Author Topic: Clickspring removal-- what's the best method?  (Read 2916 times)

Offline newt3

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
Clickspring removal-- what's the best method?
« on: July 27, 2007, 10:39:26 AM »
Hi Everyone.  I'm new to this board, which I discovered in what seems like my endless search to rid my pc of the dreaded Clickspring adware.  I know I have it.  I've run McAfee, Ad-Aware, and Spybot in attempts to rid my pc of this damned, dreaded, illegal, piece of crap; and no matter how much stuff is cleaned from my machine, it always reappears like a cockroach of the apocalypse.  All my online searches, including scanning this board, seem to lead to different approaches for different people in removing this bug, and I can't seem to find the right way to get it off my machine.  I am pleading with the experts and kind people of this forum to help save my sanity and last few remaining hairs on my balding head to help/teach/enlighten me on the best way to remove this from my pc.  
Help meeeeeeee...........

Offline pyrokitty

  • Hero Member
  • *****
  • Posts: 634
  • Karma: +0/-0
Clickspring removal-- what's the best method?
« Reply #1 on: July 27, 2007, 10:44:04 AM »
I had that in my computer a few years back and I actually had to go to a repair store or wherever you bought it and ask them. Their answer will be you have to get a whole new computer. I'd advise you to just not worry about the repair store and go straight for the computer aisle, because they charge you, I think, $150 just to look at the computer. That's what I did and I had to start mowing lawns.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Clickspring removal-- what's the best method?
« Reply #2 on: July 27, 2007, 06:14:42 PM »
Hi newt3
Can you do the following, please?

Download Hijackthis 2.0.2 from my signature below
SAVE it to your desktop

Double click on HJTInstall.exe to run it
Choose Install

Hijackthis v2.0.2 will open

Under Main Menu, Select
Do a system scan and save a Log file
A log will open in Notepad
Copy and Paste the Whole log back here to the forum...Don't try and fix anything yet----It is all important!

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline newt3

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
Clickspring removal-- what's the best method?
« Reply #3 on: July 28, 2007, 11:12:17 AM »
[quote name='guestolo' post='364518' date='Jul 27 2007, 06:14 PM']Hi newt3
Can you do the following please

Download Hijackthis 2.0.2 from my signature below
SAVE it to your desktop

Double click on HJTInstall.exe to run it
Choose Install

Hijackthis v2.0.2 will open

Under Main Menu, Select
Do a system scan and save a Log file
A log will open in Notepad
Copy and Paste the Whole log back here to the forum...Don't try and fix anything yet----It is all important![/quote]

Offline newt3

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
Clickspring removal-- what's the best method?
« Reply #4 on: July 29, 2007, 12:59:19 PM »
This is a test b/c every time I try to post the logfile, both Firefox and IE fail to load and I get error messages.  What the heck is going on???

newt3

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Clickspring removal-- what's the best method?
« Reply #5 on: July 29, 2007, 10:05:21 PM »
I'm not sure if I understand?
How are you posting to the forum?

Are you using a different computer?


Offline newt3

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
Clickspring removal-- what's the best method?
« Reply #6 on: July 30, 2007, 09:08:18 AM »
[quote name='guestolo' post='365711' date='Jul 29 2007, 10:05 PM']I'm not sure if I understand?
How are you posting to the forum?

Are you using a different computer?[/quote]

No. Same machine.  I'm running HJT, then getting the log file in a text document.  I'm highlighting the entire document, then copying it to the clipboard.  I'm then coming here, hitting reply to your post, then pasting the file into the reply.  When I hit the "Add Reply" button, I get an error message and there's no post.  This happens in both Firefox and IE.  Oy vey.
Is the post too long with the log file in there?  Should I break it up into separate posts?

newt3

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Clickspring removal-- what's the best method?
« Reply #7 on: July 30, 2007, 05:37:49 PM »
First, when you reply back to the forum, don't use the reply button just below my post

Use the Add Reply button at the bottom>>>
That should help a bit

When the hijackthis log opens, click EDIT>>SELECT ALL>>EDIT>>COPY

Then Paste the log in the reply box and then choose Add Reply
See if that helps

If not, try multiple posts, but I need to see the log
« Last Edit: July 31, 2007, 12:20:19 AM by guestolo »


Offline newt3

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
Clickspring removal-- what's the best method?
« Reply #8 on: July 30, 2007, 09:25:49 PM »
Here we go.  Looks like it's gonna take multiple posts...

EDIT>>I've added both replies to this reply box (guestolo)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:57:33 PM, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Iomega\Network Hard Drive\LDServ.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\AwdImportData\MSSQL$AWDLOCALDB\Binn\sqlservr.exe
C:\MSSQL7\binn\sqlservr.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\s?curity\d?dplay.exe
C:\Program Files\Iomega\Network Hard Drive\Admin.exe
C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
C:\WINDOWS\system32\cravlwxh.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
   
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar4.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\oqymnfoh.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\COMMON~1\RACLE~1\svchost.exe" -vt ndrv
O4 - HKCU\..\Run: [Fanmz] C:\WINDOWS\s?curity\d?dplay.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TISKY009.exe
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
O4 - Global Startup: Network Hard Drive Administrator.lnk = C:\Program Files\Iomega\Network Hard Drive\Admin.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) -
« Last Edit: July 31, 2007, 08:34:31 AM by guestolo »
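A defender-side triage pass over entries in the format of the log above, added here as an example (my code, not HijackThis's and not from anyone in this thread): it parses the O4 startup and O15 Trusted Zone lines and flags the traits that make the MemoryManager, Ncao, Fanmz and Trusted Zone entries stand out. The sample log is constructed from entries in this post; the `?` the forum shows in `s?curity` is treated as what it must be, a character Windows never allows in a file name, so it stands for an unrenderable look-alike character.

```python
"""Heuristic triage of HijackThis log lines (O4 and O15 entries).

Added example for this thread; not HijackThis or Trend Micro code and not
part of any post above. It flags entries worth reviewing; it fixes nothing.
"""
import re
from dataclasses import dataclass

# Constructed sample in HijackThis log format. The entries are copied from the
# log posted in this thread plus one benign line; '?' in the Fanmz entry is how
# the forum rendered a character Windows does not allow in a file name.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\oqymnfoh.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\COMMON~1\RACLE~1\svchost.exe" -vt ndrv
O4 - HKCU\..\Run: [Fanmz] C:\WINDOWS\s?curity\d?dplay.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TISKY009.exe
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
"""

# "O4 - <where>: [<name>] <cmd>" or "O4 - <where>: <file>.lnk = <cmd>"
O4_RE = re.compile(
    r"^O4 - (?P<where>.+?): (?:\[(?P<name>[^\]]*)\] |(?P<lnk>[^=]+?\.lnk) = )(?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)")
# A drive-letter path up to its first .exe/.dll; '?' is deliberately allowed so
# that an unrenderable character stays inside the captured path.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*]*?\.(?:exe|dll)', re.IGNORECASE)

SYSTEM_DIR = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\", re.IGNORECASE)
# Windows process names that malware likes to reuse from some other folder.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe", "smss.exe"}
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(?:exe|dll)$")
# Small, non-exhaustive allowlist of genuine eight-letter names under WINDOWS.
KNOWN_EIGHT_LETTER = {"explorer.exe", "winlogon.exe", "services.exe",
                      "userinit.exe", "browseui.dll", "imagehlp.dll"}


@dataclass(frozen=True)
class Finding:
    section: str    # HijackThis section, e.g. "O4" or "O15"
    subject: str    # the path or host the finding is about
    severity: str   # "suspicious" (strong indicator) or "review" (heuristic)
    reason: str


def check_path(path: str) -> list[tuple[str, str]]:
    """Return (severity, reason) pairs for one executable path."""
    hits = []
    base = path.rsplit("\\", 1)[-1]
    if "?" in path or any(ord(c) > 127 for c in path):
        hits.append(("suspicious",
                     "path contains '?' or a non-ASCII character, which Windows "
                     "does not allow in file names: a look-alike folder name"))
    if base.lower() in SYSTEM_BINARIES and not SYSTEM_DIR.match(path):
        hits.append(("suspicious",
                     f"{base} is a Windows system process name but runs from "
                     "outside %SystemRoot%\\system32"))
    if (SYSTEM_DIR.match(path) and RANDOM_NAME.match(base.lower())
            and base.lower() not in KNOWN_EIGHT_LETTER):
        hits.append(("review",
                     f"{base}: eight random-looking letters in system32; "
                     "confirm the file's publisher before trusting it"))
    return hits


def triage(log_text: str) -> list[Finding]:
    """Scan a HijackThis-style log and return the entries worth a closer look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            for path in PATH_RE.findall(m.group("cmd")):
                for severity, reason in check_path(path):
                    findings.append(Finding("O4", path, severity, reason))
            continue
        m = O15_RE.match(line)
        if m:
            findings.append(Finding("O15", m.group("host"), "review",
                            "site added to the IE Trusted Zone, where it runs with "
                            "lowered browser security; rogue 'security' products "
                            "add their own domains here"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'review': 2, 'suspicious': 2}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:10}] {f.section} {f.subject}\n    {f.reason}")
```

On the sample it reports the rundll32 DLL for review and flags the relocated svchost.exe and the `s?curity` path as suspicious, while the Synaptics and ctfmon entries pass untouched.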

Offline newt3

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
Clickspring removal-- what's the best method?
« Reply #9 on: July 30, 2007, 09:28:05 PM »
<Removed>
Added info to last reply box
« Last Edit: July 31, 2007, 08:35:22 AM by guestolo »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Clickspring removal-- what's the best method?
« Reply #10 on: July 30, 2007, 11:00:04 PM »
Let's try the following
Download this file - Combofix.exe and save it ONLY to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.>>C:\Combofix.txt
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post its log please, I need to see it all

In addition, I will need to see the Whole log from Hijackthis too, you may have not posted the very bottom
Regardless, do a fresh scan and repost it all
« Last Edit: July 30, 2007, 11:00:55 PM by guestolo »


Offline newt3

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
Clickspring removal-- what's the best method?
« Reply #11 on: July 31, 2007, 07:54:40 AM »
Man you're quick!  I tried for about an hour to post the remaining part of the logfile, but kept getting the same "Method Not Implemented  POST to /forum/index.php not supported." error.  UGH!!!!  So I gave up until today to come back to it.  What does that mean?  This is driving me insane.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Clickspring removal-- what's the best method?
« Reply #12 on: July 31, 2007, 08:01:09 AM »
Don't worry about the old Hijackthis log
I need to see a fresh one anyway, I'm not sure what's going on on your end

Try this, do a fresh scan and save logfile with Hijackthis
Save the new log to desktop
Right click on it and rename
hijackthis.log to hijackthis.txt

Try and upload it
Click on ADD REPLY
At the bottom of the reply box, click Browse....
Browse to the log and double click on it to select it then click the UPLOAD button
Do the same for C:\Combofix.txt

After you upload them don't forget to click the drop down arrow next to Manage Current Attachments and add them to the post
« Last Edit: July 31, 2007, 08:41:53 AM by guestolo »


Offline newt3

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
Clickspring removal-- what's the best method?
« Reply #13 on: July 31, 2007, 12:22:07 PM »
Here's the combofix log...

ComboFix 07-07-30.2 - "Matthew" 2007-07-31  9:25:38.1 [GMT -5:00] - NTFS
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.True


((((((((((((((((((((((((((((((((((((((((((((   V Log   )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\fkdnvaxn.dll
C:\WINDOWS\system32\ruivvabt.dll
C:\WINDOWS\system32\cravlwxh.exe
C:\WINDOWS\system32\gcqnpuee.exe
C:\WINDOWS\system32\lujfcssq.exe
C:\WINDOWS\system32\mfercqaq.exe
C:\WINDOWS\system32\pxgwalah.exe
C:\WINDOWS\system32\ttjtpgsq.exe
C:\WINDOWS\system32\vktibvth.exe
C:\WINDOWS\system32\wdltjryn.exe
C:\WINDOWS\system32\weouccky.exe
C:\WINDOWS\system32\fkdnvaxn.dll
C:\WINDOWS\SYSTEM32\ccfhk.bak1
C:\WINDOWS\SYSTEM32\ccfhk.bak2
C:\WINDOWS\SYSTEM32\ccfhk.ini
C:\WINDOWS\SYSTEM32\ccfhk.ini2
C:\WINDOWS\SYSTEM32\ccfhk.tmp
C:\WINDOWS\SYSTEM32\ccfhk.bak1
C:\WINDOWS\SYSTEM32\ccfhk.bak2
C:\WINDOWS\SYSTEM32\ccfhk.ini
C:\WINDOWS\SYSTEM32\ccfhk.ini2
C:\WINDOWS\SYSTEM32\ccfhk.tmp
C:\WINDOWS\SYSTEM32\ccfhk.bak1
C:\WINDOWS\SYSTEM32\ccfhk.bak2
C:\WINDOWS\SYSTEM32\ccfhk.ini
C:\WINDOWS\SYSTEM32\ccfhk.ini2
C:\WINDOWS\SYSTEM32\ccfhk.tmp
C:\WINDOWS\system32\khfcc.dll


* * *  POST RUN FILES/FOLDERS  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\racle~1
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\temp\tn3
C:\WINDOWS\acdt-pid67n.exe
C:\WINDOWS\install.exe
C:\WINDOWS\scurit~1
C:\WINDOWS\scurit~1\d?dplay.exe
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\drivers\Browse.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\dadtray.exe
C:\WINDOWS\system32\drivers\OnScDisp.exe
C:\WINDOWS\system32\gxcyxunk.exe
C:\WINDOWS\system32\haflwksg.exe
C:\WINDOWS\system32\L1
C:\WINDOWS\system32\L11
C:\WINDOWS\system32\L3
C:\WINDOWS\system32\L3\wr716.exe
C:\WINDOWS\system32\L5
C:\WINDOWS\system32\L7
C:\WINDOWS\system32\letwmseb.exe
C:\WINDOWS\system32\lhdamfec.exe
C:\WINDOWS\system32\lvsbrqkw.exe
C:\WINDOWS\system32\lxcosarc.exe
C:\WINDOWS\system32\middxmmc.exe
C:\WINDOWS\system32\oouvfsv.dll
C:\WINDOWS\system32\pdinflun.exe
C:\WINDOWS\system32\quxeergl.exe
C:\WINDOWS\system32\rowbfmld.exe
C:\WINDOWS\system32\scnuxcrh.exe
C:\WINDOWS\system32\temmmxsv.exe
C:\WINDOWS\system32\win
C:\WINDOWS\system32\wnsintsv.exe
C:\WINDOWS\wr.txt


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core


(((((((((((((((((((((((((   Files Created from 2007-06-28 to 2007-07-31  )))))))))))))))))))))))))))))))


2007-07-31 09:21    51,200    --a------    C:\WINDOWS\nircmd.exe
2007-07-31 09:08    125,504    --a------    C:\WINDOWS\SYSTEM32\vswwacgu.dll
2007-07-31 08:34    125,504    --a------    C:\WINDOWS\SYSTEM32\dyggtxki.dll
2007-07-26 14:48    76,560    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-07-26 14:48    <DIR>    d--------    C:\Program Files\Trend Micro
2007-07-26 14:38    <DIR>    d--------    C:\DOCUME~1\Matthew\APPLIC~1\Viewpoint
2007-07-25 13:03    126,016    --a------    C:\WINDOWS\SYSTEM32\cbytkmgq.dll
2007-07-25 12:45    143,360    --a------    C:\WINDOWS\SYSTEM32\dunzip32.dll
2007-07-25 12:36    79,304    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2007-07-25 12:36    40,488    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2007-07-25 12:36    35,240    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2007-07-25 12:36    33,800    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2007-07-25 12:36    201,288    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2007-07-25 12:35    113,952    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2007-07-25 12:27    <DIR>    d--------    C:\Program Files\McAfee
2007-07-25 12:26    <DIR>    d--------    C:\Program Files\Common Files\McAfee
2007-07-25 11:11    <DIR>    d--------    C:\DOCUME~1\Matthew\APPLIC~1\McAfee
2007-07-25 11:11    <DIR>    d--------    C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-07-25 10:47    126,016    --a------    C:\WINDOWS\SYSTEM32\vdsloxkk.dll
2007-07-23 22:59    <DIR>    d--------    C:\Program Files\Enigma Software Group
2007-07-23 00:11    465,209    --a------    C:\temp\bY001.exe
2007-07-23 00:11    <DIR>    d--------    C:\tempc2
2007-07-23 00:10    <DIR>    d--------    C:\temp\brr
2007-06-05 13:25    <DIR>    d--------    C:\Program Files\iPod
2007-06-05 13:24    <DIR>    d--------    C:\Program Files\iTunes
2007-06-04 14:35    <DIR>    d--------    C:\DOCUME~1\Matthew\APPLIC~1\eFax Messenger
2007-06-04 14:17    <DIR>    d--------    C:\DOCUME~1\ALLUSE~1\APPLIC~1\eFax Messenger 4.3 Output
2007-06-04 14:15    <DIR>    d--------    C:\Program Files\eFax Messenger 4.3
2007-06-04 14:15    <DIR>    d--------    C:\DOCUME~1\ALLUSE~1\APPLIC~1\eFax Messenger 4.3 Setup
2007-06-03 20:18    5,632    --a------    C:\WINDOWS\SYSTEM32\ptpusb.dll
2007-06-03 20:18    159,232    --a------    C:\WINDOWS\SYSTEM32\ptpusd.dll


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-28 11:57    ---------    d--------    C:\Program Files\Trillian
2007-07-25 12:53    ---------    d--------    C:\Program Files\McAfee.com
2007-07-25 11:53    ---------    d--h-----    C:\Program Files\InstallShield Installation Information
2007-07-25 11:53    ---------    d--------    C:\Program Files\WinMX
2007-07-25 11:53    ---------    d--------    C:\Program Files\Symantec
2007-07-25 11:53    ---------    d--------    C:\Program Files\Common Files\Symantec Shared
2007-07-25 11:45    ---------    d--------    C:\Program Files\Lavasoft
2007-07-23 01:16    ---------    d--------    C:\Program Files\Online Services
2007-07-13 13:17    ---------    d--------    C:\Program Files\Picasa2
2007-06-13 11:42    ---------    d--------    C:\Program Files\eFax Messenger Plus
2007-06-12 02:52    ---------    d--------    C:\Program Files\Cryptainer PE
2007-06-05 13:19    ---------    d--------    C:\Program Files\Apple Software Update
2007-05-16 10:12    683520    --a------    C:\WINDOWS\system32\inetcomm.dll
2007-04-08 22:21    109984    --a--c---    C:\DOCUME~1\Matthew\APPLIC~1\GDIPFONTCACHEV1.DAT


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{840DACDF-C007-4EDE-82D7-11A0B3CBADC3}]
2001-12-31 19:00    131072    --a------    C:\WINDOWS\SYSTEM32\jdqiumwu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"WG511WLU"="C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe" [2004-01-16 16:16]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-03-17 18:21]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-03-17 18:20]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 18:15]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-07-13 16:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2005-11-07 15:49]
"Iomega Automatic Backup"="C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe" [2002-10-15 09:32]
"Ncao"="C:\PROGRA~1\COMMON~1\RACLE~1\svchost.exe" []
"Fanmz"="C:\WINDOWS\s?curity\d?dplay.exe" []

C:\Documents and Settings\Matthew\Start Menu\Programs\Startup\
DESKTOP.INI [2001-08-30 20:02:02]
Trend Micro Anti-Spyware.lnk - C:\Program Files\Trend Micro\Tmasy\Tmasy.exe [2007-07-26 14:48:08]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2001-08-30 20:02:02]
Network Hard Drive Administrator.lnk - C:\Program Files\Iomega\Network Hard Drive\Admin.exe [2003-12-10 16:23:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2002-02-15 09:51 24638 C:\WINDOWS\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuttrq]
wvuttrq.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Camio Viewer 2000.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Camio Viewer 2000.lnk
backup=C:\WINDOWS\pss\Camio Viewer 2000.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.3.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax 4.3.lnk
backup=C:\WINDOWS\pss\eFax 4.3.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax.com Tray Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax.com Tray Menu.lnk
backup=C:\WINDOWS\pss\eFax.com Tray Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Live Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Live Menu.lnk
backup=C:\WINDOWS\pss\Live Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideACT!.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SideACT!.lnk
backup=C:\WINDOWS\pss\SideACT!.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Matthew^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\Matthew\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Matthew^Start Menu^Programs^Startup^QuickLink.lnk]
path=C:\Documents and Settings\Matthew\Start Menu\Programs\Startup\QuickLink.lnk
backup=C:\WINDOWS\pss\QuickLink.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Matthew^Start Menu^Programs^Startup^Web Chrono Desktop.lnk]
path=C:\Documents and Settings\Matthew\Start Menu\Programs\Startup\Web Chrono Desktop.lnk
backup=C:\WINDOWS\pss\Web Chrono Desktop.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Belt]
C:\WINDOWS\Belt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bklwf]
C:\WINDOWS\bklwf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.3]
"C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Automatic Backup]
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Automatic Backup 1.0.1]
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Automatic Backup Pro]
"C:\Program Files\Iomega\Automatic Backup Pro\LiveSystem.exe" -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
"C:\Program Files\Microsoft Money\System\Activation.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
c:\windows\system32\msbb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pop-Up Stopper]
"C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]
"C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHAgent]
C:\WINDOWS\System32\SahAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartupDelayer]
"C:\Program Files\r2 studios\Startup Delayer\Startup Launcher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp3\winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zinio DLM]
C:\PROGRA~1\Zinio\ZDLM.exe /hide

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

R0 Gernuwa;Gernuwa;C:\WINDOWS\system32\drivers\Gernuwa.sys
R0 IABFilt;Iomega Snapshot Volume Filter;C:\WINDOWS\system32\DRIVERS\IABFilt.sys
R0 iomdisk;Iomega Devices Disk Filter Services;C:\WINDOWS\system32\DRIVERS\iomdisk.sys
R0 sonyhcb;Sony Digital Imaging Base;C:\WINDOWS\system32\DRIVERS\sonyhcb.sys
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 Cdralw2k;Cdralw2k;C:\WINDOWS\system32\drivers\Cdralw2k.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 GhPciScan;GhostPciScanner;\??\C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys
R1 MPFP;MPFP;C:\WINDOWS\system32\Drivers\Mpfp.sys
R1 pwd_2K;pwd_2K;C:\WINDOWS\system32\drivers\pwd_2K.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 CdaC15BA;CdaC15BA;\??\C:\WINDOWS\System32\drivers\CdaC15BA.SYS
R2 LanScsiHelper;LANSCSI Helper Service;C:\Program Files\Iomega\Network Hard Drive\LDServ.exe
R2 lpx;LPX Protocol;C:\WINDOWS\system32\DRIVERS\lpx.sys
R2 MSSQL$AWDLOCALDB;MSSQL$AWDLOCALDB;C:\Program Files\AwdImportData\MSSQL$AWDLOCALDB\Binn\sqlservr.exe -sAWDLOCALDB
R2 ssoftnt4;ssoftnt4;\??\C:\WINDOWS\system32\Drivers\ssoftnt4.sys
R2 tcaicchg;tcaicchg;\??\C:\WINDOWS\System32\tcaicchg.sys
R2 TCAITDI;TCAITDI Protocol;C:\WINDOWS\system32\DRIVERS\TCAITDI.sys
R3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\System32\AWINDIS5.SYS
R3 EL556;3Com 10/100 Mini PCI Ethernet Adapter NDIS 5.0 Driver;C:\WINDOWS\system32\DRIVERS\EL556ND5.sys
R3 el575nd5;FE575C-3Com 10/100 LAN CardBus PC Card Driver;C:\WINDOWS\system32\DRIVERS\el575nd5.sys
R3 lanscsibus;LANSCSI Bus Driver for Network Hard Drive;C:\WINDOWS\system32\DRIVERS\lanscsibus.sys
R3 maestro;ESS Maestro Audio Driver (WDM);C:\WINDOWS\system32\drivers\es198xdl.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\WG511ICB.sys
R3 SynTP;Synaptics TouchPad Driver;C:\WINDOWS\system32\DRIVERS\SynTP.sys
R3 WDHAALBA;WDHAALBAMiniPCI Winmodem;C:\WINDOWS\system32\DRIVERS\WDHAALBA.sys
S2 0009611185851002mcinstcleanup;McAfee Application Installer Cleanup (0009611185851002);C:\WINDOWS\TEMP00961~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
S2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
S3 awhost32;pcAnywhere Host Service;C:\Program Files\Symantec\pcAnywhere\awhost32.exe
S3 Bridge;MAC Bridge;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 Dot4;MS IEEE-1284.4 Driver;C:\WINDOWS\system32\DRIVERS\Dot4.sys
S3 Dot4Print;Print Class Driver for IEEE-1284.4;C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 EL556ND5;3Com 10/100 Mini PCI Ethernet Adapter NDIS5 Driver;C:\WINDOWS\system32\DRIVERS\EL556ND5.sys
S3 lanscsiminiport;LANSCSI Miniport Driver for Network Hard Drive;C:\WINDOWS\system32\DRIVERS\lanscsiminiport.sys
S3 OASIS;OASIS;C:\WINDOWS\system32\drivers\oasisusb.sys
S3 SDDMI2;SDDMI2;\??\C:\WINDOWS\system32\DDMI2.sys
S3 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\system32\snmptrap.exe
S3 sonyhcs;Sony Digital Imaging Video;C:\WINDOWS\system32\DRIVERS\sonyhcs.sys
S3 SQLAgent$AWDLOCALDB;SQLAgent$AWDLOCALDB;C:\Program Files\AwdImportData\MSSQL$AWDLOCALDB\Binn\sqlagent.EXE -i AWDLOCALDB
S3 TnIDriver;TnIDriver;\??\C:\DOCUME~1\Matthew\LOCALS~1\Temp\tni4D8.tmp
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys
S4 IISADMIN;IIS Admin;C:\WINDOWS\System32\inetsrv\inetinfo.exe


Contents of the 'Scheduled Tasks' folder
2007-07-27 22:15:06 C:\WINDOWS\Tasks\1-Click Maintenance.job - C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
2007-07-24 18:05:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2002-04-16 13:34:48 C:\WINDOWS\Tasks\ISP signup reminder 1.job - C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
2007-07-25 17:31:52 C:\WINDOWS\Tasks\McDefragTask.job - c:\program files\mcafee\mqc\QcConsol.exe
2007-07-25 17:31:50 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-31 10:14:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000248
"TracesSuccessful"=dword:00000026

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-31 10:20:12 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-31 10:18

    --- E O F ---

Offline newt3

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
Clickspring removal-- what's the best method?
« Reply #14 on: July 31, 2007, 12:26:59 PM »
Here's the new HJT logfile...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:14:47 PM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Iomega\Network Hard Drive\LDServ.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\AwdImportData\MSSQL$AWDLOCALDB\Binn\sqlservr.exe
C:\MSSQL7\binn\sqlservr.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Iomega\Network Hard Drive\Admin.exe
C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Offline newt3

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
Clickspring removal-- what's the best method?
« Reply #15 on: July 31, 2007, 12:28:58 PM »
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: TChkBHO Class - {840DACDF-C007-4EDE-82D7-11A0B3CBADC3} - C:\WINDOWS\SYSTEM32\jdqiumwu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar4.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\COMMON~1\RACLE~1\svchost.exe" -vt ndrv
O4 - HKCU\..\Run: [Fanmz] C:\WINDOWS\s?curity\d?dplay.exe
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
O4 - Global Startup: Network Hard Drive Administrator.lnk = C:\Program Files\Iomega\Network Hard Drive\Admin.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

Offline newt3

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
Clickspring removal-- what's the best method?
« Reply #16 on: July 31, 2007, 12:37:04 PM »
I couldn't get the last part of the logfile to post, so I'm uploading the entire logfile.  Sorry for the convoluted postings.


[attachment=3515:hijackthis3.txt]

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Clickspring removal-- what's the best method?
« Reply #17 on: July 31, 2007, 10:56:45 PM »
I'm having the same problem as you posting to some threads
getting the same error message

Let me see if this gets resolved soon, or I'll try and start another thread for you
I may not have a chance tonight, but I will be back tomorrow to carry on

In the meantime, can you do the following
>>HOPEFULLY I can post this all :P

Download: CCleaner v1.40.520 - Slim from this link and install it
http://www.ccleaner.com/download/builds.aspx
Do Not run it yet

Download Dr.Web CureIt to the desktop from this link
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Do Not run it yet

Print the rest of these instructions or save them to a text file on desktop

Do a "System scan only" with Hijackthis and put a check next to these entries:

O2 - BHO: TChkBHO Class - {840DACDF-C007-4EDE-82D7-11A0B3CBADC3} - C:\WINDOWS\SYSTEM32\jdqiumwu.dll

O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\COMMON~1\RACLE~1\svchost.exe" -vt ndrv
O4 - HKCU\..\Run: [Fanmz] C:\WINDOWS\s?curity\d?dplay.exe

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS

O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)

O20 - Winlogon Notify: wvuttrq - wvuttrq.dll (file missing)


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
In safe mode do the following
Run CCleaner
Next: click Options click the Advanced button
Uncheck: "Only delete files in Windows temp folders older than 48 hrs."
NEXT: Click the Cleaner
Then click Run Cleaner (bottom right)
OK the prompt, when finished scanning, just exit the program

Remain in safe mode
Double click to run Dr.Web-cureit.exe from desktop
  • Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured.
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
Reboot back to Normal windows

Post back the following

1. Post a fresh hijackthis log
2. Post the report from Dr.Web

Hopefully the problems on the board are corrected after you do the following
If not, we'll see if starting a new topic will help
« Last Edit: July 31, 2007, 11:07:49 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
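The fix list above picks out the entries a trained eye sees as hostile. As an added example (not code from this thread and not HijackThis's own logic), here is a small Python triage script that writes those judgements down as explicit heuristics and runs them over sample lines taken from the posted log and fix list, plus a few benign entries to show what is left alone. The heuristics, the NATIVE_BINARIES pattern and the SYSTEM_DIRS set are my assumptions about what deserves a second look; the random-DLL rule in particular is weak and only nominates candidates for manual review.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample: entries copied from the HijackThis log and the fix list
# posted in this thread, plus benign ones to show what does NOT get flagged.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: TChkBHO Class - {840DACDF-C007-4EDE-82D7-11A0B3CBADC3} - C:\WINDOWS\SYSTEM32\jdqiumwu.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\COMMON~1\RACLE~1\svchost.exe" -vt ndrv
O4 - HKCU\..\Run: [Fanmz] C:\WINDOWS\s?curity\d?dplay.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: *.winfixer.com (HKLM)
O20 - Winlogon Notify: wvuttrq - wvuttrq.dll (file missing)
"""

# Assumption: these Windows binaries only ever live in the system directory,
# so a file with one of these names anywhere else is a masquerade.
NATIVE_BINARIES = r"(svchost|lsass|csrss|winlogon|services|smss)\.exe"
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def lookalike_path(line: str) -> bool:
    # HijackThis prints '?' for characters it cannot render, so a '?' inside a
    # drive path (s?curity) means a non-ASCII look-alike directory name.
    return re.search(r'[A-Za-z]:\\[^\s"]*\?', line) is not None


def native_binary_outside_system_dir(line: str) -> bool:
    # Capture the directory in front of the binary name and compare it with
    # the legitimate system directories.
    m = re.search(r'([A-Za-z]:\\[^"\s]*?)\\' + NATIVE_BINARIES, line, re.I)
    return m is not None and m.group(1).lower() not in SYSTEM_DIRS


def random_dll_in_system32(line: str) -> bool:
    # Weak heuristic: a 7-8 letter all-lowercase DLL dropped straight into
    # System32 with no vendor directory. Legitimate DLLs can match; verify.
    m = re.search(r"\\system32\\([a-z]{7,8})\.dll\s*$", line, re.I)
    return m is not None and m.group(1).islower()


def orphaned_winlogon_notify(line: str) -> bool:
    # The registry hook survived but its DLL is gone: leftover to remove.
    return line.startswith("O20") and "(file missing)" in line


def trusted_zone_entry(line: str) -> bool:
    # Sites added to IE's Trusted Zone lower security for that site; review all.
    return line.startswith("O15")


def remote_context_menu(line: str) -> bool:
    # Context-menu items whose target is a remote URL rather than a local res://.
    return line.startswith("O8") and re.search(r" - https?://", line) is not None


HEURISTICS: List[Tuple[str, Callable[[str], bool]]] = [
    ("look-alike path ('?' marks a non-ASCII character)", lookalike_path),
    ("system binary name running outside the system directory", native_binary_outside_system_dir),
    ("random-looking DLL dropped into System32 (weak, verify by hand)", random_dll_in_system32),
    ("Winlogon Notify hook whose DLL is gone (leftover to remove)", orphaned_winlogon_notify),
    ("site added to the Trusted Zone (review every one)", trusted_zone_entry),
    ("context-menu item that calls out to a remote site", remote_context_menu),
]


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return the log lines that trip at least one heuristic, with the reasons."""
    flagged = []
    for line in log_text.strip().splitlines():
        reasons = [why for why, check in HEURISTICS if check(line)]
        if reasons:
            flagged.append({"line": line, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["line"])
        for why in hit["reasons"]:
            print("    ->", why)
```

Running it prints the six hostile entries with the reason each one tripped and stays silent on the Adobe, Synaptics, ctfmon and Excel lines. The script changes nothing; it only produces the review list, and the actual removal still happens in HijackThis with FIX CHECKED as described in the post.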


Offline newt3

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
Clickspring removal-- what's the best method?
« Reply #18 on: August 01, 2007, 01:42:26 PM »
Followed your instructions.  Here's the new HJT logfile and Dr. Web report.  Sorry I had to upload the HJT document, but I keep getting the same error message about "method not implemented" when I try to cut and paste the results into a post.  Ugh.  Below is the Dr. Web report.
[attachment=3520:hijackthis4.txt]


script[1].js;C:\Documents and Settings\Rebecca\Local Settings\Temporary Internet Files\Content.IE5\CDAHK56D;Win32.HLLM.Graz;Deleted.;
backup-20070801-102107-103.dll;C:\Program Files\Trend Micro\HijackThis\backups;Adware.WildMedia;Incurable.Moved.;
DDPLAY~1.VIR;C:\QooBox\Quarantine\C\WINDOWS\SCURIT~1;Adware.ClickSpring;Incurable.Moved.;
cravlwxh.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.DownLoader.26570;Deleted.;
fkdnvaxn.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
gcqnpuee.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.DownLoader.26570;Deleted.;
gxcyxunk.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
haflwksg.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
khfcc.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
letwmseb.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
lhdamfec.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
lujfcssq.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.DownLoader.26570;Deleted.;
lvsbrqkw.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
lxcosarc.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
mfercqaq.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Click.2799;Deleted.;
middxmmc.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
oouvfsv.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Adware.ClickSpring;Incurable.Moved.;
pdinflun.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
pxgwalah.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.DownLoader.26570;Deleted.;
quxeergl.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
rowbfmld.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
ruivvabt.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
scnuxcrh.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
temmmxsv.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
ttjtpgsq.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.DownLoader.26570;Deleted.;
vktibvth.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.DownLoader.26570;Deleted.;
wdltjryn.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.DownLoader.26570;Deleted.;
weouccky.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Click.2799;Deleted.;
wr716.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\L3;Trojan.DownLoader.26881;Deleted.;
cbytkmgq.dll;C:\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
dyggtxki.dll;C:\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
vdsloxkk.dll;C:\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
vswwacgu.dll;C:\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
« Last Edit: August 01, 2007, 01:49:43 PM by newt3 »
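The Dr.Web report above is a semicolon-separated CSV (file name; directory; threat name; action) that the board flattened into one run of text. As an added example, not code from this thread or from Dr.Web, here is a small Python parser that tallies the findings by family and by action and separates the ones found inside another tool's quarantine (ComboFix's C:\QooBox, HijackThis's backups folder) from the ones that were still live on the system. The QUARANTINE_DIRS tuple is an assumption drawn from the paths in the report, and the inline sample is a constructed subset of it.

```python
import csv
from collections import Counter
from io import StringIO
from typing import Dict, List, Tuple

# Records in the Dr.Web CureIt report format posted above, one finding per
# line: file name; directory; threat name; action. Constructed subset of the
# thread's report, embedded so the script runs offline.
SAMPLE_REPORT = r"""script[1].js;C:\Documents and Settings\Rebecca\Local Settings\Temporary Internet Files\Content.IE5\CDAHK56D;Win32.HLLM.Graz;Deleted.;
backup-20070801-102107-103.dll;C:\Program Files\Trend Micro\HijackThis\backups;Adware.WildMedia;Incurable.Moved.;
DDPLAY~1.VIR;C:\QooBox\Quarantine\C\WINDOWS\SCURIT~1;Adware.ClickSpring;Incurable.Moved.;
cravlwxh.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.DownLoader.26570;Deleted.;
oouvfsv.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Adware.ClickSpring;Incurable.Moved.;
cbytkmgq.dll;C:\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
dyggtxki.dll;C:\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;
"""

# Assumption: directories holding copies that other tools already neutralised
# (ComboFix's QooBox, HijackThis backups). Adjust to the tools actually used.
QUARANTINE_DIRS = (
    r"c:\qoobox\quarantine",
    r"c:\program files\trend micro\hijackthis\backups",
)


def parse_report(text: str) -> List[Dict[str, object]]:
    """Parse Dr.Web CureIt CSV records into dicts, one per finding."""
    findings = []
    for row in csv.reader(StringIO(text), delimiter=";"):
        if len(row) < 4:
            continue  # blank or truncated line
        name, directory, threat, action = (f.strip() for f in row[:4])
        d = directory.lower()
        findings.append({
            "name": name,
            "dir": directory,
            "threat": threat,
            "action": action.rstrip("."),  # "Deleted." -> "Deleted"
            "quarantined": any(d.startswith(q) for q in QUARANTINE_DIRS),
        })
    return findings


def summarise(findings: List[Dict[str, object]]) -> Tuple[Counter, Counter]:
    """Counts by threat family and by action taken."""
    by_family = Counter(f["threat"] for f in findings)
    by_action = Counter(f["action"] for f in findings)
    return by_family, by_action


def live_findings(findings: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Findings that were NOT inside another tool's quarantine: these were
    still active on the system when Dr.Web ran and matter most for follow-up."""
    return [f for f in findings if not f["quarantined"]]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    by_family, by_action = summarise(found)
    print("by family:", dict(by_family))
    print("by action:", dict(by_action))
    for f in live_findings(found):
        print(f"LIVE  {f['threat']:<24} {f['dir']}\\{f['name']}  ({f['action']})")
```

On the full report the split is the useful part: the entries under C:\QooBox\Quarantine and the HijackThis backups folder were copies ComboFix and HijackThis had already moved aside, while the Trojan.Virtumod DLLs sitting directly in C:\WINDOWS\SYSTEM32 (and the cached script in Temporary Internet Files) were still live when Dr.Web ran. That distinction is what to read for in any post-cleanup scan.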

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Clickspring removal-- what's the best method?
« Reply #19 on: August 01, 2007, 10:34:23 PM »
Hi again Newt
It's only a couple of threads I'm having problems with, and yours is one of them unfortunately :o
Let's try and work thru the problems of the board

Dr. Web cleared some more files for us
Can you run Combofix again please, post the log from it
C:\Combofix.txt
Just to see what remains

Let me know how things are running also
