft.com/fwlink/?linkid=39204\")
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab (http://\"http://download.movienetworks.com/install/US/altpmtscab.cab\")
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab (http://\"http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab\")
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab (http://\"http://upload.facebook.com/controls/FacebookPhotoUploader.cab\")
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab (http://\"http://www.acclaim.com/cabs/acclaim_v4.cab\")
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/53/install/gtdownls.cab (http://\"http://www.linksysfix.com/netcheck/53/install/gtdownls.cab\")
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab (http://\"http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab\")
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.shockwave.com/content/cinematyc...inematycoon.cab (http://\"http://www.shockwave.com/content/cinematycoon/sis/cinematycoon.cab\")
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...100/mcfscan.cab (http://\"http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5100/mcfscan.cab\")
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
--
End of file - 11009 bytes
-
My bad, we removed the file/folder, but not the registry entries
Can you do the following
- Please double-click OTMoveIt2.exe to run it.
- Copy the file/folder/reg. entry paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):
================================================
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\QMYF Agent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp
======================================================
- Return to OTMoveIt2, right-click on the "Paste List of Files/Patterns to Search for and Move" window (The lower box) and choose "Paste".
- Click the red "[color=\"red\"]MoveIt![/color]" button.
- Close OTMoveIt when it has completed.
[color=\"red\"]Note[/color]: If an entry cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".
OTMoveIt would of created a log at this location
C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
It will have a header of <Manual Searches> in the top part of the log
Can you post that one
Also include a fresh hijackthis log
Also, can you change all online passwords to Email, gaming, banking, etc....
This should be done since you had a keylogger on your machine
Let me know how things are running
-
File/Folder HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\QMYF Agent not found.
File/Folder HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp not found.
Created on 01032008_191425
and
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:10 PM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677 (http://\"http://go.microsoft.com/fwlink/?linkid=677\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR (http://\"http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop\")
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: RS2 Toolbar - {ea1194ad-f64b-4fe2-bead-5881d52f2754} - C:\Program Files\RS2\tbRS2.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CleanMyPC Popup Blocker - {7A9BC6B1-7F27-47c6-A66D-13582E81E537} - C:\Program Files\CleanMyPC Popup Blocker\CleanBHO.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: RS2 Toolbar - {ea1194ad-f64b-4fe2-bead-5881d52f2754} - C:\Program Files\RS2\tbRS2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: CleanMyPC Toolbar - {04164EC4-1E48-4279-818E-3721931E7636} - C:\Program Files\CleanMyPC Popup Blocker\CleanBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QMYF Agent] C:\WINDOWS\system32\28463\QMYF.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx (http://\"http://favorites.live.com/quickadd.aspx\")
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab (http://\"http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab\")
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer...DataManager.CAB (http://\"http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 (http://\"http://go.microsoft.com/fwlink/?linkid=39204\")
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab (http://\"http://download.movienetworks.com/install/US/altpmtscab.cab\")
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab (http://\"http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab\")
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab (http://\"http://upload.facebook.com/controls/FacebookPhotoUploader.cab\")
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab (http://\"http://www.acclaim.com/cabs/acclaim_v4.cab\")
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/53/install/gtdownls.cab (http://\"http://www.linksysfix.com/netcheck/53/install/gtdownls.cab\")
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab (http://\"http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab\")
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.shockwave.com/content/cinematyc...inematycoon.cab (http://\"http://www.shockwave.com/content/cinematycoon/sis/cinematycoon.cab\")
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...100/mcfscan.cab (http://\"http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5100/mcfscan.cab\")
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
--
End of file - 10944 byte
-
Looks as if you copy/pasted the entries to OTMoveit2.exe to the top Pane and not to the LOWER PANE as I instructed
Do the following, and follow the instructions EXACTLY
Delete your version of OTMoveit from desktop
REDownload [color=\"blue\"]OTMoveIt2.exe[/color] (http://\"http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe\") by OldTimer:- Save it to your desktop.
- Please double-click OTMoveIt2.exe to run it.
- Copy the entries below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):
================================================
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\QMYF Agent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp
======================================================
- Return to OTMoveIt2, right-click on the "Paste List of Files/Patterns to Search for and Move" window (The lower Pane) and choose "Paste".
- Click the red "[color=\"red\"]MoveIt![/color]" button.
- Close OTMoveIt when it has completed.
[color=\"red\"]Note[/color]: If an entry cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".
OTMoveIt would of created a log at this location
C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
It will have a header of <Manual Searches> in the top part of the log
Can you post that one
Also asked this
Let me know how things are running
-
[Manual Searches]
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\QMYF Agent >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\QMYF Agent deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp\ deleted successfully.
Created on 01032008_211743
There you go. Sorry about the misunderstanding. Things are running a little better. Thank you for your help so far. Whats next?
-
Can I see another fresh hijackthis log now that you ran OTMoveit2.exe correctly please
-
[quote name=\'guestolo\' post=\'417541\' date=\'Jan 2 2008, 09:23 PM\']Can I see another fresh hijackthis log now that you ran OTMoveit2.exe correctly please[/quote]
Sure. Here you go:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:25:21 PM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Stephen Kelly\Desktop\OTMoveIt2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677 (http://\"http://go.microsoft.com/fwlink/?linkid=677\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR (http://\"http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop\")
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: RS2 Toolbar - {ea1194ad-f64b-4fe2-bead-5881d52f2754} - C:\Program Files\RS2\tbRS2.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CleanMyPC Popup Blocker - {7A9BC6B1-7F27-47c6-A66D-13582E81E537} - C:\Program Files\CleanMyPC Popup Blocker\CleanBHO.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: RS2 Toolbar - {ea1194ad-f64b-4fe2-bead-5881d52f2754} - C:\Program Files\RS2\tbRS2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: CleanMyPC Toolbar - {04164EC4-1E48-4279-818E-3721931E7636} - C:\Program Files\CleanMyPC Popup Blocker\CleanBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program (http://\"http://file:///C:Program\") Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx (http://\"http://favorites.live.com/quickadd.aspx\")
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program (http://\"http://file:///C:Program\") Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program (http://\"http://file:///C:Program\") Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program (http://\"http://file:///C:Program\") Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab (http://\"http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab\")
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer...DataManager.CAB (http://\"http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 (http://\"http://go.microsoft.com/fwlink/?linkid=39204\")
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab (http://\"http://download.movienetworks.com/install/US/altpmtscab.cab\")
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab (http://\"http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab\")
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab (http://\"http://upload.facebook.com/controls/FacebookPhotoUploader.cab\")
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab (http://\"http://www.acclaim.com/cabs/acclaim_v4.cab\")
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/53/install/gtdownls.cab (http://\"http://www.linksysfix.com/netcheck/53/install/gtdownls.cab\")
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab (http://\"http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab\")
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.shockwave.com/content/cinematyc...inematycoon.cab (http://\"http://www.shockwave.com/content/cinematycoon/sis/cinematycoon.cab\")
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...100/mcfscan.cab (http://\"http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5100/mcfscan.cab\")
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
--
End of file - 10925 bytes
-
The log looks good, but I asked earlier about Norton's AV
Is it outdated, is that why you had part of it disabled?
-
Yes. So it's all clear?
Edit: Do you have any recommendations for anti-virus, anti-spyware and malware, and a possible popup blocker?
-
Sorry I missed an entry in your list
Do a "System scan only" with Hijackthis and put a check next to these entries:
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot the computer
Back in Windows delete the following
C:\Program Files\License_Manager <-this folder if found
From your uninstall list
I see the following
Bots
CleanMyPC - Registry Cleaner
CleanMyPC Popup Blocker
Do you use those programs? If not uninstall them
Also be very careful with Registry cleaners
Remove Symantec's Live Update from Add/remove
Also suggest you remove Registry Defender
Please post one last hijackthis log afterwards
Also let me know if your purposely opening up so many Notepad files please
I have other suggestions if you want to try them to help speed up the laptop
-
Ok I removed what I could but I need help with the following:
These programs need to be removed but I couldn't do it for some reason. They all gave a message like: unable to uninstall.
Middle School Vocabulary
Before You Know It
Artmoney SE v7.22
Math Trek - Algebra 1
KalOnlineEng
Bots
Aol Instant Messenger -- NOT AIM 6
And I can't find program - Symantec's Live Update
-
And I can't find program - Symantec's Live Update
That will be listed as Live Update 3.0 (Symantec's)
Try uninstalling the other programs in safe mode, if it won't work post back error message
-
I successfully removed the Symantec Live Updater, but the other programs still could not be removed in Safe mode.
Here are the 2 error messages. Each one has either:
Setup.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
or
InstallShield ® Setup Launcher has encountered a problem and needs to close. We are sorry for the inconvenience.
Edit: As for the notepad entries you talked about, they contained the logs from the different programs, and I just didnt bother to shut them. That was all.
-
As for the programs you couldn't uninstall
I can't say for sure what the problem is without the Exact error messages
Strike that, I seen you posted the error messages
You may have to manually remove them if you don't need them on the computer
I would almost guess one cause could be the Registry cleaner you have run on your machine
They can be harmful
I don't usually recommend running registry cleaners unless absolutely necessary
And the ones you ran, I have never used so can't vouch for them
Can you install Windows Installer Cleanup utility
http://support.microsoft.com/kb/290301 (http://\"http://support.microsoft.com/kb/290301\")
Run the tool and see if any of those are on the list of programs
-
Advice?
-
[quote name=\'StephenK\' post=\'417717\' date=\'Jan 3 2008, 03:21 PM\']Advice?[/quote]
Don't run Registry cleaners unless your absolutely sure what your removing!!!
I also edited my last reply
-
None of the programs are on this list.
I have to assure you I had no idea about the Registry cleaners. Please help!
-
[quote name=\'StephenK\' post=\'417722\' date=\'Jan 3 2008, 03:35 PM\']None of the programs are on this list.
I have to assure you I had no idea about the Registry cleaners. Please help![/quote]
Then why did you install them?
We're going in circles here
Post a fresh hijackthis log and and new uninstall list from Hijackthis
-
I don't really remember why. Here are the logs.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:11 PM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Windows Installer Clean Up\msicuu.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html (http://\"http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com (http://\"http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com (http://\"http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html (http://\"http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR (http://\"http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop\")
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx (http://\"http://favorites.live.com/quickadd.aspx\")
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab (http://\"http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab\")
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer...DataManager.CAB (http://\"http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 (http://\"http://go.microsoft.com/fwlink/?linkid=39204\")
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab (http://\"http://download.movienetworks.com/install/US/altpmtscab.cab\")
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab (http://\"http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab\")
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab (http://\"http://upload.facebook.com/controls/FacebookPhotoUploader.cab\")
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab (http://\"http://www.acclaim.com/cabs/acclaim_v4.cab\")
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/53/install/gtdownls.cab (http://\"http://www.linksysfix.com/netcheck/53/install/gtdownls.cab\")
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab (http://\"http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab\")
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.shockwave.com/content/cinematyc...inematycoon.cab (http://\"http://www.shockwave.com/content/cinematycoon/sis/cinematycoon.cab\")
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...100/mcfscan.cab (http://\"http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5100/mcfscan.cab\")
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
--
End of file - 8795 bytes
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat and Reader 6.0.3 Update
Adobe Flash Player 9 ActiveX
Adobe Reader 6.0.1
Adobe Shockwave Player
AIM 6
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Instant Messenger
ArtMoney SE v7.22
Athlon 64 Processor Driver
ATI Control Panel
ATI Display Driver
Axife Mouse Recorder DEMO 5.01
Before You Know It
Bots
Broadcom 802.11 Wireless LAN Adapter
Conexant AC-Link Audio
Customer Experience Enhancement
Direct Show Ogg Vorbis Filter (remove only)
Easy Internet Sign-up
ESPNMotion
Form Fill (Windows Live Toolbar)
GemMaster Mystic
Google Desktop Search
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP BatteryCheck 1.00 A7
HP Document Viewer 5.3
HP Extended Capabilities 5.3
HP Help and Support
HP Imaging Device Functions 6.0
HP Photosmart Premier Software 6.0
HP PSC & OfficeJet 5.3.A
HP QuickPlay 2.0
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HP User Guides 0025
HP User Guides--System Recovery
HP Wireless Assistant 2.00 C1
HyperCam 2
Java(tm) 6 Update 3
KalOnlineEng
Kaspersky Online Scanner
LimeWire 4.14.8
Map Button (Windows Live Toolbar)
Math Trek - Algebra 1
McAfee SiteAdvisor
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Money 2006
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Middle School Vocabulary
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
muvee autoProducer 4.5
Office 2003 Trial Assistant
OneCare Advisor (Windows Live Toolbar)
Pivot Stickfigure Animator
Popup Blocker (Windows Live Toolbar)
Quick Launch Buttons 5.20 G1
Quicken 2006
QuickTime
RealPlayer Basic
Rhapsody Player Engine
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Soft Data Fax Modem with SmartCP
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
SonicAC3Encoder
SonicMPEGEncoder
Stronghold 2
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TourSetup
Update for Windows Internet Explorer 7 Beta 3 (KB922880)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
VSToolbar for Internet Explorer
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Internet Explorer 7 Beta 3
Windows Live Favorites for Windows Live Toolbar
Windows Live Messenger
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885464
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB888402
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890546
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892559
Windows XP Media Center Edition 2005 KB925766
Wireless Home Network Setup
World of Warcraft
-
Try uninstalling the next 2 from Add/remove programs, let me know if you can remove them
ESPNMotion
VSToolbar for Internet Explorer
-
I could remove the ESPNMotion but not the VSToolbar.
Edit: When I click remove on the tab, the box disappears for a second and then comes back into plain view. Nothing happens other than that.
-
Don't try and reinstall VSToolbar
I'm not even sure what Bots is, do you know what it is?
But the others you had trouble removing, can you reinstall them then remove them?
-
Bots is some sort of game my cousin installed. It's an internet downloaded program. The others, I could try, but maybe it requires the CDs to remove them?
Edit: I tried to uninstall the Middle School Vocabulary but it says cannot locate file: INSTALL.log
-
[quote name=\'StephenK\' post=\'417761\' date=\'Jan 3 2008, 06:43 PM\']Bots is some sort of game my cousin installed. It's an internet downloaded program. The others, I could try, but maybe it requires the CDs to remove them?
Edit: I tried to uninstall the Middle School Vocabulary but it says cannot locate file: INSTALL.log[/quote]
Ok, I know what Bots is I think
I thought you tried uninstalling Middle school earlier
What happened to reinstall then uninstall?
-
I tried something different. Anyways I've had to go out of town for my sister who is having a baby and I don't have my laptop, but I have my dad's which is having problems. Please take a look at my other post.