Author Topic: downloaded virus  (Read 1244 times)

Offline Marcia

  • Jr. Member
  • Posts: 56
  • Karma: +0/-0
downloaded virus
« on: August 23, 2008, 05:26:29 PM »
First off, let me say I'm running Windows XP. Second, my son downloaded a trojan through a LimeWire song. I have since uninstalled LimeWire. I ran A-Squared and found a Trojan and deleted it. I also found other medium- to low-risk adware and spyware and deleted those. All my icons on my desktop have disappeared. I can only run a program through Windows Task Manager. There's still something evil on my PC that I'm not catching. I was able to run HijackThis and here's the log...

Logfile of HijackThis v1.99.1
Scan saved at 6:39:15 PM, on 8/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Marcia\Desktop\Computer Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8l.hpwis.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?r825=1214822704
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
downloaded virus
« Reply #1 on: August 24, 2008, 09:46:32 AM »
Can you please do the following:

If possible, disable SpySweeper so it won't interfere with the next tool
If you do have an older version of ComboFix, delete it as we need the most up to date version

Download this file - Combofix.exe and save it ONLY to your desktop

Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
By default it will save a copy to C:\Combofix.txt
Post that log

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Marcia

  • Jr. Member
  • Posts: 56
  • Karma: +0/-0
downloaded virus
« Reply #2 on: August 26, 2008, 06:50:13 PM »
Before I do anything I need to say what has happened in the meantime. Not long after I posted my problem, my PC got worse and wouldn't load Windows at all. All I could see was a dark screen. My son took my laptop and somehow got Windows to load. He removed all trojans, viruses, etc.... so he says. Now I have a different problem. The BIOS was affected and was looping some type of test. He got that to stop, and now every time I want to start my PC I have to press F1 to get Windows to load. He's supposed to be researching a solution to this, but I know I can find the answer here. What should I do now? I have the PC in my possession and am using it right now.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
downloaded virus
« Reply #3 on: August 30, 2008, 11:29:47 AM »
It probably gives a brief explanation of why you must press F1 on startup.
Does it indicate one?
E.g. CMOS checksum error?

I would like to see a new log to ensure you're clean,
but I would like to see a fresh, updated HijackThis log.
Download the HijackThis installer from HERE
For an alternate download location, you can try HERE
SAVE it to your desktop
Double click on HJTInstall.exe to run it
Choose Install

Hijackthis v2.0.2 will open

Under Main Menu, Select
Do a system scan and save a Log file
A log will open in Notepad
Copy and paste the whole log back here to the forum. It is all important!



Offline Marcia

  • Jr. Member
  • Posts: 56
  • Karma: +0/-0
downloaded virus
« Reply #4 on: September 02, 2008, 08:07:54 PM »
When I turn on my PC it shows Windows trying to load for about 1 second and then the screen goes black. F1 allows Windows to finish loading. There isn't any message. Following is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:33 PM, on 9/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8l.hpwis.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Marcia
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {B49B7CCC-BBF4-4C16-AF73-8E6893ACD967} - (no file)
O2 - BHO: (no name) - {E1DA6974-4B55-4158-91FB-4EEF76309791} - (no file)
O2 - BHO: (no name) - {E4E9A472-0228-469B-A0A2-3C32EA1751C4} - C:\WINDOWS\system32\basecs.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab
O20 - Winlogon Notify: ssqQJcdc - ssqQJcdc.dll (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7270 bytes
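
Added here as an example (not part of the thread, and not a tool either poster used): a small Python triage script over HijackThis lines of the kind posted above. It pulls the file path out of each O2/O4/O20/O23 entry and flags entries whose target is reported missing ("(no file)", "(file missing)"), which usually means a leftover registry hook pointing at something already removed, and entries whose target appears on a list of files a cleaner removed. The sample lines are copied from the log above, and the deletion list is a subset of the "Other Deletions" section of the ComboFix log posted later in this thread. A flag marks an entry for a reviewer's attention; it is not by itself proof of malware. Names such as `HjtEntry`, `triage` and `flagged` are my own.

```python
import re
from dataclasses import dataclass, field

# Sample HijackThis lines, copied from the log posted in this thread (a subset, not a full log).
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B49B7CCC-BBF4-4C16-AF73-8E6893ACD967} - (no file)
O2 - BHO: (no name) - {E4E9A472-0228-469B-A0A2-3C32EA1751C4} - C:\WINDOWS\system32\basecs.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: ssqQJcdc - ssqQJcdc.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Subset of the paths listed under "Other Deletions" in the ComboFix log posted later in the thread.
COMBOFIX_DELETED = {
    r"C:\WINDOWS\system32\basecs.dll",
    r"C:\WINDOWS\system32\msssc.dll",
    r"C:\WINDOWS\system32\dwwnw64r.exe",
}

# Markers HijackThis prints when the file an entry points at does not exist on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class HjtEntry:
    section: str                 # HijackThis section code, e.g. "O2" or "O20"
    text: str                    # the raw log line
    path: str                    # file path (or the orphan marker) the entry points at
    flags: list = field(default_factory=list)


def parse_hjt_line(line):
    """Return an HjtEntry for one log line, or None for lines that are not entries."""
    line = line.strip()
    m = re.match(r"^([RO]\d+) - (.*)$", line)
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    if section == "O4":
        # O4 - HKLM\..\Run: [Name] C:\path\prog.exe /args  -> everything after the "]"
        m4 = re.search(r"\]\s*(.*)$", rest)
        path = m4.group(1) if m4 else rest
    else:
        # For O2/O3/O9/O20/O23 the target is the last " - " separated field.
        path = rest.rsplit(" - ", 1)[-1]
    return HjtEntry(section, line, path.strip())


def triage(log_text, deleted_paths):
    """Parse all entries and attach review flags to each one."""
    deleted = {p.lower() for p in deleted_paths}
    entries = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        low = entry.path.lower()
        # Hook left behind after its target file was removed (by a cleaner or by hand).
        if any(marker in low for marker in ORPHAN_MARKERS):
            entry.flags.append("orphaned-entry")
        # Hook whose target is on the cleaner's deletion list: the file is gone,
        # but the registry entry loading it may still be present.
        if any(d in low for d in deleted):
            entry.flags.append("target-removed-by-combofix")
        # A BHO with no display name is worth a second look, though not malicious per se.
        if entry.section == "O2" and "(no name)" in entry.text:
            entry.flags.append("unnamed-bho")
        entries.append(entry)
    return entries


def flagged(entries):
    """Only the entries that picked up at least one flag."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(triage(HJT_SAMPLE, COMBOFIX_DELETED)):
        print(f"{e.section:<4} {', '.join(e.flags):<40} {e.path}")
```

Run as a script, it lists only the three entries from the sample that need attention: the two unnamed BHOs (one already orphaned, one pointing at basecs.dll, which ComboFix removed) and the Winlogon Notify entry whose DLL is missing. Unflagged lines such as the avast! service are left out of the report.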

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
downloaded virus
« Reply #5 on: September 02, 2008, 09:43:20 PM »
Download this file - Combofix.exe and save it ONLY to your desktop

Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
By default it will save a copy to C:\Combofix.txt
Post that log

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Offline Marcia

  • Jr. Member
  • Posts: 56
  • Karma: +0/-0
downloaded virus
« Reply #6 on: September 03, 2008, 05:21:41 AM »
ComboFix 08-09-01.05 - Marcia 2008-09-03  6:31:38.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.595 [GMT -4:00]
Running from: C:\Documents and Settings\Marcia\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Marcia\Application Data\macromedia\Flash Player\#SharedObjects\J9PHKTT8\bin.clearspring.com
C:\Documents and Settings\Marcia\Application Data\macromedia\Flash Player\#SharedObjects\J9PHKTT8\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Marcia\Application Data\macromedia\Flash Player\#SharedObjects\J9PHKTT8\interclick.com
C:\Documents and Settings\Marcia\Application Data\macromedia\Flash Player\#SharedObjects\J9PHKTT8\interclick.com\ud.sol
C:\Documents and Settings\Marcia\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Marcia\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\Marcia\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Marcia\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Marcia\Cookies\marcia@insightexpressai[1].txt
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\system32\bacIOXbc.ini
C:\WINDOWS\system32\bacIOXbc.ini2
C:\WINDOWS\system32\basecs.dll
C:\WINDOWS\system32\dwwnw64r.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\msssc.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rownw64r.exe
C:\WINDOWS\system32\winpfz33.sys

.
(((((((((((((((((((((((((   Files Created from 2008-08-03 to 2008-09-03  )))))))))))))))))))))))))))))))
.

2008-09-02 21:46 . 2008-09-02 21:48   <DIR>   d--------   C:\Program Files\QuickTime
2008-09-02 21:44 . 2008-09-02 21:44   <DIR>   d--------   C:\Program Files\Apple Software Update
2008-09-02 21:44 . 2008-09-02 21:44   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Apple
2008-09-02 21:30 . 2008-09-02 21:30   <DIR>   d--------   C:\Program Files\Trend Micro
2008-08-26 20:55 . 2008-08-26 20:55   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-26 16:53 . 2008-06-23 12:57   6,066,176   -----c---   C:\WINDOWS\system32\dllcache\ieframe.dll
2008-08-26 16:53 . 2007-04-17 05:32   2,455,488   -----c---   C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-08-26 16:53 . 2007-03-08 01:10   991,232   -----c---   C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-08-26 16:53 . 2008-06-23 12:57   459,264   -----c---   C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-08-26 16:53 . 2008-06-23 12:57   383,488   -----c---   C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-08-26 16:53 . 2008-06-23 12:57   267,776   -----c---   C:\WINDOWS\system32\dllcache\iertutil.dll
2008-08-26 16:53 . 2008-06-23 12:57   63,488   -----c---   C:\WINDOWS\system32\dllcache\icardie.dll
2008-08-26 16:53 . 2008-06-23 12:57   52,224   -----c---   C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-08-26 16:53 . 2008-06-23 05:20   13,824   -----c---   C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-08-26 16:30 . 2008-05-01 10:33   331,776   -----c---   C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-26 16:30 . 2008-05-08 10:02   203,136   -----c---   C:\WINDOWS\system32\dllcache\rmcast.sys
2008-08-26 16:14 . 2008-08-26 16:15   <DIR>   d--------   C:\Program Files\MobilityDotNET
2008-08-26 15:33 . 2008-08-26 15:33   <DIR>   d--------   C:\ATI
2008-08-26 14:01 . 2008-08-26 14:01   <DIR>   d--------   C:\Dell
2008-08-26 13:04 . 2008-08-26 13:04   <DIR>   d--------   C:\bios
2008-08-26 08:04 . 2008-04-11 15:04   691,712   -----c---   C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-26 08:04 . 2008-07-07 16:26   253,952   -----c---   C:\WINDOWS\system32\dllcache\es.dll
2008-08-26 07:07 . 2008-04-13 20:12   1,306,624   -----c---   C:\WINDOWS\system32\dllcache\msxml6.dll
2008-08-26 07:07 . 2008-04-13 13:27   79,872   -----c---   C:\WINDOWS\system32\dllcache\msxml6r.dll
2008-08-26 07:06 . 2006-12-28 15:01   19,569   --a------   C:\WINDOWS\005786_.tmp
2008-08-26 00:09 . 2007-08-13 18:06   56,700   --a------   C:\WINDOWS\system32\ieuinit.inf
2008-08-26 00:09 . 2004-08-02 14:20   7,208   ---------   C:\WINDOWS\system32\secupd.sig
2008-08-26 00:09 . 2004-08-02 14:20   4,569   ---------   C:\WINDOWS\system32\secupd.dat
2008-08-25 23:30 . 2008-04-13 20:12   354,304   --a------   C:\WINDOWS\system32\winhttp.dll
2008-08-25 23:30 . 2008-04-13 20:12   18,944   --a------   C:\WINDOWS\system32\qmgrprxy.dll
2008-08-25 22:53 . 2008-07-18 22:09   215,752   --a------   C:\WINDOWS\system32\wuaucpl.cpl
2008-08-25 21:53 . 2008-08-25 21:53   1,904   -rahs----   C:\WINDOWS\system32\drivers\HP_Pavilion zv5000 (DZ329U ABA)_YN_Pavi_QCND410_E_4_I089C_SHP_V31.31_BF.12_T040216_WXH1_L409_M896_J40_7Inte
l_8Celeron_92.8_1_N10EC8139_P104CAC55_Z1002434D_K_A10024341_U10024347_G10025835_O
TEAC DW-224E-A_D.MRK
2008-08-25 21:44 . 2002-10-23 08:38   24,576   --a------   C:\WINDOWS\system32\xpsp1hfm.exe
2008-08-25 21:38 . 2003-10-30 09:40   1,205,324   -ra------   C:\WINDOWS\system32\drivers\AGRSM.sys
2008-08-25 21:38 . 2003-10-30 09:40   88,363   -ra------   C:\WINDOWS\AGRSMMSG.exe
2008-08-25 21:38 . 2003-10-30 09:40   64,512   -ra------   C:\WINDOWS\agrsmdel.exe
2008-08-25 21:31 . 2008-04-13 15:19   146,048   --a------   C:\WINDOWS\system32\drivers\portcls.sys
2008-08-25 21:31 . 2008-04-13 14:45   60,160   --a------   C:\WINDOWS\system32\drivers\drmk.sys
2008-08-25 21:31 . 2002-11-06 20:00   40,820   --a------   C:\WINDOWS\system32\Syncor11.dll
2008-08-25 20:49 . 2003-03-31 15:00   41,600   --a--c---   C:\WINDOWS\system32\dllcache\weitekp9.dll
2008-08-25 20:49 . 2003-03-31 15:00   31,232   --a--c---   C:\WINDOWS\system32\dllcache\weitekp9.sys
2008-08-25 20:47 . 2003-03-31 15:00   10,096,640   --a--c---   C:\WINDOWS\system32\dllcache\hwxcht.dll
2008-08-25 20:46 . 2001-08-17 22:36   2,134,528   --a--c---   C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll
2008-08-25 20:45 . 2008-08-25 20:45   299,552   --a------   C:\WINDOWS\WMSysPrx.prx
2008-08-25 20:45 . 2008-08-25 21:07   25,065   --a------   C:\WINDOWS\system32\wmpscheme.xml
2008-08-25 20:44 . 2008-08-25 20:44   488   -rah-----   C:\WINDOWS\system32\logonui.exe.manifest
2008-08-25 20:42 . 2008-04-11 15:04   691,712   --a------   C:\WINDOWS\system32\inetcomm.dll
2008-08-25 20:40 . 2008-04-13 20:11   2,061,824   --a------   C:\WINDOWS\system32\mstscax.dll
2008-08-25 20:34 . 2008-04-13 14:45   52,864   --a------   C:\WINDOWS\system32\drivers\dmusic.sys
2008-08-25 20:34 . 2008-04-13 14:45   6,272   --a------   C:\WINDOWS\system32\drivers\splitter.sys
2008-08-25 20:33 . 2008-04-13 14:40   57,600   --a------   C:\WINDOWS\system32\drivers\redbook.sys
2008-08-25 20:32 . 2003-12-08 00:18   229,376   --a------   C:\WINDOWS\system32\atiiiexx.dll
2008-08-25 20:27 . 2003-03-31 15:00   13,608   -ra------   C:\WINDOWS\SET51.tmp
2008-08-25 20:26 . 2003-03-31 15:00   1,086,182   -ra------   C:\WINDOWS\SET43.tmp
2008-08-25 19:47 . 2008-04-13 20:13   40,840   --a------   C:\WINDOWS\system32\drivers\termdd.sys
2008-08-25 19:37 . 2008-08-25 23:33   1,089,141   --a------   C:\WINDOWS\setupapi.log.0.old
2008-08-25 14:22 . 2008-08-25 14:22   <DIR>   d--------   C:\WINDOWS\mui
2008-08-24 20:45 . 2008-08-24 20:45   <DIR>   d--------   C:\Program Files\Alwil Software
2008-08-24 17:28 . 2008-08-24 17:28   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Webroot
2008-08-24 17:07 . 2008-08-24 17:07   <DIR>   d--------   C:\Documents and Settings\Administrator
2008-08-23 15:59 . 2008-08-23 15:59   <DIR>   d--------   C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-08-23 15:58 . 2008-08-23 15:59   90,921   --a------   C:\WINDOWS\system32\bdozocczpteyabhz.dll-uninst.exe
2008-08-23 15:41 . 2008-08-23 15:41   64,859   --a------   C:\WINDOWS\system32\hqqmrbtifl.exe
2008-08-23 15:39 . 2008-08-23 15:39   64,896   --a------   C:\WINDOWS\system32\ebvaigdfjelqh.exe
2008-08-23 15:33 . 2008-08-24 16:58   <DIR>   d--hs----   C:\WINDOWS\TWFyY2lhIE11cnBoeQ
2008-08-23 15:33 . 2008-08-23 19:27   <DIR>   d--------   C:\WINDOWS\system32\spol
2008-08-23 15:33 . 2008-08-26 03:23   <DIR>   d--------   C:\WINDOWS\system32\pIT
2008-08-23 15:33 . 2008-08-23 15:33   <DIR>   d--------   C:\WINDOWS\system32\jr
2008-08-23 15:33 . 2008-08-26 03:22   <DIR>   d--------   C:\WINDOWS\system32\eMaxt02
2008-08-23 15:33 . 2008-08-24 16:58   <DIR>   d--------   C:\WINDOWS\system32\drive2
2008-08-23 15:33 . 2008-08-24 16:58   <DIR>   d--------   C:\WINDOWS\system32\Cusp
2008-08-23 15:33 . 2008-08-23 15:33   <DIR>   d--------   C:\Temp\bbc2
2008-08-23 15:33 . 2008-09-03 06:32   <DIR>   d--------   C:\Temp
2008-08-23 15:33 . 2008-08-23 15:33   108,544   --a------   C:\ctfmon.exe
2008-08-23 12:49 . 2008-08-23 12:49   <DIR>   d--------   C:\WINDOWS\system32\scripting
2008-08-23 12:49 . 2008-08-23 12:49   <DIR>   d--------   C:\WINDOWS\system32\en
2008-08-23 12:49 . 2008-08-23 12:49   <DIR>   d--------   C:\WINDOWS\system32\bits
2008-08-23 12:49 . 2008-08-23 12:49   <DIR>   d--------   C:\WINDOWS\l2schemas
2008-08-23 12:45 . 2008-08-23 12:50   <DIR>   d--------   C:\WINDOWS\ServicePackFiles
2008-08-23 12:32 . 2008-08-26 07:19   <DIR>   d--------   C:\WINDOWS\EHome
2008-08-21 22:04 . 2004-08-03 22:41   404,990   ---------   C:\WINDOWS\system32\drivers\slntamr.sys
2008-08-21 22:03 . 2008-04-13 20:12   397,056   ---------   C:\WINDOWS\system32\s3gnb.dll
2008-08-21 22:03 . 2008-04-13 20:12   291,328   ---------   C:\WINDOWS\system32\qagentrt.dll
2008-08-21 22:03 . 2004-08-03 22:29   166,912   ---------   C:\WINDOWS\system32\drivers\s3gnbm.sys
2008-08-21 22:03 . 2008-04-13 20:12   150,528   ---------   C:\WINDOWS\system32\qagent.dll
2008-08-21 22:03 . 2004-08-03 22:41   13,776   ---------   C:\WINDOWS\system32\drivers\recagent.sys
2008-08-21 22:01 . 2008-04-13 20:12   155,136   ---------   C:\WINDOWS\system32\mssha.dll
2008-08-21 22:00 . 2008-04-13 20:11   397,312   ---------   C:\WINDOWS\system32\mmcex.dll
2008-08-21 22:00 . 2008-04-13 20:11   184,320   ---------   C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-08-21 21:59 . 2008-04-13 20:11   86,016   ---------   C:\WINDOWS\system32\mdmxsdk.dll
2008-08-21 21:59 . 2004-08-03 22:41   11,868   ---------   C:\WINDOWS\system32\drivers\mdmxsdk.sys
2008-08-21 21:58 . 2008-04-13 20:09   6,144   ---------   C:\WINDOWS\system32\kbdpash.dll
2008-08-21 21:58 . 2008-04-13 20:09   6,144   ---------   C:\WINDOWS\system32\kbdnepr.dll
2008-08-21 21:58 . 2008-04-13 20:09   6,144   ---------   C:\WINDOWS\system32\kbdiultn.dll
2008-08-21 21:58 . 2008-04-13 20:09   6,144   ---------   C:\WINDOWS\system32\kbdbhc.dll
2008-08-21 21:57 . 2004-08-03 22:41   1,041,536   ---------   C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-08-21 21:57 . 2004-08-03 22:41   685,056   ---------   C:\WINDOWS\system32\drivers\hsfcxts2.sys
2008-08-21 21:57 . 2004-08-03 22:41   220,032   ---------   C:\WINDOWS\system32\drivers\hsfbs2s2.sys
2008-08-21 21:57 . 2008-04-13 12:36   144,384   ---------   C:\WINDOWS\system32\drivers\hdaudbus.sys
2008-08-21 21:57 . 2008-04-13 14:36   46,464   ---------   C:\WINDOWS\system32\drivers\gagp30kx.sys
2008-08-21 21:57 . 2008-04-13 20:11   32,285   ---------   C:\WINDOWS\system32\hsfcisp2.dll
2008-08-21 21:57 . 2008-04-13 14:46   25,600   ---------   C:\WINDOWS\system32\drivers\hidbth.sys
2008-08-21 21:57 . 2007-09-17 04:48   1,261   ---------   C:\WINDOWS\system32\pid.inf
2008-08-21 21:56 . 2008-04-13 20:11   184,832   ---------   C:\WINDOWS\system32\eapp3hst.dll
2008-08-21 21:56 . 2008-04-13 20:11   180,224   ---------   C:\WINDOWS\system32\eapphost.dll
2008-08-21 21:56 . 2008-04-13 20:11   126,976   ---------   C:\WINDOWS\system32\eappcfg.dll
2008-08-21 21:56 . 2008-04-13 20:11   94,208   ---------   C:\WINDOWS\system32\eappgnui.dll
2008-08-21 21:56 . 2006-12-28 15:01   19,569   --a------   C:\WINDOWS\003038_.tmp
2008-08-21 21:55 . 2008-04-13 20:11   650,752   ---------   C:\WINDOWS\system32\dot3ui.dll
2008-08-21 21:55 . 2008-04-13 20:11   132,096   ---------   C:\WINDOWS\system32\dot3svc.dll
2008-08-21 21:55 . 2004-07-17 22:55   129,045   ---------   C:\WINDOWS\system32\drivers\cxthsfs2.cty
2008-08-21 21:55 . 2008-04-13 20:11   15,423   ---------   C:\WINDOWS\system32\drivers\ch7xxnt5.dll
2008-08-21 21:54 . 2008-04-13 14:46   37,888   ---------   C:\WINDOWS\system32\drivers\bthmodem.sys
2008-08-21 21:54 . 2008-04-13 14:46   18,944   ---------   C:\WINDOWS\system32\drivers\bthusb.sys
2008-08-21 21:54 . 2008-04-13 14:46   17,024   ---------   C:\WINDOWS\system32\drivers\bthenum.sys
2008-08-21 21:54 . 2008-04-13 20:11   7,168   ---------   C:\WINDOWS\system32\bitsprx4.dll
2008-08-21 21:51 . 2008-04-13 20:11   4,255   ---------   C:\WINDOWS\system32\drivers\adv01nt5.dll
2008-08-21 21:51 . 2008-04-13 20:11   3,967   ---------   C:\WINDOWS\system32\drivers\adv02nt5.dll
2008-08-21 21:51 . 2008-04-13 20:11   3,775   ---------   C:\WINDOWS\system32\drivers\adv11nt5.dll
2008-08-21 21:51 . 2008-04-13 20:11   3,711   ---------   C:\WINDOWS\system32\drivers\adv09nt5.dll
2008-08-21 21:51 . 2008-04-13 20:11   3,647   ---------   C:\WINDOWS\system32\drivers\adv07nt5.dll
2008-08-21 21:51 . 2008-04-13 20:11   3,615   ---------   C:\WINDOWS\system32\drivers\adv05nt5.dll
2008-08-21 21:51 . 2008-04-13 20:11   3,135   ---------   C:\WINDOWS\system32\drivers\adv08nt5.dll
2008-08-10 12:33 . 2008-08-10 12:33   13,824   --ahs----   C:\WINDOWS\system32\Thumbs.db

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-03 01:46   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-27 03:43   ---------   d-----w   C:\Documents and Settings\Marcia\Application Data\Lavasoft
2008-08-27 00:58   ---------   d-----w   C:\Program Files\SpywareBlaster
2008-08-26 01:58   ---------   d-----w   C:\Program Files\HPQ
2008-08-23 20:59   ---------   d-----w   C:\Program Files\A-squared Free
2008-08-23 20:18   ---------   d-----w   C:\Documents and Settings\Marcia\Application Data\LimeWire
2008-08-22 01:11   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Webroot
2008-08-22 01:10   ---------   d-----w   C:\Program Files\Webroot
2008-08-10 16:32   ---------   d-----w   C:\Program Files\Microsoft Works
2008-08-10 16:32   ---------   d-----w   C:\Program Files\Apoint2K
2008-07-27 12:58   ---------   d-----w   C:\Program Files\Diablo II
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 159744]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-15 335872]
"ATIModeChange"="Ati2mdxx.exe" [2003-12-08 C:\WINDOWS\system32\Ati2mdxx.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-10-30 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 5562368]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000
"NoUserNameInStartMenu"= 01000000

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
backup=C:\WINDOWS\pss\NkvMon.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a------ 2003-07-17 13:50 184412 C:\Program Files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a------ 2003-11-18 08:31 241664 C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 08:00 208952 C:\WINDOWS\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDUiP6000DMon]
--a------ 2004-05-31 14:26 57344 C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDUiP6000DTskbr]
--a------ 2004-05-28 10:29 69632 C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM(135)

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2004-04-14 5632]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 PhDebug32;PhDebug32;c:\bios\hr60\debug32.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5771962-590f-11dd-b222-00023f6e860f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0b5e03b-baeb-11db-8679-00023f6e860f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

Notify-ssqQJcdc - ssqQJcdc.dll
MSConfigStartUp-PHIME2002A - C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
MSConfigStartUp-PHIME2002ASync - C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
MSConfigStartUp-RoxioDragToDisc - C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
MSConfigStartUp-RoxioEngineUtility - C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe
MSConfigStartUp-Zone Labs Client - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
MSConfigStartUp-{393e4b0d-a148-d08c-1943-40d40f2447a3} - C:\WINDOWS\system32\ainulievswzaq.dll
MSConfigStartUp-{73a54190-2c37-6d3b-af96-45f03d1b4375} - C:\WINDOWS\system32\jevmpgtqjtel.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Marcia\Application Data\Mozilla\Firefox\Profiles\uzmhb9sh.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-03 06:37:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-09-03  6:43:11 - machine was rebooted
ComboFix-quarantined-files.txt  2008-09-03 10:43:00

Pre-Run: 22,198,898,688 bytes free
Post-Run: 22,131,109,888 bytes free

285   --- E O F ---   2008-08-27 10:23:13

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
downloaded virus
« Reply #7 on: September 03, 2008, 06:33:13 AM »
Access your Add and Remove Programs and remove anything related to Viewpoint.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
[color="blue"]Updating Java:[/color]
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7".
  • Click the "Download" button to the right.
  • In the window that opens, select Windows >> check the "agree" box and click Continue.
  • Click on the link to download Windows Offline Installation and save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    Examples of older versions in Add or Remove Programs:
      • Java 2 Runtime Environment, SE v1.4.2
      • J2SE Runtime Environment 5.0
      • J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe that you downloaded to install the newest version.
Download [color="#FF0000"]ATF-Cleaner[/color] by Atribune.
Save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
-------------
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Exit ATF-Cleaner from the Main menu.


Afterwards:
Copy ALL the BLUE text below and paste it into Notepad.
Don't use anything other than Notepad or the script will not work.

[color="#0000FF"]File::
C:\WINDOWS\system32\bdozocczpteyabhz.dll-uninst.exe
C:\WINDOWS\system32\hqqmrbtifl.exe
C:\WINDOWS\system32\ebvaigdfjelqh.exe
C:\ctfmon.exe
Folder::
C:\WINDOWS\system32\spol
C:\WINDOWS\system32\pIT
C:\WINDOWS\system32\jr
C:\WINDOWS\system32\eMaxt02
C:\WINDOWS\system32\drive2
C:\WINDOWS\system32\Cusp
C:\Temp\bbc2
DirLook::
C:\Temp

[/color]
Save this as a text file on your desktop, named CFScript.

Then

Drag CFScript.txt into ComboFix.exe
ComboFix will start >> follow the prompts.

When finished, it shall produce a log for you with the same name, C:\ComboFix.txt.

I'll need to see that log again later.
But first, please do the following:
Download Malwarebytes' Anti-Malware from Here or Here.
Save the installer to your desktop.

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
        * When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

With the log from Malwarebytes, can you also post the following:
1. Post the log from ComboFix >> C:\ComboFix.txt
2. And post a fresh HijackThis log

Please keep me informed how things are now running.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
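One way a helper can double-check that the CFScript above did what it was meant to once the follow-up ComboFix log arrives: cross-reference the script's File:: and Folder:: targets against the "Other Deletions" section of the new log. The Python script below is an added example and is not a tool from this forum, from ComboFix or from the helper; it assumes only the two layouts visible in the posts (a CFScript made of "Name::" sections and ComboFix's "(((( title ))))" section banners), and its sample inputs are copied from Reply #7 and the Reply #8 log (the Flash Player cookie paths are cut to one line).

```python
"""Cross-check a ComboFix CFScript against the "Other Deletions" section of
the log ComboFix writes after consuming it.  Added example for this thread,
not a tool from the forum, from ComboFix or from the helper; the sample
script and log excerpt are copied from Reply #7 and Reply #8, and only the
layouts visible there are assumed."""
import re
from typing import Dict, List

# CFScript from Reply #7 (BBCode colour tags removed).
SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\system32\bdozocczpteyabhz.dll-uninst.exe
C:\WINDOWS\system32\hqqmrbtifl.exe
C:\WINDOWS\system32\ebvaigdfjelqh.exe
C:\ctfmon.exe
Folder::
C:\WINDOWS\system32\spol
C:\WINDOWS\system32\pIT
C:\WINDOWS\system32\jr
C:\WINDOWS\system32\eMaxt02
C:\WINDOWS\system32\drive2
C:\WINDOWS\system32\Cusp
C:\Temp\bbc2
DirLook::
C:\Temp
"""

# Excerpt of the Reply #8 log (Flash Player cookie paths cut to one line).
SAMPLE_LOG = r"""(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ctfmon.exe
C:\Documents and Settings\Marcia\Application Data\macromedia\Flash Player\#SharedObjects\J9PHKTT8\bin.clearspring.com
C:\Temp\bbc2
C:\Temp\bbc2\i5dB.log
C:\WINDOWS\system32\bdozocczpteyabhz.dll-uninst.exe
C:\WINDOWS\system32\Cusp
C:\WINDOWS\system32\drive2
C:\WINDOWS\system32\ebvaigdfjelqh.exe
C:\WINDOWS\system32\eMaxt02
C:\WINDOWS\system32\hqqmrbtifl.exe
C:\WINDOWS\system32\jr
C:\WINDOWS\system32\pIT
C:\WINDOWS\system32\spol

.
(((((((((((((((((((((((((   Files Created from 2008-08-03 to 2008-09-03  )))))))))))))))))))))))))))))))
"""

# A ComboFix section banner: a run of '(', the title, a run of ')'.
BANNER_RE = re.compile(r"^\({5,}\s*(.*?)\s*\){5,}$")

def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its 'Name::' sections -> {name: [entry, ...]}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):            # section header such as File::
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def combofix_section(log_text: str, title: str) -> List[str]:
    """Return the entries listed under the banner whose title is `title`."""
    entries: List[str] = []
    inside = False
    for line in (ln.strip() for ln in log_text.splitlines()):
        banner = BANNER_RE.match(line)
        if banner:
            if inside:
                break                      # the next banner ends the section
            inside = banner.group(1) == title
        elif inside and line and line != ".":   # ComboFix pads sections with '.'
            entries.append(line)
    return entries

def verify_cfscript(cfscript_text: str, log_text: str) -> Dict[str, List[str]]:
    """Report which File::/Folder:: targets the log confirms as deleted.
    Paths compare case-insensitively, as Windows does; non-deleting sections
    (DirLook:: here) go under 'not_deletions' so no script line is skipped."""
    deleted = {p.lower() for p in combofix_section(log_text, "Other Deletions")}
    result: Dict[str, List[str]] = {"confirmed": [], "missing": [], "not_deletions": []}
    for section, entries in parse_cfscript(cfscript_text).items():
        for entry in entries:
            if section in ("File", "Folder"):
                result["confirmed" if entry.lower() in deleted else "missing"].append(entry)
            else:
                result["not_deletions"].append(f"{section}:: {entry}")
    return result

if __name__ == "__main__":
    for status, paths in verify_cfscript(SAMPLE_CFSCRIPT, SAMPLE_LOG).items():
        print(f"{status} ({len(paths)}):")
        for path in paths:
            print("   ", path)
```

On the thread's own data every File:: and Folder:: target shows up under "Other Deletions", so "missing" comes back empty; a target that ComboFix could not remove (locked, or already gone) would land there instead and is the line worth asking about in the next reply. DirLook:: C:\Temp is reported separately because it only lists a directory and deletes nothing.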


Offline Marcia

  • Jr. Member
  • **
  • Posts: 56
  • Karma: +0/-0
downloaded virus
« Reply #8 on: September 03, 2008, 07:42:18 PM »
I tried everything you told me. I downloaded ATF-Cleaner but couldn't run it. I got the following error: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I tried downloading from another site and got the same error message.

I did update Java, ran ComboFix and MBAM, and another HijackThis. All the logs will follow.

On another note, I still have to press F1 to get Windows to boot. I tried pressing ESC before Windows tries to boot to change the boot order (just to see what's up) and I got a message that an imminent boot failure may arise (or something along that line).

ComboFix 08-09-01.05 - Marcia 2008-09-03 19:45:04.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.582 [GMT -4:00]
Running from: C:\Documents and Settings\Marcia\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Marcia\Desktop\CFScript.txt
 * Created a new restore point

[color="red"]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ctfmon.exe
C:\Documents and Settings\Marcia\Application Data\macromedia\Flash Player\#SharedObjects\J9PHKTT8\bin.clearspring.com
C:\Documents and Settings\Marcia\Application Data\macromedia\Flash Player\#SharedObjects\J9PHKTT8\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Marcia\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Marcia\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Temp\bbc2
C:\Temp\bbc2\i5dB.log
C:\WINDOWS\system32\bdozocczpteyabhz.dll-uninst.exe
C:\WINDOWS\system32\Cusp
C:\WINDOWS\system32\drive2
C:\WINDOWS\system32\ebvaigdfjelqh.exe
C:\WINDOWS\system32\eMaxt02
C:\WINDOWS\system32\hqqmrbtifl.exe
C:\WINDOWS\system32\jr
C:\WINDOWS\system32\jr\vgrem084.exe
C:\WINDOWS\system32\pIT
C:\WINDOWS\system32\spol

.
(((((((((((((((((((((((((   Files Created from 2008-08-03 to 2008-09-03  )))))))))))))))))))))))))))))))
.

2008-09-03 18:28 . 2008-09-03 18:28   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-09-03 18:28 . 2008-09-03 18:28   <DIR>   d--------   C:\Documents and Settings\Marcia\Application Data\Malwarebytes
2008-09-03 18:28 . 2008-09-03 18:28   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 18:28 . 2008-09-02 00:16   38,528   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-03 18:28 . 2008-09-02 00:16   17,200   --a------   C:\WINDOWS\system32\drivers\mbam.sys
2008-09-03 18:21 . 2008-09-03 18:21   <DIR>   d--h-----   C:\WINDOWS\PIF
2008-09-03 18:12 . 2008-09-03 18:12   <DIR>   d--------   C:\Program Files\Sun
2008-09-02 21:46 . 2008-09-02 21:48   <DIR>   d--------   C:\Program Files\QuickTime
2008-09-02 21:44 . 2008-09-02 21:44   <DIR>   d--------   C:\Program Files\Apple Software Update
2008-09-02 21:44 . 2008-09-02 21:44   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Apple
2008-09-02 21:30 . 2008-09-02 21:30   <DIR>   d--------   C:\Program Files\Trend Micro
2008-08-26 20:55 . 2008-08-26 20:55   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-26 16:53 . 2008-06-23 12:57   6,066,176   -----c---   C:\WINDOWS\system32\dllcache\ieframe.dll
2008-08-26 16:53 . 2007-04-17 05:32   2,455,488   -----c---   C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-08-26 16:53 . 2007-03-08 01:10   991,232   -----c---   C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-08-26 16:53 . 2008-06-23 12:57   459,264   -----c---   C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-08-26 16:53 . 2008-06-23 12:57   383,488   -----c---   C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-08-26 16:53 . 2008-06-23 12:57   267,776   -----c---   C:\WINDOWS\system32\dllcache\iertutil.dll
2008-08-26 16:53 . 2008-06-23 12:57   63,488   -----c---   C:\WINDOWS\system32\dllcache\icardie.dll
2008-08-26 16:53 . 2008-06-23 12:57   52,224   -----c---   C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-08-26 16:53 . 2008-06-23 05:20   13,824   -----c---   C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-08-26 16:30 . 2008-05-01 10:33   331,776   -----c---   C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-26 16:30 . 2008-05-08 10:02   203,136   -----c---   C:\WINDOWS\system32\dllcache\rmcast.sys
2008-08-26 16:14 . 2008-08-26 16:15   <DIR>   d--------   C:\Program Files\MobilityDotNET
2008-08-26 15:33 . 2008-08-26 15:33   <DIR>   d--------   C:\ATI
2008-08-26 14:01 . 2008-08-26 14:01   <DIR>   d--------   C:\Dell
2008-08-26 13:04 . 2008-08-26 13:04   <DIR>   d--------   C:\bios
2008-08-26 08:04 . 2008-04-11 15:04   691,712   -----c---   C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-26 08:04 . 2008-07-07 16:26   253,952   -----c---   C:\WINDOWS\system32\dllcache\es.dll
2008-08-26 07:07 . 2008-04-13 20:12   1,306,624   -----c---   C:\WINDOWS\system32\dllcache\msxml6.dll
2008-08-26 07:07 . 2008-04-13 13:27   79,872   -----c---   C:\WINDOWS\system32\dllcache\msxml6r.dll
2008-08-26 07:06 . 2006-12-28 15:01   19,569   --a------   C:\WINDOWS\005786_.tmp
2008-08-26 00:09 . 2007-08-13 18:06   56,700   --a------   C:\WINDOWS\system32\ieuinit.inf
2008-08-26 00:09 . 2004-08-02 14:20   7,208   ---------   C:\WINDOWS\system32\secupd.sig
2008-08-26 00:09 . 2004-08-02 14:20   4,569   ---------   C:\WINDOWS\system32\secupd.dat
2008-08-25 23:30 . 2008-04-13 20:12   354,304   --a------   C:\WINDOWS\system32\winhttp.dll
2008-08-25 23:30 . 2008-04-13 20:12   18,944   --a------   C:\WINDOWS\system32\qmgrprxy.dll
2008-08-25 22:53 . 2008-07-18 22:09   215,752   --a------   C:\WINDOWS\system32\wuaucpl.cpl
2008-08-25 21:53 . 2008-08-25 21:53   1,904   -rahs----   C:\WINDOWS\system32\drivers\HP_Pavilion zv5000 (DZ329U ABA)_YN_Pavi_QCND410_E_4_I089C_SHP_V31.31_BF.12_T040216_WXH1_L409_M896_J40_7Intel_8Celeron_92.8_1_N10EC8139_P104CAC55_Z1002434D_K_A10024341_U10024347_G10025835_OTEAC DW-224E-A_D.MRK
2008-08-25 21:44 . 2002-10-23 08:38   24,576   --a------   C:\WINDOWS\system32\xpsp1hfm.exe
2008-08-25 21:38 . 2003-10-30 09:40   1,205,324   -ra------   C:\WINDOWS\system32\drivers\AGRSM.sys
2008-08-25 21:38 . 2003-10-30 09:40   88,363   -ra------   C:\WINDOWS\AGRSMMSG.exe
2008-08-25 21:38 . 2003-10-30 09:40   64,512   -ra------   C:\WINDOWS\agrsmdel.exe
2008-08-25 21:31 . 2008-04-13 15:19   146,048   --a------   C:\WINDOWS\system32\drivers\portcls.sys
2008-08-25 21:31 . 2008-04-13 14:45   60,160   --a------   C:\WINDOWS\system32\drivers\drmk.sys
2008-08-25 21:31 . 2002-11-06 20:00   40,820   --a------   C:\WINDOWS\system32\Syncor11.dll
2008-08-25 20:49 . 2003-03-31 15:00   41,600   --a--c---   C:\WINDOWS\system32\dllcache\weitekp9.dll
2008-08-25 20:49 . 2003-03-31 15:00   31,232   --a--c---   C:\WINDOWS\system32\dllcache\weitekp9.sys
2008-08-25 20:47 . 2003-03-31 15:00   10,096,640   --a--c---   C:\WINDOWS\system32\dllcache\hwxcht.dll
2008-08-25 20:46 . 2001-08-17 22:36   2,134,528   --a--c---   C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll
2008-08-25 20:45 . 2008-08-25 20:45   299,552   --a------   C:\WINDOWS\WMSysPrx.prx
2008-08-25 20:45 . 2008-08-25 21:07   25,065   --a------   C:\WINDOWS\system32\wmpscheme.xml
2008-08-25 20:44 . 2008-08-25 20:44   488   -rah-----   C:\WINDOWS\system32\logonui.exe.manifest
2008-08-25 20:42 . 2008-04-11 15:04   691,712   --a------   C:\WINDOWS\system32\inetcomm.dll
2008-08-25 20:40 . 2008-04-13 20:11   2,061,824   --a------   C:\WINDOWS\system32\mstscax.dll
2008-08-25 20:34 . 2008-04-13 14:45   52,864   --a------   C:\WINDOWS\system32\drivers\dmusic.sys
2008-08-25 20:34 . 2008-04-13 14:45   6,272   --a------   C:\WINDOWS\system32\drivers\splitter.sys
2008-08-25 20:33 . 2008-04-13 14:40   57,600   --a------   C:\WINDOWS\system32\drivers\redbook.sys
2008-08-25 20:32 . 2003-12-08 00:18   229,376   --a------   C:\WINDOWS\system32\atiiiexx.dll
2008-08-25 20:27 . 2003-03-31 15:00   13,608   -ra------   C:\WINDOWS\SET51.tmp
2008-08-25 20:26 . 2003-03-31 15:00   1,086,182   -ra------   C:\WINDOWS\SET43.tmp
2008-08-25 19:47 . 2008-04-13 20:13   40,840   --a------   C:\WINDOWS\system32\drivers\termdd.sys
2008-08-25 19:37 . 2008-08-25 23:33   1,089,141   --a------   C:\WINDOWS\setupapi.log.0.old
2008-08-25 14:22 . 2008-08-25 14:22   <DIR>   d--------   C:\WINDOWS\mui
2008-08-24 20:45 . 2008-08-24 20:45   <DIR>   d--------   C:\Program Files\Alwil Software
2008-08-24 17:28 . 2008-08-24 17:28   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Webroot
2008-08-24 17:07 . 2008-08-24 17:07   <DIR>   d--------   C:\Documents and Settings\Administrator
2008-08-23 15:59 . 2008-08-23 15:59   <DIR>   d--------   C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-08-23 15:33 . 2008-08-24 16:58   <DIR>   d--hs----   C:\WINDOWS\TWFyY2lhIE11cnBoeQ
2008-08-23 15:33 . 2008-09-03 19:46   <DIR>   d--------   C:\Temp
2008-08-23 12:49 . 2008-08-23 12:49   <DIR>   d--------   C:\WINDOWS\system32\scripting
2008-08-23 12:49 . 2008-08-23 12:49   <DIR>   d--------   C:\WINDOWS\system32\en
2008-08-23 12:49 . 2008-08-23 12:49   <DIR>   d--------   C:\WINDOWS\system32\bits
2008-08-23 12:49 . 2008-08-23 12:49   <DIR>   d--------   C:\WINDOWS\l2schemas
2008-08-23 12:45 . 2008-08-23 12:50   <DIR>   d--------   C:\WINDOWS\ServicePackFiles
2008-08-23 12:32 . 2008-08-26 07:19   <DIR>   d--------   C:\WINDOWS\EHome
2008-08-21 22:04 . 2004-08-03 22:41   404,990   ---------   C:\WINDOWS\system32\drivers\slntamr.sys
2008-08-21 22:03 . 2008-04-13 20:12   397,056   ---------   C:\WINDOWS\system32\s3gnb.dll
2008-08-21 22:03 . 2008-04-13 20:12   291,328   ---------   C:\WINDOWS\system32\qagentrt.dll
2008-08-21 22:03 . 2004-08-03 22:29   166,912   ---------   C:\WINDOWS\system32\drivers\s3gnbm.sys
2008-08-21 22:03 . 2008-04-13 20:12   150,528   ---------   C:\WINDOWS\system32\qagent.dll
2008-08-21 22:03 . 2004-08-03 22:41   13,776   ---------   C:\WINDOWS\system32\drivers\recagent.sys
2008-08-21 22:01 . 2008-04-13 20:12   155,136   ---------   C:\WINDOWS\system32\mssha.dll
2008-08-21 22:00 . 2008-04-13 20:11   397,312   ---------   C:\WINDOWS\system32\mmcex.dll
2008-08-21 22:00 . 2008-04-13 20:11   184,320   ---------   C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-08-21 21:59 . 2008-04-13 20:11   86,016   ---------   C:\WINDOWS\system32\mdmxsdk.dll
2008-08-21 21:59 . 2004-08-03 22:41   11,868   ---------   C:\WINDOWS\system32\drivers\mdmxsdk.sys
2008-08-21 21:58 . 2008-04-13 20:09   6,144   ---------   C:\WINDOWS\system32\kbdpash.dll
2008-08-21 21:58 . 2008-04-13 20:09   6,144   ---------   C:\WINDOWS\system32\kbdnepr.dll
2008-08-21 21:58 . 2008-04-13 20:09   6,144   ---------   C:\WINDOWS\system32\kbdiultn.dll
2008-08-21 21:58 . 2008-04-13 20:09   6,144   ---------   C:\WINDOWS\system32\kbdbhc.dll
2008-08-21 21:57 . 2004-08-03 22:41   1,041,536   ---------   C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-08-21 21:57 . 2004-08-03 22:41   685,056   ---------   C:\WINDOWS\system32\drivers\hsfcxts2.sys
2008-08-21 21:57 . 2004-08-03 22:41   220,032   ---------   C:\WINDOWS\system32\drivers\hsfbs2s2.sys
2008-08-21 21:57 . 2008-04-13 12:36   144,384   ---------   C:\WINDOWS\system32\drivers\hdaudbus.sys
2008-08-21 21:57 . 2008-04-13 14:36   46,464   ---------   C:\WINDOWS\system32\drivers\gagp30kx.sys
2008-08-21 21:57 . 2008-04-13 20:11   32,285   ---------   C:\WINDOWS\system32\hsfcisp2.dll
2008-08-21 21:57 . 2008-04-13 14:46   25,600   ---------   C:\WINDOWS\system32\drivers\hidbth.sys
2008-08-21 21:57 . 2007-09-17 04:48   1,261   ---------   C:\WINDOWS\system32\pid.inf
2008-08-21 21:56 . 2008-04-13 20:11   184,832   ---------   C:\WINDOWS\system32\eapp3hst.dll
2008-08-21 21:56 . 2008-04-13 20:11   180,224   ---------   C:\WINDOWS\system32\eapphost.dll
2008-08-21 21:56 . 2008-04-13 20:11   126,976   ---------   C:\WINDOWS\system32\eappcfg.dll
2008-08-21 21:56 . 2008-04-13 20:11   94,208   ---------   C:\WINDOWS\system32\eappgnui.dll
2008-08-21 21:56 . 2006-12-28 15:01   19,569   --a------   C:\WINDOWS\003038_.tmp
2008-08-21 21:55 . 2008-04-13 20:11   650,752   ---------   C:\WINDOWS\system32\dot3ui.dll
2008-08-21 21:55 . 2008-04-13 20:11   132,096   ---------   C:\WINDOWS\system32\dot3svc.dll
2008-08-21 21:55 . 2004-07-17 22:55   129,045   ---------   C:\WINDOWS\system32\drivers\cxthsfs2.cty
2008-08-21 21:55 . 2008-04-13 20:11   15,423   ---------   C:\WINDOWS\system32\drivers\ch7xxnt5.dll
2008-08-21 21:54 . 2008-04-13 14:46   37,888   ---------   C:\WINDOWS\system32\drivers\bthmodem.sys
2008-08-21 21:54 . 2008-04-13 14:46   18,944   ---------   C:\WINDOWS\system32\drivers\bthusb.sys
2008-08-21 21:54 . 2008-04-13 14:46   17,024   ---------   C:\WINDOWS\system32\drivers\bthenum.sys
2008-08-21 21:54 . 2008-04-13 20:11   7,168   ---------   C:\WINDOWS\system32\bitsprx4.dll
2008-08-21 21:51 . 2008-04-13 20:11   4,255   ---------   C:\WINDOWS\system32\drivers\adv01nt5.dll
2008-08-21 21:51 . 2008-04-13 20:11   3,967   ---------   C:\WINDOWS\system32\drivers\adv02nt5.dll
2008-08-21 21:51 . 2008-04-13 20:11   3,775   ---------   C:\WINDOWS\system32\drivers\adv11nt5.dll
2008-08-21 21:51 . 2008-04-13 20:11   3,711   ---------   C:\WINDOWS\system32\drivers\adv09nt5.dll
2008-08-21 21:51 . 2008-04-13 20:11   3,647   ---------   C:\WINDOWS\system32\drivers\adv07nt5.dll
2008-08-21 21:51 . 2008-04-13 20:11   3,615   ---------   C:\WINDOWS\system32\drivers\adv05nt5.dll
2008-08-21 21:51 . 2008-04-13 20:11   3,135   ---------   C:\WINDOWS\system32\drivers\adv08nt5.dll
2008-08-10 12:33 . 2008-08-10 12:33   13,824   --ahs----   C:\WINDOWS\system32\Thumbs.db

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-03 22:16   ---------   d-----w   C:\Program Files\Java
2008-09-03 21:45   ---------   d-----w   C:\Documents and Settings\Marcia\Application Data\Viewpoint
2008-09-03 21:45   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-09-03 01:46   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-27 03:43   ---------   d-----w   C:\Documents and Settings\Marcia\Application Data\Lavasoft
2008-08-27 00:58   ---------   d-----w   C:\Program Files\SpywareBlaster
2008-08-26 01:58   ---------   d-----w   C:\Program Files\HPQ
2008-08-23 20:59   ---------   d-----w   C:\Program Files\A-squared Free
2008-08-23 20:18   ---------   d-----w   C:\Documents and Settings\Marcia\Application Data\LimeWire
2008-08-22 01:11   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Webroot
2008-08-22 01:10   ---------   d-----w   C:\Program Files\Webroot
2008-08-10 16:32   ---------   d-----w   C:\Program Files\Microsoft Works
2008-08-10 16:32   ---------   d-----w   C:\Program Files\Apoint2K
2008-07-27 12:58   ---------   d-----w   C:\Program Files\Diablo II
2008-07-27 12:55   43,520   ----a-w   C:\WINDOWS\system32\CmdLineExt03.dll
2008-07-19 02:10   94,920   ----a-w   C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10   53,448   ----a-w   C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10   45,768   ----a-w   C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10   36,552   ----a-w   C:\WINDOWS\system32\wups.dll
2008-07-19 02:09   563,912   ----a-w   C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09   325,832   ----a-w   C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09   205,000   ----a-w   C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09   1,811,656   ----a-w   C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:26   253,952   ----a-w   C:\WINDOWS\system32\es.dll
2008-07-02 17:26   173,448   ----a-w   C:\WINDOWS\system32\wdfproc.dll
2008-06-24 16:43   74,240   ----a-w   C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57   826,368   ----a-w   C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46   245,248   ----a-w   C:\WINDOWS\system32\mswsock.dll
2008-06-11 00:04   200,704   ----a-w   C:\WINDOWS\system32\ssldivx.dll
2008-06-11 00:04   1,044,480   ----a-w   C:\WINDOWS\system32\libdivx.dll
.

((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Temp ----

2008-08-23 15:33   1858   --a------   C:\Temp\bbc2\i5dB.log


(((((((((((((((((((((((((((((   snapshot@2008-09-03_ 6.42.10.37   )))))))))))))))))))))))))))))))))))))))))
.
- 2007-03-14 04:31:24   135,168   ----a-w   C:\WINDOWS\system32\java.exe
+ 2008-06-10 05:21:01   135,168   ----a-w   C:\WINDOWS\system32\java.exe
- 2007-03-14 04:31:28   135,168   ----a-w   C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 05:21:04   135,168   ----a-w   C:\WINDOWS\system32\javaw.exe
- 2007-03-14 06:04:46   139,264   ----a-w   C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 06:32:34   139,264   ----a-w   C:\WINDOWS\system32\javaws.exe
+ 2008-09-03 22:03:00   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_5c0.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 159744]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-15 335872]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ATIModeChange"="Ati2mdxx.exe" [2003-12-08 C:\WINDOWS\system32\Ati2mdxx.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-10-30 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 5562368]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000
"NoUserNameInStartMenu"= 01000000

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
backup=C:\WINDOWS\pss\NkvMon.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a------ 2003-07-17 13:50 184412 C:\Program Files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a------ 2003-11-18 08:31 241664 C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 08:00 208952 C:\WINDOWS\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDUiP6000DMon]
--a------ 2004-05-31 14:26 57344 C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDUiP6000DTskbr]
--a------ 2004-05-28 10:29 69632 C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM(135)

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2004-04-14 5632]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
S3 PhDebug32;PhDebug32;c:\bios\hr60\debug32.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5771962-590f-11dd-b222-00023f6e860f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0b5e03b-baeb-11db-8679-00023f6e860f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-03 19:49:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-09-03 19:51:27
ComboFix-quarantined-files.txt  2008-09-03 23:51:14
ComboFix2.txt  2008-09-03 10:43:16

Pre-Run: 21,450,178,560 bytes free
Post-Run: 21,437,878,272 bytes free

278   --- E O F ---   2008-08-27 10:23:13

Malwarebytes' Anti-Malware 1.26
Database version: 1111
Windows 5.1.2600 Service Pack 3

9/3/2008 8:43:42 PM
mbam-log-2008-09-03 (20-43-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 109912
Time elapsed: 48 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\radbanner (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\agadoo (Adware.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\jr\vgrem084.exe.vir (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D1201D15-CDD8-4B90-9D40-5B44D346E2E9}\RP38\A0012079.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\cleanup.bat (Trojan.Agent) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:46, on 9/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6130 bytes

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
downloaded virus
« Reply #9 on: September 06, 2008, 10:24:42 AM »
Quote
On another note I still have to press F1 to get Windows to boot. I tried pressing ESC before Windows tries to boot to change boot order (just to see what's up) and I got a message that an imminent boot failure may arise (or something along that line).
I can only guess what the error is, but it sounds as if the hard drive may be starting to fail.
I suggest that, just in case, you back up important files/folders.

Can we redo CFScript please?

Delete cfscript.txt on the desktop; we're going to redo this step.
Copy ALL the script text below and paste it into Notepad.
Don't use anything other than Notepad or the script will not work.

Folder::
C:\WINDOWS\TWFyY2lhIE11cnBoeQ
C:\Temp
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

Save this as a text file on your desktop named CFScript.

Then

Drag CFScript.txt onto ComboFix.exe.
ComboFix will start; follow the prompts.

When finished, it should produce a log for you with the same name, C:\ComboFix.txt.
If ComboFix did not need to restart the computer, can you reboot manually?

Post the log from ComboFix please.

Can you also let me know the exact make/model of your computer?

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Marcia

  • Jr. Member
  • **
  • Posts: 56
  • Karma: +0/-0
downloaded virus
« Reply #10 on: September 06, 2008, 12:28:28 PM »
I have an HP Pavilion zv5000 with an Intel Celeron CPU 2.80 GHz.

ComboFix 08-09-05.02 - Marcia 2008-09-06 13:44:51.3 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.553 [GMT -4:00]
Running from: C:\Documents and Settings\Marcia\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Marcia\Desktop\CFScript.txt
 * Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Marcia\Cookies\marcia@revsci[2].txt
C:\Temp
C:\WINDOWS\TWFyY2lhIE11cnBoeQ

.
(((((((((((((((((((((((((   Files Created from 2008-08-06 to 2008-09-06  )))))))))))))))))))))))))))))))
.

2008-09-03 18:28 . 2008-09-03 18:28   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-09-03 18:28 . 2008-09-03 18:28   <DIR>   d--------   C:\Documents and Settings\Marcia\Application Data\Malwarebytes
2008-09-03 18:28 . 2008-09-03 18:28   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 18:28 . 2008-09-02 00:16   38,528   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-03 18:28 . 2008-09-02 00:16   17,200   --a------   C:\WINDOWS\system32\drivers\mbam.sys
2008-09-03 18:21 . 2008-09-03 18:21   <DIR>   d--h-----   C:\WINDOWS\PIF
2008-09-03 18:12 . 2008-09-03 18:12   <DIR>   d--------   C:\Program Files\Sun
2008-09-02 21:46 . 2008-09-02 21:48   <DIR>   d--------   C:\Program Files\QuickTime
2008-09-02 21:44 . 2008-09-02 21:44   <DIR>   d--------   C:\Program Files\Apple Software Update
2008-09-02 21:44 . 2008-09-02 21:44   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Apple
2008-09-02 21:30 . 2008-09-02 21:30   <DIR>   d--------   C:\Program Files\Trend Micro
2008-08-26 20:55 . 2008-08-26 20:55   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-26 16:53 . 2008-06-23 12:57   6,066,176   -----c---   C:\WINDOWS\system32\dllcache\ieframe.dll
2008-08-26 16:53 . 2007-04-17 05:32   2,455,488   -----c---   C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-08-26 16:53 . 2007-03-08 01:10   991,232   -----c---   C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-08-26 16:53 . 2008-06-23 12:57   459,264   -----c---   C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-08-26 16:53 . 2008-06-23 12:57   383,488   -----c---   C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-08-26 16:53 . 2008-06-23 12:57   267,776   -----c---   C:\WINDOWS\system32\dllcache\iertutil.dll
2008-08-26 16:53 . 2008-06-23 12:57   63,488   -----c---   C:\WINDOWS\system32\dllcache\icardie.dll
2008-08-26 16:53 . 2008-06-23 12:57   52,224   -----c---   C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-08-26 16:53 . 2008-06-23 05:20   13,824   -----c---   C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-08-26 16:30 . 2008-05-01 10:33   331,776   -----c---   C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-26 16:30 . 2008-05-08 10:02   203,136   -----c---   C:\WINDOWS\system32\dllcache\rmcast.sys
2008-08-26 16:14 . 2008-08-26 16:15   <DIR>   d--------   C:\Program Files\MobilityDotNET
2008-08-26 15:33 . 2008-08-26 15:33   <DIR>   d--------   C:\ATI
2008-08-26 14:01 . 2008-08-26 14:01   <DIR>   d--------   C:\Dell
2008-08-26 13:04 . 2008-08-26 13:04   <DIR>   d--------   C:\bios
2008-08-26 08:04 . 2008-04-11 15:04   691,712   -----c---   C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-26 08:04 . 2008-07-07 16:26   253,952   -----c---   C:\WINDOWS\system32\dllcache\es.dll
2008-08-26 07:07 . 2008-04-13 20:12   1,306,624   -----c---   C:\WINDOWS\system32\dllcache\msxml6.dll
2008-08-26 07:07 . 2008-04-13 13:27   79,872   -----c---   C:\WINDOWS\system32\dllcache\msxml6r.dll
2008-08-26 07:06 . 2006-12-28 15:01   19,569   --a------   C:\WINDOWS\005786_.tmp
2008-08-26 00:09 . 2007-08-13 18:06   56,700   --a------   C:\WINDOWS\system32\ieuinit.inf
2008-08-26 00:09 . 2004-08-02 14:20   7,208   ---------   C:\WINDOWS\system32\secupd.sig
2008-08-26 00:09 . 2004-08-02 14:20   4,569   ---------   C:\WINDOWS\system32\secupd.dat
2008-08-25 23:30 . 2008-04-13 20:12   354,304   --a------   C:\WINDOWS\system32\winhttp.dll
2008-08-25 23:30 . 2008-04-13 20:12   18,944   --a------   C:\WINDOWS\system32\qmgrprxy.dll
2008-08-25 22:53 . 2008-07-18 22:09   215,752   --a------   C:\WINDOWS\system32\wuaucpl.cpl
2008-08-25 21:53 . 2008-08-25 21:53   1,904   -rahs----   C:\WINDOWS\system32\drivers\HP_Pavilion zv5000 (DZ329U ABA)_YN_Pavi_QCND410_E_4_I089C_SHP_V31.31_BF.12_T040216_WXH1_L409_M896_J40_7Intel_8Celeron_92.8_1_N10EC8139_P104CAC55_Z1002434D_K_A10024341_U10024347_G10025835_OTEAC DW-224E-A_D.MRK
2008-08-25 21:44 . 2002-10-23 08:38   24,576   --a------   C:\WINDOWS\system32\xpsp1hfm.exe
2008-08-25 21:38 . 2003-10-30 09:40   1,205,324   -ra------   C:\WINDOWS\system32\drivers\AGRSM.sys
2008-08-25 21:38 . 2003-10-30 09:40   88,363   -ra------   C:\WINDOWS\AGRSMMSG.exe
2008-08-25 21:38 . 2003-10-30 09:40   64,512   -ra------   C:\WINDOWS\agrsmdel.exe
2008-08-25 21:31 . 2008-04-13 15:19   146,048   --a------   C:\WINDOWS\system32\drivers\portcls.sys
2008-08-25 21:31 . 2008-04-13 14:45   60,160   --a------   C:\WINDOWS\system32\drivers\drmk.sys
2008-08-25 21:31 . 2002-11-06 20:00   40,820   --a------   C:\WINDOWS\system32\Syncor11.dll
2008-08-25 20:49 . 2003-03-31 15:00   41,600   --a--c---   C:\WINDOWS\system32\dllcache\weitekp9.dll
2008-08-25 20:49 . 2003-03-31 15:00   31,232   --a--c---   C:\WINDOWS\system32\dllcache\weitekp9.sys
2008-08-25 20:47 . 2003-03-31 15:00   10,096,640   --a--c---   C:\WINDOWS\system32\dllcache\hwxcht.dll
2008-08-25 20:46 . 2001-08-17 22:36   2,134,528   --a--c---   C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll
2008-08-25 20:45 . 2008-08-25 20:45   299,552   --a------   C:\WINDOWS\WMSysPrx.prx
2008-08-25 20:45 . 2008-08-25 21:07   25,065   --a------   C:\WINDOWS\system32\wmpscheme.xml
2008-08-25 20:44 . 2008-08-25 20:44   488   -rah-----   C:\WINDOWS\system32\logonui.exe.manifest
2008-08-25 20:42 . 2008-04-11 15:04   691,712   --a------   C:\WINDOWS\system32\inetcomm.dll
2008-08-25 20:40 . 2008-04-13 20:11   2,061,824   --a------   C:\WINDOWS\system32\mstscax.dll
2008-08-25 20:34 . 2008-04-13 14:45   52,864   --a------   C:\WINDOWS\system32\drivers\dmusic.sys
2008-08-25 20:34 . 2008-04-13 14:45   6,272   --a------   C:\WINDOWS\system32\drivers\splitter.sys
2008-08-25 20:33 . 2008-04-13 14:40   57,600   --a------   C:\WINDOWS\system32\drivers\redbook.sys
2008-08-25 20:32 . 2003-12-08 00:18   229,376   --a------   C:\WINDOWS\system32\atiiiexx.dll
2008-08-25 20:27 . 2003-03-31 15:00   13,608   -ra------   C:\WINDOWS\SET51.tmp
2008-08-25 20:26 . 2003-03-31 15:00   1,086,182   -ra------   C:\WINDOWS\SET43.tmp
2008-08-25 19:47 . 2008-04-13 20:13   40,840   --a------   C:\WINDOWS\system32\drivers\termdd.sys
2008-08-25 19:37 . 2008-08-25 23:33   1,089,141   --a------   C:\WINDOWS\setupapi.log.0.old
2008-08-25 14:22 . 2008-08-25 14:22   <DIR>   d--------   C:\WINDOWS\mui
2008-08-24 20:45 . 2008-08-24 20:45   <DIR>   d--------   C:\Program Files\Alwil Software
2008-08-24 17:28 . 2008-08-24 17:28   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Webroot
2008-08-24 17:07 . 2008-08-24 17:07   <DIR>   d--------   C:\Documents and Settings\Administrator
2008-08-23 15:59 . 2008-08-23 15:59   <DIR>   d--------   C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-08-23 12:49 . 2008-08-23 12:49   <DIR>   d--------   C:\WINDOWS\system32\scripting
2008-08-23 12:49 . 2008-08-23 12:49   <DIR>   d--------   C:\WINDOWS\system32\en
2008-08-23 12:49 . 2008-08-23 12:49   <DIR>   d--------   C:\WINDOWS\system32\bits
2008-08-23 12:49 . 2008-08-23 12:49   <DIR>   d--------   C:\WINDOWS\l2schemas
2008-08-23 12:45 . 2008-08-23 12:50   <DIR>   d--------   C:\WINDOWS\ServicePackFiles
2008-08-23 12:32 . 2008-08-26 07:19   <DIR>   d--------   C:\WINDOWS\EHome
2008-08-21 22:04 . 2004-08-03 22:41   404,990   ---------   C:\WINDOWS\system32\drivers\slntamr.sys
2008-08-21 22:03 . 2008-04-13 20:12   397,056   ---------   C:\WINDOWS\system32\s3gnb.dll
2008-08-21 22:03 . 2008-04-13 20:12   291,328   ---------   C:\WINDOWS\system32\qagentrt.dll
2008-08-21 22:03 . 2004-08-03 22:29   166,912   ---------   C:\WINDOWS\system32\drivers\s3gnbm.sys
2008-08-21 22:03 . 2008-04-13 20:12   150,528   ---------   C:\WINDOWS\system32\qagent.dll
2008-08-21 22:03 . 2004-08-03 22:41   13,776   ---------   C:\WINDOWS\system32\drivers\recagent.sys
2008-08-21 22:01 . 2008-04-13 20:12   155,136   ---------   C:\WINDOWS\system32\mssha.dll
2008-08-21 22:00 . 2008-04-13 20:11   397,312   ---------   C:\WINDOWS\system32\mmcex.dll
2008-08-21 22:00 . 2008-04-13 20:11   184,320   ---------   C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-08-21 21:59 . 2008-04-13 20:11   86,016   ---------   C:\WINDOWS\system32\mdmxsdk.dll
2008-08-21 21:59 . 2004-08-03 22:41   11,868   ---------   C:\WINDOWS\system32\drivers\mdmxsdk.sys
2008-08-21 21:58 . 2008-04-13 20:09   6,144   --a------   C:\WINDOWS\system32\kbdpash.dll
2008-08-21 21:58 . 2008-04-13 20:09   6,144   --a------   C:\WINDOWS\system32\kbdnepr.dll
2008-08-21 21:58 . 2008-04-13 20:09   6,144   ---------   C:\WINDOWS\system32\kbdiultn.dll
2008-08-21 21:58 . 2008-04-13 20:09   6,144   ---------   C:\WINDOWS\system32\kbdbhc.dll
2008-08-21 21:58 . 2008-04-13 20:09   6,144   --a--c---   C:\WINDOWS\system32\dllcache\kbdpash.dll
2008-08-21 21:58 . 2008-04-13 20:09   6,144   --a--c---   C:\WINDOWS\system32\dllcache\kbdnepr.dll
2008-08-21 21:57 . 2004-08-03 22:41   1,041,536   ---------   C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-08-21 21:57 . 2004-08-03 22:41   685,056   ---------   C:\WINDOWS\system32\drivers\hsfcxts2.sys
2008-08-21 21:57 . 2004-08-03 22:41   220,032   ---------   C:\WINDOWS\system32\drivers\hsfbs2s2.sys
2008-08-21 21:57 . 2008-04-13 12:36   144,384   ---------   C:\WINDOWS\system32\drivers\hdaudbus.sys
2008-08-21 21:57 . 2008-04-13 14:36   46,464   ---------   C:\WINDOWS\system32\drivers\gagp30kx.sys
2008-08-21 21:57 . 2008-04-13 20:11   32,285   ---------   C:\WINDOWS\system32\hsfcisp2.dll
2008-08-21 21:57 . 2008-04-13 14:46   25,600   ---------   C:\WINDOWS\system32\drivers\hidbth.sys
2008-08-21 21:57 . 2007-09-17 04:48   1,261   ---------   C:\WINDOWS\system32\pid.inf
2008-08-21 21:56 . 2008-04-13 20:11   184,832   ---------   C:\WINDOWS\system32\eapp3hst.dll
2008-08-21 21:56 . 2008-04-13 20:11   180,224   ---------   C:\WINDOWS\system32\eapphost.dll
2008-08-21 21:56 . 2008-04-13 20:11   126,976   ---------   C:\WINDOWS\system32\eappcfg.dll
2008-08-21 21:56 . 2008-04-13 20:11   94,208   ---------   C:\WINDOWS\system32\eappgnui.dll
2008-08-21 21:56 . 2006-12-28 15:01   19,569   --a------   C:\WINDOWS\003038_.tmp
2008-08-21 21:55 . 2008-04-13 20:11   650,752   ---------   C:\WINDOWS\system32\dot3ui.dll
2008-08-21 21:55 . 2008-04-13 20:11   132,096   ---------   C:\WINDOWS\system32\dot3svc.dll
2008-08-21 21:55 . 2004-07-17 22:55   129,045   ---------   C:\WINDOWS\system32\drivers\cxthsfs2.cty
2008-08-21 21:55 . 2008-04-13 20:11   15,423   ---------   C:\WINDOWS\system32\drivers\ch7xxnt5.dll
2008-08-21 21:54 . 2008-04-13 14:46   37,888   ---------   C:\WINDOWS\system32\drivers\bthmodem.sys
2008-08-21 21:54 . 2008-04-13 14:46   18,944   ---------   C:\WINDOWS\system32\drivers\bthusb.sys
2008-08-21 21:54 . 2008-04-13 14:46   17,024   ---------   C:\WINDOWS\system32\drivers\bthenum.sys
2008-08-21 21:54 . 2008-04-13 20:11   7,168   ---------   C:\WINDOWS\system32\bitsprx4.dll
2008-08-21 21:51 . 2008-04-13 20:11   4,255   ---------   C:\WINDOWS\system32\drivers\adv01nt5.dll
2008-08-21 21:51 . 2008-04-13 20:11   3,967   ---------   C:\WINDOWS\system32\drivers\adv02nt5.dll
2008-08-21 21:51 . 2008-04-13 20:11   3,775   ---------   C:\WINDOWS\system32\drivers\adv11nt5.dll
2008-08-21 21:51 . 2008-04-13 20:11   3,711   ---------   C:\WINDOWS\system32\drivers\adv09nt5.dll
2008-08-21 21:51 . 2008-04-13 20:11   3,647   ---------   C:\WINDOWS\system32\drivers\adv07nt5.dll
2008-08-21 21:51 . 2008-04-13 20:11   3,615   ---------   C:\WINDOWS\system32\drivers\adv05nt5.dll
2008-08-21 21:51 . 2008-04-13 20:11   3,135   ---------   C:\WINDOWS\system32\drivers\adv08nt5.dll
2008-08-10 12:33 . 2008-08-10 12:33   13,824   --ahs----   C:\WINDOWS\system32\Thumbs.db

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-03 22:16   ---------   d-----w   C:\Program Files\Java
2008-09-03 21:45   ---------   d-----w   C:\Documents and Settings\Marcia\Application Data\Viewpoint
2008-09-03 21:45   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-09-03 01:46   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-27 03:43   ---------   d-----w   C:\Documents and Settings\Marcia\Application Data\Lavasoft
2008-08-27 00:58   ---------   d-----w   C:\Program Files\SpywareBlaster
2008-08-26 01:58   ---------   d-----w   C:\Program Files\HPQ
2008-08-23 20:59   ---------   d-----w   C:\Program Files\A-squared Free
2008-08-23 20:18   ---------   d-----w   C:\Documents and Settings\Marcia\Application Data\LimeWire
2008-08-22 01:11   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Webroot
2008-08-22 01:10   ---------   d-----w   C:\Program Files\Webroot
2008-08-10 16:32   ---------   d-----w   C:\Program Files\Microsoft Works
2008-08-10 16:32   ---------   d-----w   C:\Program Files\Apoint2K
2008-07-27 12:58   ---------   d-----w   C:\Program Files\Diablo II
2008-07-27 12:55   43,520   ----a-w   C:\WINDOWS\system32\CmdLineExt03.dll
2008-07-19 02:10   94,920   ----a-w   C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10   53,448   ----a-w   C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10   45,768   ----a-w   C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10   36,552   ----a-w   C:\WINDOWS\system32\wups.dll
2008-07-19 02:09   563,912   ----a-w   C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09   325,832   ----a-w   C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09   205,000   ----a-w   C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09   1,811,656   ----a-w   C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:26   253,952   ----a-w   C:\WINDOWS\system32\es.dll
2008-07-02 17:26   173,448   ----a-w   C:\WINDOWS\system32\wdfproc.dll
2008-06-24 16:43   74,240   ----a-w   C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57   826,368   ----a-w   C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46   245,248   ----a-w   C:\WINDOWS\system32\mswsock.dll
2008-06-11 00:04   200,704   ----a-w   C:\WINDOWS\system32\ssldivx.dll
2008-06-11 00:04   1,044,480   ----a-w   C:\WINDOWS\system32\libdivx.dll
.

(((((((((((((((((((((((((((((   snapshot@2008-09-03_ 6.42.10.37   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-04-02 18:25:59   19,456   -c--a-w   C:\WINDOWS\system32\dllcache\agt0401.dll
+ 2007-04-02 18:26:00   19,456   -c--a-w   C:\WINDOWS\system32\dllcache\agt040d.dll
+ 2008-04-14 00:09:55   6,144   -c--a-w   C:\WINDOWS\system32\dllcache\kbdinbe1.dll
+ 2008-04-14 00:09:55   6,144   -c--a-w   C:\WINDOWS\system32\dllcache\kbdinben.dll
+ 2008-04-14 00:09:55   6,656   -c--a-w   C:\WINDOWS\system32\dllcache\kbdinmal.dll
- 2008-08-26 12:01:19   291,680   ----a-w   C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-09-04 01:53:54   218,448   ----a-w   C:\WINDOWS\system32\FNTCACHE.DAT
- 2007-03-14 04:31:24   135,168   ----a-w   C:\WINDOWS\system32\java.exe
+ 2008-06-10 05:21:01   135,168   ----a-w   C:\WINDOWS\system32\java.exe
- 2007-03-14 04:31:28   135,168   ----a-w   C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 05:21:04   135,168   ----a-w   C:\WINDOWS\system32\javaw.exe
- 2007-03-14 06:04:46   139,264   ----a-w   C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 06:32:34   139,264   ----a-w   C:\WINDOWS\system32\javaws.exe
+ 2008-09-06 12:11:17   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_5d4.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 159744]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-15 335872]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"ATIModeChange"="Ati2mdxx.exe" [2003-12-08 C:\WINDOWS\system32\Ati2mdxx.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-10-30 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 5562368]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000
"NoUserNameInStartMenu"= 01000000

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
backup=C:\WINDOWS\pss\NkvMon.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a------ 2003-07-17 13:50 184412 C:\Program Files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a------ 2003-11-18 08:31 241664 C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 08:00 208952 C:\WINDOWS\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDUiP6000DMon]
--a------ 2004-05-31 14:26 57344 C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDUiP6000DTskbr]
--a------ 2004-05-28 10:29 69632 C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM(135)

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2004-04-14 5632]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
S3 PhDebug32;PhDebug32;c:\bios\hr60\debug32.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5771962-590f-11dd-b222-00023f6e860f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0b5e03b-baeb-11db-8679-00023f6e860f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-06 13:48:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-09-06 13:51:01
ComboFix-quarantined-files.txt  2008-09-06 17:50:53
ComboFix2.txt  2008-09-03 23:51:29
ComboFix3.txt  2008-09-03 10:43:16

Pre-Run: 22,368,063,488 bytes free
Post-Run: 22,354,870,272 bytes free

269   --- E O F ---   2008-08-27 10:23:13
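As an added triage helper, not part of the thread or of ComboFix itself: a small Python parser for the registry-style sections of a ComboFix log like the one above, collecting the firewall-authorized programs, the globally open ports and the drive AutoRun commands so each can be checked by hand. SAMPLE_LOG is a constructed excerpt modelled on the posted entries, and the section layout it assumes is the one visible in the log above.

```python
"""Added example (not from the thread): pull the review-worthy entries out of
a ComboFix log laid out like the one posted above. ComboFix prints registry
data as a bracketed key header followed by its values, and mountpoints2
AutoRun handlers as '\\Shell\\AutoRun\\command - <cmd>'. SAMPLE_LOG is a
constructed excerpt modelled on the posted log."""
import re
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM(135)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
"""

def parse_sections(text):
    """Return {key_header: [value lines]}; a lone '.' line ends a section."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif line == ".":
            current = None
        elif current and line.strip():
            sections[current].append(line)
    return sections

def triage(text):
    """Pick out firewall exceptions, open ports and AutoRun handlers."""
    report = {"authorized_apps": [], "open_ports": [], "autorun": []}
    for key, values in parse_sections(text).items():
        low = key.lower()
        if low.endswith("authorizedapplications\\list"):
            for v in values:  # '"path"=' lines, with doubled backslashes
                m = re.match(r'"(.+)"=', v)
                if m:
                    report["authorized_apps"].append(m.group(1).replace("\\\\", "\\"))
        elif low.endswith("globallyopenports\\list"):
            report["open_ports"] += [v.split("=", 1)[1].strip() for v in values if "=" in v]
        elif "\\mountpoints2\\" in low:
            mount = key.rsplit("\\", 1)[1]  # drive letter or volume GUID
            for v in values:
                m = re.match(r"\\Shell\\AutoRun\\command - (.+)", v)
                if m:
                    report["autorun"].append((mount, m.group(1)))
    return report
```

Run `triage(open("ComboFix.txt").read())` against a real log; every AutoRun command and open port it lists is something to verify as expected rather than assume is malicious.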

Offline guestolo

downloaded virus
« Reply #11 on: September 06, 2008, 12:52:35 PM »
I forgot that your son changed some settings in the bios
Did he set the bios back to Default settings?

You should test the harddrive however
Here are the instructions >> Steps 1 to 6
http://h10025.www1.hp.com/ewfrf/wc/documen...;product=385148

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Marcia

downloaded virus
« Reply #12 on: September 06, 2008, 01:49:45 PM »
Yes, the default settings are in place.  I ran both HDD tests and they passed.  I don't understand why I still need to press F1 to boot Windows.  Other than that, everything is working perfectly....hats off to you.

Offline guestolo

downloaded virus
« Reply #13 on: September 06, 2008, 02:17:21 PM »
I'll assume that this Laptop does not have a floppy drive

Ensure that you have no discs in your CD/DVD drive
If you do, remove them and try rebooting and see if you're prompted to F1

If not, can you enter the bios
Let me know what the boot order is set to please
Should be located under the Advanced menu



Offline Marcia

downloaded virus
« Reply #14 on: September 06, 2008, 03:52:06 PM »
My boot order is

Floppy Diskette Drive
ATAPI CD-ROM Drive
Hard Drive
Network Adapter

I have tried putting the Hard Drive first but that didn't work.  My pc has the option of changing the boot order by pressing ESC when the pc is turned on and that's when I get the imminent HD failure message.  Is that screen different than when I enter into the BIOS settings and change it from there?

Offline guestolo

downloaded virus
« Reply #15 on: September 06, 2008, 05:10:11 PM »
Can you enter the BIOS and set to CD rom drive first then Harddrive second

In addition, you said the following
Quote: "I ran both HDD tests and they passed."

According to HP site, the following tests should be done
Quote: "A Quick test, a Comprehensive test and a SMART test will execute when the Enter key is pressed."

Did all those tests run?



Offline Marcia

downloaded virus
« Reply #16 on: September 06, 2008, 07:33:35 PM »
My BIOS utility doesn't show the option for a SMART test so I went onto the HP website and ran the diagnostic tests from there.  Everything passed except I got the same message about an imminent hard drive failure.

I'm not sure whether to purchase an external hard drive and copy all my information, seeing that I don't want to lose any of my programs, and install a new hard drive.....or....should I consider backing up my information anyway, get a new pc, and copy everything back onto the new pc.  Which option makes more sense.  I completely understand you don't want to tell me what to do but if you were in my situation, what would you do?

Also, I went online and came across the following suggestion: put in one of the XP CDs (not the recovery CD), go to the recovery console and enter FIXMBR and then try FIXBOOT. Is that a possibility?

Offline guestolo

downloaded virus
« Reply #17 on: September 06, 2008, 08:20:39 PM »
It's possible that a Fixmbr may fix the problem
But I think you should also run a Chkdsk on your drive
This can take some time

Double click on the My Computer icon
Right click on your C: drive and select Properties

Select TOOLS in the menu bar
Under Error Checking select "Check Now"
and then put a tick on both selections under "Check disk options"
Then click START

You should be prompted that it will schedule a scan on next startup
Reboot and let the scan finish
Post back if it found errors and if it couldn't repair any of the sectors

In addition, do you know what settings your son changed in the BIOS?
It could be that something was changed to cause the F1, if this only started after bios configurations

In the bios, there may be a setting to either Load defaults or Reset Configuration Data
You may have to choose that option and ensure to save the changes
« Last Edit: September 06, 2008, 08:29:15 PM by guestolo »



Offline Marcia

downloaded virus
« Reply #18 on: September 07, 2008, 06:42:49 AM »
I have loaded the default settings on two separate occasions and still I have to press F1.  

I ran checkdisk and it came back clean.

I think my next step will be using the recovery console and running both FIXMBR and FIXBOOT.

I mentioned earlier about my options and you didn't respond.  Considering cost, copying and installation times, which one would be more to my benefit....copy all my info and replace the HDD or copy all my info onto a new pc?  I think one of my main questions is if I reinstall Windows XP on my pc will it fix the problem with the hard drive?  or is the hard drive mechanically no good?

Offline guestolo

downloaded virus
« Reply #19 on: September 07, 2008, 09:56:56 AM »
You should backup important files/folders as it is good practice
If something does go wrong, you may lose all your information

So with that said, having something like an External harddrive would do as you can keep a copy of important documents to it
You can also just backup to CD's

What I'm curious about is that the Harddrive tests all passed
I don't know what tests they ran, as all BIOS options are a bit different

Can you enter the BIOS? Is there an option to disable the floppy disk?
On my laptop I go directly into the Boot order and disable it from there
Yours might be in a different location
You may even see something like Onboard FDC Controller

Do you have any other external devices attached to the laptop?
