
Svchost Using More Than Usual


This topic is locked
14 replies to this topic

#1 jimmiechipz

jimmiechipz

    TEG Forum Member

  • Members
  • 57 posts
  • Gender:Male
  • Location:Dallas, TX

Posted 12 July 2008 - 06:09 PM

Hi, I have a big problem. I thought I had a virus, so I installed Kaspersky, which identified svchost as an invader. It blocked several attempts to access other files, causing legit programs to not work. So I ran a repair operation with my XP CD, and the problem still exists. Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:23:20 PM, on 7/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\OSD.EXE
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\SoftwareDistribution\Download\64ed0a1c038340f7dcd71548187888e1\update\update.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\MpcStar\Codecs\Real\RCAPlugins\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Enable Belkin Wireless Keyboard Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
O4 - Global Startup: Enable Belkin Wireless Mouse Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1215897751446
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1198982953281
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 14264 bytes


Any advice?
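A log like the one above can be screened mechanically for the entry classes that a HijackThis reviewer looks at first. The script below is an added example, not code from this thread or from HijackThis itself: it flags O2/O3/O9/O23 entries whose file is gone ("(no file)" / "(file missing)"), an O4 Run value that is a bare executable name with no directory, MSConfig running at logon, and, as an extra check I added for the reader to verify by hand, O23 services with no vendor string. The sample lines are copied from the first log in this thread.

```python
"""Triage a HijackThis 2.0 log for the entries a reviewer checks first.

Added example (not code from the thread or from HijackThis): it flags
O2/O3/O9/O23 items whose file is gone, an O4 Run value that is a bare
executable name, MSConfig running at logon, and (an assumed extra check)
O23 services with no vendor string.
"""
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str]  # (section, reason, original line)

# Sample input: lines copied from the thread's first HijackThis log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
"""

ORPHAN_MARKERS = ("(no file)", "(file missing)")
# O4 Run lines: "O4 - <hive>\..\Run: [<name>] <command>"
O4_RUN = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def executable_of(cmd: str) -> str:
    """Return the program part of a Run value: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_line(line: str) -> Optional[Finding]:
    """Classify one log line; None means nothing worth a second look."""
    line = line.rstrip()
    if " - " not in line:
        return None
    section = line.split(" - ", 1)[0]
    if section in ("O2", "O3", "O9", "O23") and line.endswith(ORPHAN_MARKERS):
        return (section, "orphan: entry points at a file that no longer exists", line)
    if section == "O23" and " - Unknown owner - " in line:
        return (section, "service has no vendor string: verify the binary by hand", line)
    if section == "O4":
        m = O4_RUN.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if exe.lower().endswith("msconfig.exe"):
                return (section, "MSConfig at logon: Selective/Diagnostic startup is in use", line)
            if "\\" not in exe and ":" not in exe:
                return (section, "bare executable name, resolved through PATH at logon", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line and keep the hits, in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for section, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Feed it a saved hijackthis.log via `triage_log(open(path).read())`; orphaned entries are safe to fix because nothing is left on disk for them to load, while a bare executable name in Run only tells you that Windows will search PATH for it at logon, so the file itself still has to be located and judged.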


#2 quietman7

quietman7

    Elder Janitor & Bug Exterminator

  • Admin
  • 11,370 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 July 2008 - 06:11 AM

Did Kaspersky provide a specific file name associated with this malware threat, and if so, where is it located (full file path) on your system?

Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix". This program is for Windows 2000/XP ONLY.
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
-- Disconnect from the Internet and temporarily disable your anti-virus and any anti-malware real time protection before performing a scan.

When done, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply. Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Instructions with screenshots if needed.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Please temporarily disable any anti-spyware programs you are using which are listed here so they will not interfere with the entries we will be fixing in HijackThis.

Run HijackThis, and press "Scan." When the scan is complete place a check mark next to the following entries (if they are still present): (Please be careful and do not check any other boxes)

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)


After checking these items CLOSE ALL open windows except HijackThis and click "Fix Checked" to remove the entries you checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, close HijackThis and reboot your computer normally.

Your log shows that MSConfig is running at startup. This indicates that you have disabled (unchecked) an item(s) in the Startup group and are using "Selective Startup" or "Diagnostic Startup" rather than "Normal Startup". Malware can also run from this group, and it is possible that you disabled an entry that will not show up in your HijackThis log. In order to see what is listed there and ensure no malware is present, please do this:

1. Open Notepad and copy/paste the code box below into a new text file.
REM Write a fallback line first; it stays in place if regedit finds no such key
echo doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg >msconfig.txt
REM Export the key where MSConfig stores the startup items you have unchecked
regedit /a msconfig.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
REM Open the resulting text file in its default viewer (Notepad)
msconfig.txt
2. Save the file as msconfig.bat by choosing save as *all files, and save it to your Desktop.
3. Locate msconfig.bat on your Desktop and double-click on it to run the program.
4. When done, it will create a file named msconfig.txt on your Desktop and notepad will open with a list of disabled startup entries in MSConfig.
5. Copy/Paste that text log in your next reply.

Reports/logs to post in your next reply:
* Report.txt <- SDFix report
* MBAM report log
* msconfig.bat
* A fresh HijackThis log
Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
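The msconfig.txt that the batch file in the steps above produces is a REGEDIT4 text export, so the disabled entries can be listed without reading raw registry syntax. The script below is an added example, not code from this thread: it parses that export, handles the "doesn't exist ..." fallback line the batch file leaves when the key is absent, and applies one reviewer heuristic (programs living under a Temp or RECYCLER directory). The value names it expects (key, item, hkey, command, inimapping, YEAR, MONTH, ...) are the ones XP's MSConfig writes per unchecked item; the sample export is constructed, its first entry modelled on the Sonic UpdateManager Run entry in the thread's first log and its second a made-up placeholder, not anything from the thread.

```python
"""Read the msconfig.txt produced by `regedit /a` on MSConfig's startupreg key.

Added example, not code from the thread. The value layout (key, item, hkey,
command, inimapping, YEAR, MONTH, ...) is what XP's MSConfig writes for
each unchecked startup item; the sample below is constructed.
"""
import re
from typing import Dict, List

STARTUPREG = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
SECTION = re.compile(r"^\[(?P<path>.+)\]$")
VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.*)$')

# Constructed sample in the shape regedit /a emits (string values escape backslashes and quotes).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\UpdateManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"inimapping"="0"
"YEAR"=dword:000007d8
"MONTH"=dword:00000007

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PlaceholderLoader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PlaceholderLoader"
"hkey"="HKCU"
"command"="C:\\DOCUME~1\\OWNER\\LOCALS~1\\Temp\\placeholder.exe"
"inimapping"="0"
"""


def decode_reg_string(raw: str) -> str:
    """Decode a REGEDIT4 value: quoted strings carry \\ and \" escapes;
    other kinds (dword:..., hex:...) are returned verbatim."""
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        return raw
    body, out, i = raw[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append(body[i + 1])  # escaped backslash or quote
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def parse_startupreg(text: str) -> List[Dict[str, str]]:
    """Return one dict per disabled entry, in file order: the subkey name
    under "name" plus every exported value, decoded."""
    if text.lstrip().lower().startswith("doesn't exist"):
        return []  # the batch file's echo line survived: key absent, nothing disabled
    prefix = (STARTUPREG + "\\").lower()
    entries: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION.match(line)
        if sec:
            path = sec.group("path")
            if path.lower().startswith(prefix):
                current = {"name": path[len(prefix):]}
                entries.append(current)
            else:
                current = None  # the root key itself, or an unrelated key
            continue
        val = VALUE.match(line)
        if val and current is not None:
            current[val.group("name")] = decode_reg_string(val.group("raw"))
    return entries


UNUSUAL_DIRS = ("\\temp\\", "\\recycler\\")


def flag_unusual_locations(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Reviewer heuristic: a disabled entry whose program lives in a scratch
    directory deserves a closer look before anything is re-enabled."""
    return [e for e in entries if any(d in e.get("command", "").lower() for d in UNUSUAL_DIRS)]


if __name__ == "__main__":
    found = parse_startupreg(SAMPLE_EXPORT)
    for e in found:
        print(f'{e["name"]:20} {e.get("hkey", "?"):5} {e.get("command", "")}')
    for e in flag_unusual_locations(found):
        print("review:", e["name"])
```

Run it as `parse_startupreg(open("msconfig.txt").read())` on the file the batch script leaves on the Desktop; an entry in this list is not running, but it is exactly the kind of item that never appears in a HijackThis O4 line, which is why the thread asks for the export.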

#3 jimmiechipz

jimmiechipz

    TEG Forum Member

  • Members
  • 57 posts
  • Gender:Male
  • Location:Dallas, TX

Posted 13 July 2008 - 10:02 PM

Thanks for the speedy reply. I'll give it a shot and reply soon.

#4 quietman7

quietman7

    Elder Janitor & Bug Exterminator

  • Admin
  • 11,370 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 14 July 2008 - 10:33 AM

Ok. Don't forget to post the logs I requested.

#5 jimmiechipz

jimmiechipz

    TEG Forum Member

  • Members
  • 57 posts
  • Gender:Male
  • Location:Dallas, TX

Posted 14 July 2008 - 09:24 PM

Okay, here we go. There are a few changes since my last post. I switched to McAfee, and I couldn't get into safe mode; my CPU kept freezing at "document........windows\system32\drivers\agp440.sys"

But here's the rest of it.

DSS report:

Deckard's System Scanner v20071014.68
Run by Compaq_Owner on 2008-07-14 20:13:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
13: 2008-07-15 01:14:07 UTC - RP13 - Deckard's System Scanner Restore Point
12: 2008-07-14 12:32:50 UTC - RP12 - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
11: 2008-07-14 03:12:45 UTC - RP11 - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
10: 2008-07-13 22:56:40 UTC - RP10 - Removed Kaspersky Anti-Virus 7.0.
9: 2008-07-13 19:26:40 UTC - RP9 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-07-12 21:11:54 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 11.7 GiB (less than 15%) free.


-- HijackThis (run as Compaq_Owner.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:03 PM, on 7/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\OSD.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Compaq_Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\MpcStar\Codecs\Real\RCAPlugins\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-21-34214103-2451079910-3483301754-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-34214103-2451079910-3483301754-500\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User 'Administrator')
O4 - HKUS\S-1-5-21-34214103-2451079910-3483301754-500\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User 'Administrator')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Enable Belkin Wireless Keyboard Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
O4 - Global Startup: Enable Belkin Wireless Mouse Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1215897751446
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1198982953281
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: McAfee Application Installer Cleanup (0283471216052780) (0283471216052780mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\028347~1.EXE (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 15008 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080713-213335-338 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20080713-213335-524 O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
backup-20080713-213335-568 O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6145\SiteAdv.dll
backup-20080713-213335-788 O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
backup-20080713-213335-871 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe ,
backup-20080713-213732-225 O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 timounter (Acronis True Image Backup Archive Explorer) - c:\windows\system32\drivers\timntr.sys <Not Verified; Acronis; Acronis True Image>
R1 kbfilter (Keyboard Filter Driver) - c:\windows\system32\drivers\kbfilter.sys <Not Verified; WayTech Development, Inc.; Keyboard filter driver>
R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.10.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.10.0>
R2 tifsfilter (Acronis True Image FS Filter) - c:\windows\system32\drivers\tifsfilt.sys <Not Verified; Acronis; Acronis True Image>

S0 BootScreen - c:\windows\\systemroot\system32\drivers\vidstub.sys (file missing)
S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S3 CA561 (ICatch (VI) PC Camera) - c:\windows\system32\drivers\spca561.sys <Not Verified; SP; Microsoft® Windows NT® Operating System>
S3 TSP - c:\windows\system32\drivers\klif.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 LinksysUpdater (Linksys Updater) - "c:\program files\linksys\linksys updater\bin\linksysupdater.exe" -s "c:\program files\linksys\linksys updater\conf\wrapper.conf"
R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe
R2 PLFlash DeviceIoControl Service - c:\windows\system32\ioctlsvc.exe <Not Verified; Prolific Technology Inc.; IoctlSvc Application>

S2 0283471216052780mcinstcleanup (McAfee Application Installer Cleanup (0283471216052780)) - c:\windows\temp\028347~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service (file missing)
S3 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 WLSetupSvc (Windows Live Setup Service) - "c:\program files\windows live\installer\wlsetupsvc.exe" <Not Verified; Microsoft Corporation; Windows Live installer>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-14 19:51:01 268 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-07-13 17:59:33 364 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2008-07-13 17:59:32 366 --a------ C:\WINDOWS\Tasks\McQcTask.job
2008-06-27 08:40:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-14 and 2008-07-14 -----------------------------

2008-07-14 11:26:16 0 d-------- C:\WINDOWS\LastGood
2008-07-13 22:13:48 0 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-07-13 22:12:52 0 d-------- C:\Program Files\Common Files\iS3
2008-07-13 22:12:51 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-07-13 21:02:14 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Malwarebytes
2008-07-13 21:02:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-13 21:02:10 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-13 18:02:46 0 d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-07-13 18:02:39 0 d-------- C:\Program Files\SiteAdvisor
2008-07-13 18:02:39 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SiteAdvisor
2008-07-13 18:01:30 143360 --a------ C:\WINDOWS\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2008-07-13 17:59:11 0 d-------- C:\Program Files\McAfee.com
2008-07-13 17:59:04 0 d-------- C:\Program Files\Common Files\McAfee
2008-07-13 17:58:57 0 d-------- C:\Program Files\McAfee
2008-07-13 15:59:46 0 d-------- C:\WINDOWS\$SQLUninstallSQL2000-KB948110-v8.00.2050-x86-ENU$
2008-07-13 14:02:04 0 d-------- C:\WINDOWS\Prefetch
2008-07-12 17:22:48 0 d-------- C:\Program Files\Trend Micro
2008-07-09 21:24:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-09 21:24:27 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-07-09 20:42:44 590848 --a------ C:\General_Removal.exe <Not Verified; Yaman; GeneralVirusRemoval>
2008-07-09 20:30:15 0 d-a------ C:\WINDOWS\zts2.exe
2008-07-09 20:30:15 0 d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2008-07-09 20:30:15 0 d-a------ C:\WINDOWS\system32\systems.txt
2008-07-09 20:30:15 0 d-a------ C:\WINDOWS\system32\iifgfgf.dll
2008-07-09 20:30:15 0 d-a------ C:\WINDOWS\rundll16.exe
2008-07-09 20:30:15 0 d-a------ C:\WINDOWS\rundl132.dll
2008-07-09 20:30:15 0 d-a------ C:\WINDOWS\logo1_.exe
2008-07-08 22:02:02 3038 --a------ C:\fix_svchost.bat
2008-07-07 23:10:39 0 d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-07-07 21:19:37 0 d---s---- C:\Documents and Settings\Administrator\UserData
2008-07-07 21:16:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-07-07 21:16:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-07-07 21:13:09 1324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-07 15:45:11 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-07-07 15:45:11 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-07 15:45:11 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-07-07 15:45:11 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-07 15:45:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-07-07 15:45:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-07-07 15:45:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-07-07 15:45:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-07-07 15:45:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-07-07 15:45:11 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-07 15:45:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Intervideo
2008-07-07 15:45:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-07-07 15:45:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-07-07 15:45:10 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-07-07 15:45:10 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-07 15:45:10 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-07 15:45:10 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-07 15:45:10 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-07-07 15:45:10 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-07 15:45:10 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-07 15:45:10 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-07-07 15:45:10 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-07 15:45:09 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-06 06:58:33 0 d-------- C:\WINDOWS\dell
2008-07-02 22:52:41 0 d-------- C:\kav
2008-06-30 07:56:27 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\U3
2008-06-29 19:32:39 0 d-------- C:\Program Files\WebEx
2008-06-29 19:27:56 0 d-------- C:\Documents and Settings\LocalService\Application Data\Sun
2008-06-29 19:26:53 0 d-------- C:\Program Files\Common Files\Pure Networks Shared
2008-06-29 19:26:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Pure Networks
2008-06-29 19:11:29 0 d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-06-29 19:11:22 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVGTOOLBAR
2008-06-29 19:11:19 0 d-------- C:\Documents and Settings\LocalService\Application Data\IEPro
2008-06-29 19:11:19 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-06-29 19:11:18 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-06-29 19:08:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Linksys
2008-06-29 19:08:21 0 d-------- C:\Program Files\Linksys
2008-06-28 19:54:03 0 d-------- C:\WINDOWS\Logs
2008-06-28 19:33:15 0 d-------- C:\Program Files\XP Codec Pack
2008-06-22 19:25:43 0 d-------- C:\Program Files\VistaCodecPack
2008-06-22 19:05:27 0 d-------- C:\Documents and Settings\All Users\Application Data\VistaCodecs


-- Find3M Report ---------------------------------------------------------------

2008-07-13 22:28:23 29409 --a------ C:\WINDOWS\hpoins03.dat
2008-07-13 22:12:52 0 d-------- C:\Program Files\Common Files
2008-07-13 13:56:04 0 d-------- C:\Program Files\Movie Maker
2008-07-13 13:52:36 0 d-------- C:\Program Files\Windows NT
2008-07-12 17:06:28 0 d-------- C:\Program Files\Yahoo!
2008-07-12 16:22:02 0 d-------- C:\Program Files\Webshots
2008-07-12 16:18:18 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Yahoo!
2008-07-12 15:51:21 23444 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-06-29 19:25:45 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-29 19:08:12 0 d-------- C:\Program Files\Java
2008-06-28 20:08:38 0 d-------- C:\Program Files\IEPro
2008-06-28 19:21:33 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\IEPro
2008-06-19 23:44:01 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\OpenOffice.org2
2008-06-13 21:24:50 0 d-------- C:\Program Files\Wild Tangent
2008-06-12 11:25:06 962560 --a------ C:\WINDOWS\system32\VSFilter.dll <Not Verified; Gabest; VSFilter>
2008-06-09 00:06:48 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\AVGTOOLBAR
2008-06-08 16:15:21 0 d-------- C:\Program Files\DivX
2008-06-08 16:04:30 0 d-------- C:\Program Files\QuickTime
2008-06-01 15:54:16 0 d-------- C:\Program Files\NeroInstall.bak
2008-06-01 15:52:07 0 d-------- C:\Program Files\Common Files\Nero
2008-06-01 13:16:58 0 d-------- C:\Program Files\Overland
2008-05-30 21:00:49 0 d-------- C:\Program Files\Messenger
2008-05-30 20:12:42 0 d-------- C:\Program Files\Belkin
2008-05-30 18:22:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 18:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 18:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 18:22:46 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 18:22:46 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-22 20:32:36 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\TigerPlayer
2008-05-22 17:22:18 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 17:19:46 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-22 17:19:46 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-22 17:18:54 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
11/26/2007 10:46 AM 324936 --a------ c:\PROGRA~1\mcafee\msk\mcapbho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [03/08/2005 05:33 AM C:\WINDOWS\system32\VTTimer.exe]
"TkBellExe"="C:\Program Files\MpcStar\Codecs\Real\RCAPlugins\realsched.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [04/14/2004 10:43 PM]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [05/16/2008 06:11 AM]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [02/28/2008 09:59 AM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [02/18/2008 04:29 PM]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [10/14/2004 11:54 PM]
"Logitech Utility"="Logi_MwX.Exe" [12/17/2003 09:50 AM C:\WINDOWS\LOGI_MWX.EXE]
"KBD"="C:\HP\KBD\KBD.EXE" [02/11/2003 10:02 PM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [08/21/2004 12:55 AM]
"DiscWizardMonitor.exe"="C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" [04/19/2007 09:24 PM]
"BootSkin Startup Jobs"="C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [04/26/2004 05:21 PM]
"AcronisTimounterMonitor"="C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe" [04/19/2007 09:38 PM]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [04/19/2007 09:29 PM]
"PS2"="C:\WINDOWS\system32\ps2.exe" [09/12/2003 10:13 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [06/21/2007 03:06 PM]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [11/30/2007 05:42 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 07:12 PM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/13/2006 01:39 PM]

C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [12/30/2007 3:29:55 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Enable Belkin Wireless Keyboard Driver.lnk - C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe [12/31/2007 9:53:50 AM]
Enable Belkin Wireless Mouse Driver.lnk - C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe [12/31/2007 9:53:52 AM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [9/16/2003 6:19:24 AM]
Icatch(VI) SnapDetect.lnk - C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe [12/30/2007 11:45:54 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
dxdllreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LELA]
"C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower]
Rundll32.exe SiSPower.dll,ModeAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
AutoRun\command- K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12a17bdc-bc3b-11dc-a2aa-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8930ef08-b67d-11dc-8fcd-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d578f172-fd5d-11dc-8cba-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6909d3f-b68b-11dc-8fd4-0011d821a36c}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - SITEADVISOR_SERVICE



-- End of Deckard's System Scanner: finished at 2008-07-14 20:19:05 ------------


mbam 1:

Malwarebytes' Anti-Malware 1.20
Database version: 948
Windows 5.1.2600 Service Pack 3

9:22:01 PM 7/13/2008
mbam-log-7-13-2008 (21-22-01).txt

Scan type: Quick Scan
Objects scanned: 62389
Time elapsed: 14 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


mbam 2:


Malwarebytes' Anti-Malware 1.20
Database version: 948
Windows 5.1.2600 Service Pack 3

9:14:18 PM 7/14/2008
mbam-log-7-14-2008 (21-14-17).txt

Scan type: Quick Scan
Objects scanned: 52771
Time elapsed: 9 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:26 PM, on 7/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\snmp.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\OSD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\MpcStar\Codecs\Real\RCAPlugins\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Enable Belkin Wireless Keyboard Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
O4 - Global Startup: Enable Belkin Wireless Mouse Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1215897751446
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1198982953281
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: McAfee Application Installer Cleanup (0283471216052780) (0283471216052780mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\028347~1.EXE (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 14472 bytes


The End

#6 jimmiechipz

Posted 14 July 2008 - 09:26 PM

Oh I forgot the msconfig one

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\!AVG Anti-Spyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgas"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Adobe Reader Speed Launcher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Reader_sl"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AGRSMMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AGRSMMSG"
"hkey"="HKLM"
"command"="AGRSMMSG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AlcxMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCXMNTR"
"hkey"="HKLM"
"command"="ALCXMNTR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DXDllRegExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dxdllreg"
"hkey"="HKLM"
"command"="dxdllreg.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\GrooveMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GrooveMonitor"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Component Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpcmpmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\hpsysdrv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpsysdrv"
"hkey"="HKLM"
"command"="c:\\windows\\system\\hpsysdrv.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LELA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Linksys EasyLink Advisor"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Linksys\\Linksys EasyLink Advisor\\Linksys EasyLink Advisor.exe\" /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SiSPower]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Rundll32"
"hkey"="HKLM"
"command"="Rundll32.exe SiSPower.dll,ModeAgent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\UpdateManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"inimapping"="0"
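MSConfig keeps the startup items that have been unticked under HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg, one subkey per item, so none of the entries in this export runs at logon until it is re-enabled, at which point MSConfig writes the command back to the hive and Run key recorded in that subkey. The parser below is an added example (not MSConfig's own code and not from this thread) that reads an export in this REGEDIT4 form and lists, for each disabled item, the registry value it would be restored to and whether its command names a bare executable that Windows would locate by PATH search. The embedded sample is three of the subkeys from the export above.

```python
"""Parse an MSConfig 'startupreg' export (REGEDIT4 format) and list each
disabled startup item with the value MSConfig recreates on re-enable.
Added example; not MSConfig's code and not from the thread."""
import re
from dataclasses import dataclass

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

# Three subkeys copied from the export posted in this thread.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\!AVG Anti-Spyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgas"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AGRSMMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AGRSMMSG"
"hkey"="HKLM"
"command"="AGRSMMSG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SiSPower]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Rundll32"
"hkey"="HKLM"
"command"="Rundll32.exe SiSPower.dll,ModeAgent"
"inimapping"="0"
'''


@dataclass
class DisabledItem:
    label: str        # subkey name under ...\MSConfig\startupreg
    restore_to: str   # registry value MSConfig recreates when re-enabled
    command: str      # command line that would then run at logon

    def uses_path_search(self) -> bool:
        """True when the command names a bare executable with no directory."""
        cmd = self.command.strip()
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        return bool(exe) and "\\" not in exe


def unescape(value: str) -> str:
    """REGEDIT4 string values escape backslash and double quote with a backslash."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_startupreg(text: str) -> list:
    """Return one DisabledItem per subkey that carries key/item/hkey/command values."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = {"_label": km.group("key").rsplit("\\", 1)[-1]}
            blocks.append(current)
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            current[vm.group("name")] = unescape(vm.group("value"))
    items = []
    for b in blocks:
        if not {"key", "item", "hkey", "command"}.issubset(b):
            continue  # the startupreg root key itself carries no values
        hive = HIVES.get(b["hkey"], b["hkey"])
        items.append(DisabledItem(b["_label"], f"{hive}\\{b['key']}\\{b['item']}", b["command"]))
    return items


if __name__ == "__main__":
    for item in parse_startupreg(SAMPLE_EXPORT):
        flag = "  (bare executable, PATH search)" if item.uses_path_search() else ""
        print(f"{item.label}\n    -> {item.restore_to}\n    {item.command}{flag}")
```

Two of the three sample items (AGRSMMSG.exe and Rundll32.exe ...) name their executable without a directory, so if they were re-enabled, whichever file of that name is found first along the PATH would run.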

#7 quietman7

quietman7

    Elder Janitor & Bug Exterminator

  • Admin
  • 11,370 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 July 2008 - 07:39 AM

Please temporarily disable any anti-spyware programs you are using which are listed here so they will not interfere with the entries we will be fixing in HijackThis.

Run HijackThis, and press "Scan." When the scan is complete place a check mark next to the following entries (if they are still present): (Please be careful and do not check any other boxes)

O23 - Service: McAfee Application Installer Cleanup (0283471216052780) (0283471216052780mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\028347~1.EXE (file missing)

After checking these items CLOSE ALL open windows except HijackThis and click "Fix Checked" to remove the entries you checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, close HijackThis and reboot your computer normally.

Please download OTMoveIt2 by OldTimer and save to your Desktop.
  • Double-click on OTMoveIt2.exe to launch the program.
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the quote box and press CTRL+C or right-click and choose Copy.

[kill explorer]
C:\WINDOWS\zts2.exe
C:\WINDOWS\system32\vcmgcd32.dll
C:\WINDOWS\system32\systems.txt
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundl132.dll
C:\WINDOWS\logo1_.exe
[start explorer]

  • Return to OTMoveIt2, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.


Please print out and follow these instructions: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!

Be sure to install the Recovery Console first or download the appropriate XP Setup boot disks for your operating system if you don't have an XP CD. The Windows recovery console will allow you to boot up into a special recovery (repair) mode should your computer have a problem after an attempted removal of malware. Once installed, you should see a blue screen prompt that says: The Recovery Console was successfully installed.
  • Very Important! Temporarily disable your anti-virus and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive.
  • Make sure Combofix has been saved directly to your Desktop <- (Important!)
  • Close your browser and disconnect from the Internet.
  • When you have completed all instructions and have run ComboFix, a log will automatically be created and saved to C:\ComboFix.txt.
  • Please copy and paste the contents of ComboFix.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- Do not touch your mouse/keyboard until the Combofix scan has completed, as this may cause the process to stall or your computer to lock.
-- Combofix will temporarily disable your desktop, and if interrupted may leave it disabled. If this occurs, please reboot to restore it.
-- Combofix disconnects your machine from the Internet so if you did not disconnect, you may lose your connection. The connection is automatically restored before ComboFix completes its run. If ComboFix runs into difficulty and terminates prematurely, the connection can be restored by restarting your machine.
-- Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security.


Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.


Reports/logs to post in your next reply:
* OTMoveIt log
* ComboFix.txt
* A fresh HijackThis log

Note: Issues with agp440.sys loading in safe mode are a known problem.

If you try to restart your computer in Safe mode, your computer may stop responding (hang) when Windows XP tries to load the Agp440.sys service...This issue may occur if Windows XP tries to use an incompatible motherboard chipset video driver during startup.

Problems when Windows XP tries to load the Agp440.sys service
Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
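The one HijackThis entry the helper singles out above is the O23 service with no owner, a binary under C:\WINDOWS\TEMP and "(file missing)", and the OTMoveIt list carries names such as rundl132.dll that imitate rundll32. The script below is an added example for this thread, not HijackThis code and not the helper's own method: it parses HijackThis log lines of the kind posted earlier and flags them with those heuristics, which are assumptions of mine rather than published rules (unknown owner, missing file or temp-directory path on O23 services; bare executable names on O4 Run entries; O16 DPF entries with no download URL; digit-for-letter lookalikes of system binary names anywhere). The sample log is a handful of lines copied from the log in this thread plus one constructed O4 line (svch0st.exe) to exercise the lookalike check.

```python
"""Triage a HijackThis v2 log the way a removal helper reads it.
Added example; the heuristics are assumptions, not HijackThis's own logic."""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
TEMP_DIRS = ("\\windows\\temp\\", "\\temp\\", "\\tmp\\")
SYSTEM_BINARIES = ("rundll32", "svchost", "explorer", "lsass", "csrss", "winlogon", "services")
EXE_EXTS = (".exe", ".dll", ".com", ".sys", ".scr")

# Lines copied from the log in this thread; the [svchost] line is constructed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svch0st.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O23 - Service: McAfee Application Installer Cleanup (0283471216052780) (0283471216052780mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\028347~1.EXE (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
"""


@dataclass
class Finding:
    kind: str       # HijackThis section, e.g. "O23"
    reasons: list   # why the entry was flagged
    line: str       # the log line as written


def normalize(stem: str) -> str:
    """Undo the digit-for-letter swaps seen in lookalike names (rundl132, svch0st)."""
    return stem.lower().replace("1", "l").replace("0", "o")


def lookalikes(text: str) -> list:
    """File names in text that normalise to a system binary name but are not spelled like it."""
    hits = []
    for tok in re.split(r'[\\/\s"\[\]]+', text):
        if not tok.lower().endswith(EXE_EXTS):
            continue
        stem = tok.rsplit(".", 1)[0].lower()
        for real in SYSTEM_BINARIES:
            if stem != real and normalize(stem) == real:
                hits.append(f"{tok} is a lookalike of {real}")
    return hits


def o4_reasons(body: str) -> list:
    """O4 body looks like 'HKLM\\..\\Run: [name] command'."""
    m = O4_RE.search(body)
    if not m:
        return []
    cmd = m.group("cmd").strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return ["Run entry names a bare executable (resolved by PATH search order)"] if exe and "\\" not in exe else []


def o16_reasons(body: str) -> list:
    """O16 body looks like 'DPF: {CLSID} (Name) - URL or file'."""
    _, _, target = body.partition(" - ")
    return ["ActiveX control with no download URL or file"] if not target.strip() else []


def o23_reasons(body: str) -> list:
    """O23 body looks like 'Service: Name (Short) - Owner - Path [(file missing)]'."""
    parts = body[len("Service: "):].rsplit(" - ", 2)
    if len(parts) != 3:
        return []
    _, owner, path = parts
    reasons = []
    if owner.strip().lower() == "unknown owner":
        reasons.append("unknown owner")
    if path.rstrip().endswith("(file missing)"):
        reasons.append("file missing")
    return reasons


PER_KIND = {"O4": o4_reasons, "O16": o16_reasons, "O23": o23_reasons}


def triage(log_text: str) -> list:
    """Return a Finding for every entry that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        reasons = PER_KIND.get(kind, lambda _: [])(body)
        reasons += lookalikes(body)
        if any(t in body.lower() for t in TEMP_DIRS):
            reasons.append("binary under a temp directory")
        if reasons:
            findings.append(Finding(kind, reasons, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {'; '.join(f.reasons)}\n    {f.line}")
```

"Unknown owner" on its own is weak evidence (two legitimate services in the same log carry it, and it only means the binary has no company name in its version resource); it is the combination with a temp-directory path, a random numeric service name and a missing file that singles the cleanup entry out, which is the one the helper asked to have fixed.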

#8 jimmiechipz

Posted 16 July 2008 - 01:11 AM

Explorer killed successfully
C:\WINDOWS\zts2.exe moved successfully.
C:\WINDOWS\system32\vcmgcd32.dll moved successfully.
C:\WINDOWS\system32\systems.txt moved successfully.
C:\WINDOWS\system32\iifgfgf.dll moved successfully.
C:\WINDOWS\rundll16.exe moved successfully.
C:\WINDOWS\rundl132.dll moved successfully.
C:\WINDOWS\logo1_.exe moved successfully.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07152008_100017





ComboFix 08-07-14.2 - Compaq_Owner 2008-07-16 0:48:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.420 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\taskmgr.com

.
((((((((((((((((((((((((( Files Created from 2008-06-16 to 2008-07-16 )))))))))))))))))))))))))))))))
.

2008-07-15 20:32 . 2008-07-15 20:32 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-07-15 10:07 . 2008-07-15 10:07 <DIR> d-------- C:\Program Files\VIA
2008-07-15 10:06 . 2008-07-15 10:06 <DIR> d-------- C:\softpaq
2008-07-15 10:00 . 2008-07-15 10:00 <DIR> d-------- C:\_OTMoveIt
2008-07-14 20:25 . 2008-07-14 20:47 <DIR> d-------- C:\SDFix
2008-07-14 20:13 . 2008-07-14 20:13 <DIR> d-------- C:\Deckard
2008-07-13 22:13 . 2008-07-13 22:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-07-13 22:12 . 2008-07-13 22:12 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-07-13 22:12 . 2008-07-14 07:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-07-13 21:02 . 2008-07-13 21:02 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-13 21:02 . 2008-07-13 21:02 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Malwarebytes
2008-07-13 21:02 . 2008-07-13 21:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-13 21:02 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-13 21:02 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-13 18:07 . 2008-07-16 00:54 7,144 --a------ C:\WINDOWS\system32\Config.MPF
2008-07-13 18:02 . 2008-07-14 18:34 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-07-13 18:02 . 2008-07-13 18:02 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-07-13 18:02 . 2008-07-14 02:35 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SiteAdvisor
2008-07-13 18:01 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-07-13 18:00 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-07-13 18:00 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-07-13 18:00 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-07-13 18:00 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-07-13 18:00 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-07-13 17:59 . 2008-07-13 17:59 <DIR> d-------- C:\Program Files\McAfee.com
2008-07-13 17:59 . 2008-07-13 18:33 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-07-13 17:59 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-07-13 17:58 . 2008-07-15 10:11 <DIR> d-------- C:\Program Files\McAfee
2008-07-13 15:59 . 2008-07-13 15:59 <DIR> d-------- C:\WINDOWS\$SQLUninstallSQL2000-KB948110-v8.00.2050-x86-ENU$
2008-07-13 15:56 . 2008-04-22 23:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-13 15:56 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-13 15:56 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-13 15:56 . 2008-04-22 23:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-13 15:56 . 2008-04-22 23:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-13 15:56 . 2008-04-22 23:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-13 15:56 . 2008-04-22 23:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-13 15:56 . 2008-04-22 23:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-13 15:56 . 2008-04-22 02:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-13 14:21 . 2008-06-13 06:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-13 14:20 . 2008-05-08 09:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-07-12 17:36 . 2008-04-13 19:12 1,306,624 -----c--- C:\WINDOWS\system32\dllcache\msxml6.dll
2008-07-12 17:36 . 2008-04-13 12:27 79,872 -----c--- C:\WINDOWS\system32\dllcache\msxml6r.dll
2008-07-12 17:36 . 2006-12-28 14:01 19,569 --a------ C:\WINDOWS\003141_.tmp
2008-07-12 17:22 . 2008-07-12 17:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-12 15:57 . 2004-08-04 05:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-07-12 15:55 . 2008-04-13 19:09 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-07-12 15:54 . 2004-08-04 05:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-07-12 15:52 . 2008-07-12 15:52 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-07-12 15:52 . 2008-07-12 15:52 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-07-12 15:52 . 2008-07-12 15:52 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-07-12 15:52 . 2008-07-12 15:52 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-07-12 15:52 . 2008-07-12 15:52 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-07-09 23:00 . 2004-08-04 05:00 1,086,058 -ra------ C:\WINDOWS\SET76.tmp
2008-07-09 23:00 . 2004-08-04 05:00 1,042,903 -ra------ C:\WINDOWS\SET73.tmp
2008-07-09 23:00 . 2006-03-30 05:03 22,339 -ra------ C:\WINDOWS\SETB5.tmp
2008-07-09 23:00 . 2004-08-04 05:00 13,753 -ra------ C:\WINDOWS\SET82.tmp
2008-07-09 23:00 . 2005-03-30 12:54 10,559 -ra------ C:\WINDOWS\SETB6.tmp
2008-07-09 21:24 . 2008-07-09 21:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-09 21:24 . 2008-07-09 21:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-07-09 20:42 . 2008-07-05 06:52 590,848 --a------ C:\General_Removal.exe
2008-07-09 20:29 . 2004-08-04 05:00 146,432 --a------ C:\WINDOWS\R.COM
2008-07-09 20:29 . 2004-08-04 05:00 135,680 --a------ C:\WINDOWS\system32\T.COM
2008-07-09 20:29 . 2008-07-09 20:30 50 --a------ C:\WINDOWS\Lic.xxx
2008-07-08 22:02 . 2007-07-31 02:05 6,136,176 --a------ C:\WindowsUpdateAgent30-x86.exe
2008-07-08 22:02 . 2008-04-19 08:04 1,266,056 --a------ C:\WindowsXP-KB927891.exe
2008-07-08 22:02 . 2008-04-19 08:04 3,038 --a------ C:\fix_svchost.bat
2008-07-07 23:10 . 2008-07-07 23:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-07-07 21:19 . 2008-07-07 21:19 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-07-07 21:13 . 2008-07-12 16:11 1,324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-07 15:45 . 2004-10-20 09:47 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-07-07 15:45 . 2004-10-21 05:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-07-07 15:45 . 2004-10-21 01:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-07-07 15:45 . 2004-10-21 01:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-07-07 15:45 . 2004-10-20 09:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intervideo
2008-07-07 15:45 . 2004-10-20 09:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-07-07 15:45 . 2008-07-07 21:19 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-06 12:55 . 2008-07-12 16:10 1,316 --a------ C:\WINDOWS\system32\wpa.bak
2008-07-06 12:27 . 2004-08-04 05:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-07-06 12:12 . 2004-08-04 05:00 1,086,058 -ra------ C:\WINDOWS\SET9B.tmp
2008-07-06 12:12 . 2004-08-04 05:00 1,042,903 -ra------ C:\WINDOWS\SET98.tmp
2008-07-06 12:12 . 2006-03-30 05:03 22,339 -ra------ C:\WINDOWS\SETDA.tmp
2008-07-06 12:12 . 2004-08-04 05:00 13,753 -ra------ C:\WINDOWS\SETA7.tmp
2008-07-06 12:12 . 2005-03-30 12:54 10,559 -ra------ C:\WINDOWS\SETDB.tmp
2008-07-06 06:58 . 2008-07-06 06:58 <DIR> d-------- C:\WINDOWS\dell
2008-07-02 22:52 . 2008-07-02 22:52 <DIR> d-------- C:\kav
2008-06-30 07:56 . 2008-07-03 08:46 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\U3
2008-06-29 19:32 . 2008-06-29 19:32 <DIR> d-------- C:\Program Files\WebEx
2008-06-29 19:27 . 2008-05-16 06:10 25,272 --a------ C:\WINDOWS\system32\drivers\purendis.sys
2008-06-29 19:27 . 2008-05-16 06:10 23,992 --a------ C:\WINDOWS\system32\drivers\pnarp.sys
2008-06-29 19:26 . 2008-06-29 19:26 <DIR> d-------- C:\Program Files\Common Files\Pure Networks Shared
2008-06-29 19:26 . 2008-06-29 19:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pure Networks
2008-06-29 19:11 . 2008-06-29 19:11 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-06-29 19:11 . 2008-06-29 19:11 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\IEPro
2008-06-29 19:11 . 2008-06-29 19:11 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVGTOOLBAR
2008-06-29 19:08 . 2008-06-29 19:24 <DIR> d-------- C:\Program Files\Linksys
2008-06-29 19:08 . 2008-06-29 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Linksys
2008-06-28 19:54 . 2008-06-28 19:54 <DIR> d-------- C:\WINDOWS\Logs
2008-06-28 19:54 . 2008-05-30 14:11 3,850,760 --a------ C:\WINDOWS\system32\D3DX9_38.dll
2008-06-28 19:54 . 2008-05-30 14:11 1,491,992 --a------ C:\WINDOWS\system32\D3DCompiler_38.dll
2008-06-28 19:54 . 2008-05-30 14:19 507,400 --a------ C:\WINDOWS\system32\XAudio2_1.dll
2008-06-28 19:54 . 2008-05-30 14:11 467,984 --a------ C:\WINDOWS\system32\d3dx10_38.dll
2008-06-28 19:54 . 2008-05-30 14:18 238,088 --a------ C:\WINDOWS\system32\xactengine3_1.dll
2008-06-28 19:54 . 2008-05-30 14:17 65,032 --a------ C:\WINDOWS\system32\XAPOFX1_0.dll
2008-06-28 19:54 . 2008-05-30 14:17 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_4.dll
2008-06-28 19:33 . 2008-06-28 19:33 <DIR> d-------- C:\Program Files\XP Codec Pack
2008-06-28 19:33 . 2007-08-18 01:54 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
2008-06-22 19:25 . 2008-06-22 19:25 <DIR> d-------- C:\Program Files\VistaCodecPack
2008-06-22 19:05 . 2008-06-22 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\VistaCodecs
2008-06-20 12:46 . 2008-06-20 12:46 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 12:46 . 2008-06-20 12:46 147,968 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 06:51 . 2008-06-20 06:51 361,600 -----c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 06:40 . 2008-06-20 06:40 138,496 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 06:08 . 2008-06-20 06:08 225,856 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 15:05 --------- d-----w C:\Program Files\HP
2008-07-13 23:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-13 21:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-12 22:06 --------- d-----w C:\Program Files\Yahoo!
2008-07-12 21:22 --------- d-----w C:\Program Files\Webshots
2008-07-12 21:18 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Yahoo!
2008-07-12 21:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-30 00:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-30 00:08 --------- d-----w C:\Program Files\Java
2008-06-29 01:08 --------- d-----w C:\Program Files\IEPro
2008-06-29 00:21 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\IEPro
2008-06-25 11:36 43,520 ----a-w C:\WINDOWS\system32\drivers\fetnd5bv.sys
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 04:44 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\OpenOffice.org2
2008-06-14 02:24 --------- d-----w C:\Program Files\Wild Tangent
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-09 05:06 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\AVGTOOLBAR
2008-06-08 22:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-08 21:15 --------- d-----w C:\Program Files\DivX
2008-06-08 21:04 --------- d-----w C:\Program Files\QuickTime
2008-06-08 21:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-01 20:54 --------- d-----w C:\Program Files\NeroInstall.bak
2008-06-01 20:52 --------- d-----w C:\Program Files\Common Files\Nero
2008-06-01 20:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-06-01 18:16 --------- d-----w C:\Program Files\Overland
2008-05-31 01:13 21,275 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-05-31 01:12 --------- d-----w C:\Program Files\Belkin
2008-05-23 01:32 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\TigerPlayer
2007-12-31 06:04 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-12-30 07:13 146 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 22:43 233472]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 06:11 648504]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 09:59 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 16:29 2221352]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 23:54 253952]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02 61440]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-21 00:55 155648]
"DiscWizardMonitor.exe"="C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 21:24 1169744]
"BootSkin Startup Jobs"="C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 17:21 270336]
"AcronisTimounterMonitor"="C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-04-19 21:38 1945688]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 21:29 149024]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 22:13 98304]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-06-21 15:06 36640]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"VTTimer"="VTTimer.exe" [2004-10-22 11:53 53248 C:\WINDOWS\system32\VTTimer.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]

C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-12-30 03:29:55 157008]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Enable Belkin Wireless Keyboard Driver.lnk - C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe [2007-12-31 09:53:50 192512]
Enable Belkin Wireless Mouse Driver.lnk - C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe [2007-12-31 09:53:52 212992]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24 237568]
Icatch(VI) SnapDetect.lnk - C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe [2007-12-30 23:45:54 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.FFDS"= ffdshow.ax
"msacm.divxa32"= divxa32.acm
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2004-05-12 15:18 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-08-04 18:28 49152 C:\Program Files\HP\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 18:04 52736 c:\WINDOWS\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LELA]
--a------ 2008-06-13 11:51 139264 C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 10:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-06-29 19:06 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 22:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower]
--a------ 2004-09-24 11:49 49152 C:\WINDOWS\system32\SiSPower.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\BearShare\\BearShare.exe"=
"C:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\IEPro\\MiniDM.exe"=
"C:\\kav\\kav7\\setup.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"10445:TCP"= 10445:TCP:BitComet 10445 TCP
"10445:UDP"= 10445:UDP:BitComet 10445 UDP
"22964:TCP"= 22964:TCP:BitComet 22964 TCP
"22964:UDP"= 22964:UDP:BitComet 22964 UDP
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys [2001-11-27 16:07]
R2 LinksysUpdater;Linksys Updater;C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-01-15 10:28]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-06-25 06:36]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12a17bdc-bc3b-11dc-a2aa-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8930ef08-b67d-11dc-8fcd-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5fbc756-4b51-11dd-b22e-806d6172696f}]
\Shell\AutoRun\command - J:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d578f172-fd5d-11dc-8cba-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6909d3f-b68b-11dc-8fd4-0011d821a36c}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-06-27 13:40:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-16 05:51:04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-07-13 22:59:33 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-07-13 22:59:32 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
ShellIconOverlayIdentifiers-{E4000AC4-5E5F-4956-807A-C5854405D64F} - %SystemRoot%\system32\VirtualExpander\VEShellExt.dll
HKLM-Run-TkBellExe - C:\Program Files\MpcStar\Codecs\Real\RCAPlugins\realsched.exe
MSConfigStartUp-!AVG Anti-Spyware - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
MSConfigStartUp-DXDllRegExe - dxdllreg.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-16 00:57:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6261\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\OSD.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
.
**************************************************************************
.
Completion time: 2008-07-16 1:05:55 - machine was rebooted [Compaq_Owner]
ComboFix-quarantined-files.txt 2008-07-16 06:05:49

Pre-Run: 11,955,646,464 bytes free
Post-Run: 12,049,793,024 bytes free

351 --- E O F --- 2008-07-13 22:14:57




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:38 AM, on 7/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\snmp.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\OSD.EXE
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\msiexec.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Enable Belkin Wireless Keyboard Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
O4 - Global Startup: Enable Belkin Wireless Mouse Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1215897751446
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1198982953281
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 13972 bytes

#9 jimmiechipz

Posted 16 July 2008 - 01:25 AM

Now my cpu hangs on vidstub.sys. Should I disable it the same way as agp440?

#10 quietman7

    Elder Janitor & Bug Exterminator

  • Admin
  • 11,370 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 16 July 2008 - 06:40 AM

vidstub.sys is related to Stardock BootSkin software and is used to change Windows 2000 and Windows XP boot screens. There have been similar reports of the system hanging on this file discussed in the Stardock Forums. However, if you are not using BootSkin the file may be dangerous as described here.

The two other threads were for two more computers.

In that case do not follow any of my previous instructions. At this point it's unclear which computer I was addressing.

Are you fixing computers for people or do all three PCs belong to you?

Yes please answer this question before posting any further logs.
Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#11 quietman7

Posted 16 July 2008 - 11:24 AM

We will continue with this system where we already successfully used OTMoveIt:

Compaq_Owner
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)


Use OTMoveIt the same as before, but this time copy & paste the following path - highlight everything in the quote box and press CTRL+C or right-click and choose Copy.

[kill explorer]
C:\General_Removal.exe
C:\WINDOWS\R.COM
C:\WINDOWS\system32\T.COM
C:\WINDOWS\Lic.xxx
[start explorer]

  • Return to OTMoveIt2, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" (under the light blue bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
-- You may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix". This program is for Windows 2000/XP ONLY.
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights".
-- Disconnect from the Internet and temporarily disable your anti-virus and any anti-malware real time protection before performing a scan.

When done, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply. Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

Then run Hijackthis again and post a fresh log.

Reports/logs to post in your next reply:
* Report.txt <- SDFix report
* A fresh HijackThis log

#12 jimmiechipz

Posted 17 July 2008 - 12:36 AM

We will continue with this system where we already successfully used OTMoveIt:

Compaq_Owner
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)


Use OTMoveIt the same as before, but this time copy & paste the following path - highlight everything in the quote box and press CTRL+C or right-click and choose Copy.

[kill explorer]
C:\General_Removal.exe
C:\WINDOWS\R.COM
C:\WINDOWS\system32\T.COM
C:\WINDOWS\Lic.xxx
[start explorer]

  • Return to OTMoveIt2, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" (under the light blue bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
-- You may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix". This program is for Windows 2000/XP ONLY.
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights".
-- Disconnect from the Internet and temporarily disable your anti-virus and any anti-malware real time protection before performing a scan.

When done, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply. Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

Then run Hijackthis again and post a fresh log.

Reports/logs to post in your next reply:
* Report.txt <- SDFix report
* A fresh HijackThis log

I work on this computer while at home, could you give me the next steps on the other two while I'm at work and with the other two?

Explorer killed successfully
C:\General_Removal.exe moved successfully.
C:\WINDOWS\R.COM moved successfully.
C:\WINDOWS\system32\T.COM moved successfully.
C:\WINDOWS\Lic.xxx moved successfully.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07162008_185821




SDFix: Version 1.205
Run by Administrator on Thu 07/17/2008 at 12:10 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-17 00:23:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"="C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe:*:Enabled:BackWeb for Presario"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares p2p for windows"
"C:\\Program Files\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare\\BearShare.exe:*:Enabled:BearShare"
"C:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"="C:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe:*:Enabled:Nero Home"
"C:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"="C:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe:*:Enabled:Nero ControlCenter"
"C:\\WINDOWS\\system32\\mshta.exe"="C:\\WINDOWS\\system32\\mshta.exe:*:Enabled:Microsoft ® HTML Application host"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\IEPro\\MiniDM.exe"="C:\\Program Files\\IEPro\\MiniDM.exe:*:Enabled:MiniDM"
"C:\\kav\\kav7\\setup.exe"="C:\\kav\\kav7\\setup.exe:*:Enabled:Kaspersky Anti-Virus 7.0 Setup"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :



Files with Hidden Attributes :

Sun 13 Jul 2008 282 A.SH. --- "C:\BOOT.BAK"
Sun 18 Feb 2007 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.SYS"
Sat 28 Jun 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 13 Jul 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Sun 13 Jul 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Sat 28 Jun 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 13 Jul 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Fri 13 Jun 2008 90,112 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\ar\LelaResource.resources.dll"
Fri 13 Jun 2008 77,824 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\da\LelaResource.resources.dll"
Fri 13 Jun 2008 81,920 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\de\LelaResource.resources.dll"
Fri 13 Jun 2008 106,496 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\el\LelaResource.resources.dll"
Fri 13 Jun 2008 110,592 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\en-US\LelaAccount.resources.dll"
Fri 13 Jun 2008 450,560 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\en-US\LelaNetwork.resources.dll"
Fri 13 Jun 2008 7,565,312 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\en-US\LelaResource.resources.dll"
Fri 13 Jun 2008 1,937,408 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\en-US\Linksys EasyLink Advisor.resources.dll"
Fri 1 Sep 2006 563,000 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\04dd5b8c42be97f87e8bd2dca0d98ff7\BIT18.tmp"
Sun 13 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1e9932cdb151e63543dfe60a0ebec20f\BIT6F.tmp"
Sun 13 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5498c785851ff90b892674f94bdfa81d\BIT73.tmp"
Wed 19 Mar 2008 102,213 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5bbdb5674637f5b44c94a13289d32513\BIT15.tmp"
Sun 13 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\70a4fbe7217488f673cf5d20367dabc9\BIT5B.tmp"
Sun 13 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\71c884b3a348fe876677e718ab666a66\BIT56.tmp"
Mon 7 Feb 2005 333,544 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9a2dcac64b311638f09a8890302a2c3e\BIT22.tmp"
Sun 13 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a30fe106c075193a6848a7f64073a7cc\BIT6C.tmp"
Sun 13 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ada4d488d7d0854b79cefb8bc70c8d98\BIT5A.tmp"
Sun 13 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b5330da089196b346d1ee0676e21afcc\BIT58.tmp"
Sun 13 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b600c3564bddf4a7fe9d1996c0016b82\BIT59.tmp"
Sun 13 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c810b29b22044bd72df654fd63ee0af2\BIT5E.tmp"
Sun 13 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c9704c1d31015ba6a200ac1782063d02\BIT70.tmp"
Sun 13 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ec3e2e6b3f1b25baadb3a70dfe94cd10\BIT6D.tmp"
Fri 2 Jun 2006 153,861 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f800fb87a28ec4ca869706531385e23a\BIT19.tmp"
Mon 11 Apr 2005 4,348 A..H. --- "C:\Documents and Settings\Compaq_Owner\My Documents\My Music\License Backup\drmv1key.bak"
Tue 12 Jul 2005 1,544 A..H. --- "C:\Documents and Settings\Compaq_Owner\My Documents\My Music\License Backup\drmv1lic.bak"
Fri 3 Jun 2005 400 A.SH. --- "C:\Documents and Settings\Compaq_Owner\My Documents\My Music\License Backup\drmv2key.bak"
Sun 13 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1410961c7f4f5684c30d6b41322b3e42\download\BIT7D.tmp"
Fri 5 Aug 2005 253,544 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1a72abe4120e101373a4e6a8f3333cc4\download\BIT21.tmp"
Sun 13 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\218766960d1465c026412385b0d1d978\download\BIT79.tmp"
Sun 13 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\299962a31e45d27ead63e99f90e24465\download\BIT74.tmp"
Sun 13 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6ac42657c636012f9effce4f937863f4\download\BIT7A.tmp"
Sun 13 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\75654b110105f9569579992b0c774b3f\download\BIT77.tmp"
Sun 13 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ad6c31f7d0a4d2645ed6d67e2530522e\download\BIT78.tmp"
Sun 13 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f8c6a8157d1ed68b0b0f724babd8b17f\download\BIT7C.tmp"
Sun 13 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fae81cc29bef49249f2d64f8fb9c8b1d\download\BIT75.tmp"

Finished!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33:50 AM, on 7/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\OSD.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Enable Belkin Wireless Keyboard Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
O4 - Global Startup: Enable Belkin Wireless Mouse Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1215897751446
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1198982953281
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 14015 bytes





Here U go, sorry took so long.

#13 quietman7

quietman7

    Elder Janitor & Bug Exterminator

  • Admin
  • 11,370 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 17 July 2008 - 07:01 AM

Please temporarily disable any anti-spyware programs you are using which are listed here so they will not interfere with the entries we will be fixing in HijackThis.

Run HijackThis, and press "Scan." When the scan is complete place a check mark next to the following entries (if they are still present): (Please be careful and do not check any other boxes)

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)

After checking these items CLOSE ALL open windows except HijackThis and click "Fix Checked" to remove the entries you checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, close HijackThis and reboot your computer normally.

Other than that your log looks clean. However, your log shows mdm.exe is running. Mdm.exe is Microsoft's Machine Debug Manager program which is included in Microsoft Visual Studio .NET, Microsoft Office 2007, Microsoft Office 2003, and a Microsoft Office XP post-Service Pack 3 release to provide support for program debugging. The Script Debugger is actually a JScript debugger used by programmers and advanced users when debugging programs; testing scripts developed using an ActiveX script engine; debug scripts developed with VBScript and JScript, ActiveX components and Java applets. It allows viewing and modifying program source code, variables, and values, or controlling the flow and pace of how the script works and allows debugging Internet Explorer errors by using a script interface tool.

This process starts when script debugging is enabled in Internet Explorer. It runs as a service with the local system account and is loaded when the computer starts but sometimes tends to slow system performance. This is a non-essential process and if you do not use your computer for debugging purposes, you can safely turn off the Machine Debug Manager.

To reconfigure script debugging options and Disable Machine Debug Manager:
  • Click on Start > Run and type: iexplore.exe.
  • On the Tools menu, click Internet Options > Advanced tab.
  • Click the "Advanced tab" and scroll down to "Browsing".
  • Put a check mark next to "Disable Script Debugging (IE)".
  • Put a check mark next to "Disable Script Debugging (Other)".
  • Uncheck "Display a notification about every script error".
  • Click "OK" and close Internet Explorer.
To disable the service:
  • Click on Start > Run and type: services.msc
  • Press OK.
  • Click the "Extended tab" at the bottom to view all the info on your services.
  • Scroll down the list and find the service called Machine Debug Manager.
  • When you find the service, double-click on it or right-click and choose "Properties".
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Disabled".
  • Click Apply, then OK and close any open windows.
Screenshot with an example of how to do this if needed.

Note: If another application like Microsoft Visual Studio or .NET reinstalls Mdm.exe, or if Mdm.exe /Regserver is run on a computer that is running Windows XP, Mdm.exe is re-added to the RunServices registry key. If the Detect and Repair feature within some Microsoft applications runs, this will also cause Mdm.exe to be re-registered on the system and reappear in Task Manager.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Google Toolbar unless you want it.

Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
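To make explicit what the helper is looking for when he picks out that single O9 entry: the script below is an added example (not part of this thread and not HijackThis code) that parses O2/O3/O9/O23 lines in the format shown in the logs above and flags entries marked "(file missing)" (orphaned registry entries) and O23 services whose publisher HijackThis could not identify. The sample lines are copied from the log posted above; "Unknown owner" only means no version information was found, so flagged services are for review, not automatically bad (both flagged here, Linksys Updater and SiteAdvisor, are legitimate).

```python
"""Triage helper for HijackThis v2 log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# O2/O3/O9 lines: "O9 - Extra button: NAME - {CLSID} - PATH"
_COM_LINE = re.compile(
    r"^(?P<sec>O[23]|O9) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)
# O23 lines: "O23 - Service: DISPLAY (SHORT) - PUBLISHER - PATH"
_SVC_LINE = re.compile(
    r"^O23 - Service: (?P<name>.*?) - (?P<publisher>.*?) - (?P<path>.*)$"
)
_MISSING = "(file missing)"  # suffix HijackThis appends when the file is absent


@dataclass
class Entry:
    section: str
    name: str
    path: str
    clsid: Optional[str] = None
    publisher: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for sections this helper does not handle (R0, O4, O16 ...)."""
    line = line.strip()
    m = _SVC_LINE.match(line)
    if m:
        entry = Entry("O23", m["name"], m["path"], publisher=m["publisher"])
    else:
        m = _COM_LINE.match(line)
        if not m:
            return None
        entry = Entry(m["sec"], m["name"], m["path"], clsid=m["clsid"])
    # An orphaned entry: registry still points at a file that no longer exists.
    if entry.path.endswith(_MISSING):
        entry.path = entry.path[: -len(_MISSING)].strip()
        entry.flags.append("file missing")
    # No version/publisher info; worth a second look, not proof of anything.
    if entry.publisher == "Unknown owner":
        entry.flags.append("unknown publisher")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Return, in log order, only the entries that carry at least one flag."""
    flagged = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is not None and entry.flags:
            flagged.append(entry)
    return flagged


# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section} {e.name!r}: {', '.join(e.flags)} -> {e.path}")
```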

#14 jimmiechipz

jimmiechipz

    TEG Forum Member

  • Members
  • 57 posts
  • Gender:Male
  • Location:Dallas, TX

Posted 17 July 2008 - 11:44 AM

Please temporarily disable any anti-spyware programs you are using which are listed here so they will not interfere with the entries we will be fixing in HijackThis.

Run HijackThis, and press "Scan." When the scan is complete place a check mark next to the following entries (if they are still present): (Please be careful and do not check any other boxes)

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)

After checking these items CLOSE ALL open windows except HijackThis and click "Fix Checked" to remove the entries you checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, close HijackThis and reboot your computer normally.

Other than that your log looks clean. However, your log shows mdm.exe is running. Mdm.exe is Microsoft's Machine Debug Manager program which is included in Microsoft Visual Studio .NET, Microsoft Office 2007, Microsoft Office 2003, and a Microsoft Office XP post-Service Pack 3 release to provide support for program debugging. The Script Debugger is actually a JScript debugger used by programmers and advanced users when debugging programs; testing scripts developed using an ActiveX script engine; debug scripts developed with VBScript and JScript, ActiveX components and Java applets. It allows viewing and modifying program source code, variables, and values, or controlling the flow and pace of how the script works and allows debugging Internet Explorer errors by using a script interface tool.

This process starts when script debugging is enabled in Internet Explorer. It runs as a service with the local system account and is loaded when the computer starts but sometimes tends to slow system performance. This is a non-essential process and if you do not use your computer for debugging purposes, you can safely turn off the Machine Debug Manager.

To reconfigure script debugging options and Disable Machine Debug Manager:

  • Click on Start > Run and type: iexplore.exe.
  • On the Tools menu, click Internet Options > Advanced tab.
  • Click the "Advanced tab" and scroll down to "Browsing".
  • Put a check mark next to "Disable Script Debugging (IE)".
  • Put a check mark next to "Disable Script Debugging (Other)".
  • Uncheck "Display a notification about every script error".
  • Click "OK" and close Internet Explorer.
To disable the service:
  • Click on Start > Run and type: services.msc
  • Press OK.
  • Click the "Extended tab" at the bottom to view all the info on your services.
  • Scroll down the list and find the service called Machine Debug Manager.
  • When you find the service, double-click on it or right-click and choose "Properties".
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Disabled".
  • Click Apply, then OK and close any open windows.
Screenshot with an example of how to do this if needed.

Note: If another application like Microsoft Visual Studio or .NET reinstalls Mdm.exe, or if Mdm.exe /Regserver is run on a computer that is running Windows XP, Mdm.exe is re-added to the RunServices registry key. If the Detect and Repair feature within some Microsoft applications runs, this will also cause Mdm.exe to be re-registered on the system and reappear in Task Manager.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Google Toolbar unless you want it.
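As an added example (my own, not quietman7's instructions or anything from the forum), the same three checks done from PowerShell so they can be re-run later to confirm the settings stuck. It assumes PowerShell 2.0 or later is installed and the script is run from an elevated prompt. The registry value names under the Internet Explorer "Main" key, the service name "MDM", and the Add/Remove Programs registry paths are the standard ones on a stock Windows build and are assumptions here; the Java part only lists what is installed so it can be removed through Add/Remove Programs as described above. Without the -Apply switch the script only reports.

```powershell
# Added example, not part of the original post. Audits (and, with -Apply, sets)
# the three items above: IE script debugging, the Machine Debug Manager service,
# and installed Java versions. Assumes PowerShell 2.0+ on an elevated prompt.
# Registry value names and the service name "MDM" are assumptions taken from
# standard Windows builds; nothing is changed unless -Apply is given.
param([switch]$Apply)

# --- 1. Internet Explorer script debugging (per-user settings) ---------------
# "yes" = the "Disable Script Debugging" boxes are ticked; "no" = the
# "Display a notification about every script error" box is unticked.
$ieMain   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ieWanted = @{
    'DisableScriptDebuggerIE'            = 'yes'  # Disable Script Debugging (IE)
    'Disable Script Debugger'            = 'yes'  # Disable Script Debugging (Other)
    'Error Dlg Displayed On Every Error' = 'no'   # Display a notification about every script error
}

function Test-IeScriptDebugging {
    # Returns one object per setting with its current value and whether it matches.
    $current = Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue
    foreach ($name in $ieWanted.Keys) {
        $value = if ($current) { $current.$name } else { $null }
        New-Object PSObject -Property @{
            Setting = $name
            Current = $value
            Wanted  = $ieWanted[$name]
            Ok      = ($value -eq $ieWanted[$name])
        }
    }
}

function Set-IeScriptDebugging {
    # Writes the wanted values; creates the key if a fresh profile lacks it.
    if (-not (Test-Path $ieMain)) { New-Item -Path $ieMain -Force | Out-Null }
    foreach ($name in $ieWanted.Keys) {
        Set-ItemProperty -Path $ieMain -Name $name -Value $ieWanted[$name] -Type String
    }
}

# --- 2. Machine Debug Manager service ----------------------------------------
function Disable-MachineDebugManager {
    param([switch]$Apply)
    $svc = Get-Service -Name 'MDM' -ErrorAction SilentlyContinue
    if (-not $svc) { return 'MDM service is not installed' }
    $startMode = (Get-WmiObject Win32_Service -Filter "Name='MDM'").StartMode
    if ($Apply) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name 'MDM' -Force }
        Set-Service -Name 'MDM' -StartupType Disabled
        return 'MDM stopped and startup type set to Disabled'
    }
    return "MDM is $($svc.Status), startup type $startMode"
}

# --- 3. Installed Java runtimes (report only) --------------------------------
# Lists every Add/Remove Programs entry whose name starts with Java or J2SE,
# which is what the uninstall steps above tell you to remove one by one.
function Get-InstalledJava {
    $roots = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall')
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }   # Wow6432Node does not exist on 32-bit XP
        Get-ChildItem $root | ForEach-Object { Get-ItemProperty $_.PSPath } |
            Where-Object { $_.DisplayName -match '^(Java|J2SE)' } |
            Select-Object DisplayName, DisplayVersion, UninstallString
    }
}

# --- Run ---------------------------------------------------------------------
'== IE script debugging =='
Test-IeScriptDebugging | Format-Table Setting, Current, Wanted, Ok -AutoSize
if ($Apply) { Set-IeScriptDebugging; 'Applied IE script debugging settings.' }

'== Machine Debug Manager =='
Disable-MachineDebugManager -Apply:$Apply

'== Installed Java versions (keep only the newest) =='
$java = Get-InstalledJava
if ($java) { $java | Format-Table -AutoSize } else { 'No Java entries found in Add/Remove Programs.' }
```

Run it once without -Apply to see the current state, apply the changes, then run it again: every IE row should show Ok = True, MDM should report Disabled, and the Java list should be down to the single current version. If MDM reappears later, that is the re-registration behaviour the note above describes, not a sign the change failed.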

Okay, I've done everything and it seems to be running much smoother now. Thanx for everything!


#15 quietman7

quietman7

    Elder Janitor & Bug Exterminator

  • Admin
  • 11,370 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 17 July 2008 - 12:18 PM

You're welcome.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

For tips to protect yourself against malware and reduce the potential for re-infection, be sure to read:
• "Malware Prevention - Preventing Re-infection".
• "How did I get infected?, With steps so it does not happen again!".
• "Best Practices - Internet Safety for 2008".
• "Hardening Windows Security - Part 1 & Part 2".
• "IE Recommended Minimal Security Settings" - "How to Secure Your Web Browser".

• Avoid online gaming sites and peer-to-peer (P2P) or file sharing programs as they are a security risk which can make your system susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans target and spread across P2P file sharing networks and gaming sites. In some instances the infection may cause so much damage to your system that recovery is not possible and the only option is to wipe your drive, reformat and reinstall the OS. The best way to reduce the risk of infection is to avoid gaming sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators