Go Back   Cyber Tech Help Support Forums > Software > Malware Removal
Reload this Page I've been hi jacked
Register FAQ Calendar Search Today's Active Topics Mark Forums Read

Notices

Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs

Reply
Page 1 of 2 1 2
 
Topic Tools
  #1  
Old November 22nd, 2007, 03:04 AM
khmoles khmoles is offline
New Member
  
Join Date: Nov 2007
Posts: 23
I've been hi jacked
My browser has been hi-jacked by ucleaner. I do not seem to be the first. Here is a copy of my hijackthis file. Please help.

Logfile of HijackThis v1.99.1
Scan saved at 5:54:30 PM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\runservice.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb1 0.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\companion\Installs\cpn\ycomp5_3_19_0. dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn\ycomp5_3_19_0. dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: The jokwmp - {6BA27973-068D-4F85-BE84-1251E0B20FD3} - C:\WINDOWS\jokwmp.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb1 0.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV0 2.EXE
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} (VatCtrl Class) - http://www.bajabettyssd.com/webcam/VatDec.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) -
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/...lMgr_v01_4.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/down.../OTOYAX29b.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.25.14/ttinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../Installer.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: sapnet - {E7E7F87E-97A2-4B33-949E-8ACC20CA0B61} - C:\WINDOWS\sapnet.dll (file missing)
O21 - SSODL: rmvgor - {F40DB4EE-C358-4FAE-A78C-A88411123E09} - C:\WINDOWS\rmvgor.dll (file missing)
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

Thanks
Reply With Quote
  #2  
Old November 22nd, 2007, 08:34 AM
Morfeasss Morfeasss is offline
CTH Subscriber
  
Join Date: Feb 2006
O/S: Windows XP Home
Location: Greece
Posts: 5,140
Welcome to CTH khmoles,

Traces of infection are showing in your log, let's start with this.

Please download

SDFix.exe from here and save it to your desktop.

When you have done this, please boot into Safe Mode (Reboot and at startup start tapping the F8 key).

Doubleclick SDFix.exe and click Install. It will create a folder under your C drive named SDFix (C:\SDFix). Navigate to C:\SDFix and doubleclick on RunThis.bat to start the script.

Type Y to begin the script. It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. When you hit any key, your computer will reboot. Your system will take longer that normal to restart as the fixtool will be running and removing files.

When your desktop loads, the utility will complete the removal and display Finished. Press any key again to end the script and load your desktop icons. Finally open the SDFix folder on your desktop and copy and paste the contents of Report.txt back in this thread.

Note: Do NOT use the msconfig option to boot into Safe Mode, if you can't boot into Safe Mode by tapping the F8 key, just post back here and let me know.
~~~~~~~~~~~~~~~

I would also like to see another kind of scan, download Silent Runners to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here.

Please post back the SDFix report, along with a new HijackThis log and the Silent Runners report.
Reply With Quote
  #3  
Old November 22nd, 2007, 08:00 PM
khmoles khmoles is offline
New Member
  
Join Date: Nov 2007
Posts: 23
Here are the new logs.
Thanks for your prompt reply. here is what you asked for:

Logfile of HijackThis v1.99.1
Scan saved at 10:54:16 AM, on 11/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\runservice.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb1 0.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\companion\Installs\cpn\ycomp5_3_19_0. dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn\ycomp5_3_19_0. dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb1 0.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV0 2.EXE
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} (VatCtrl Class) - http://www.bajabettyssd.com/webcam/VatDec.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) -
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/...lMgr_v01_4.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/down.../OTOYAX29b.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.25.14/ttinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../Installer.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
Reply With Quote
  #4  
Old November 22nd, 2007, 08:02 PM
khmoles khmoles is offline
New Member
  
Join Date: Nov 2007
Posts: 23
SDfix
SDFix: Version 1.115

Run by Owner on Thu 11/22/2007 at 10:08 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\Documents and Settings\Owner\Desktop\Error Cleaner.url - Deleted
C:\Documents and Settings\Owner\Desktop\Privacy Protector.url - Deleted
C:\Documents and Settings\Owner\Desktop\Spyware&Malware Protection.url - Deleted
C:\WINDOWS\privacy_danger\index.htm - Deleted
C:\WINDOWS\privacy_danger\images\capt.gif - Deleted
C:\WINDOWS\privacy_danger\images\danger.jpg - Deleted
C:\WINDOWS\privacy_danger\images\down.gif - Deleted
C:\WINDOWS\privacy_danger\images\spacer.gif - Deleted
C:\Program Files\RichVideoCodec\install.ico - Deleted
C:\Program Files\RichVideoCodec\RichVideoCodec.ocx - Deleted
C:\Program Files\RichVideoCodec\Uninstall.exe - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\search_res.txt - Deleted



Folder C:\Program Files\RichVideoCodec - Removed
Folder C:\WINDOWS\privacy_danger - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-22 10:28:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\standard profile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\kdx\\khost.exe"="C:\\WINDOWS\\kdx\\k host.exe:*:Disabled:Secure Delivery Plug-In"
"C:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"="C:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe:*:Disabled:BackWeb-1940576"
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"="C:\\Program Files\\Real\\RealOne Player\\realplay.exe:*:Enabled:RealOne Player"
"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\Rar$EX01.422\\MP3Share.exe"="C:\\D ocuments and Settings\\Owner\\Local Settings\\Temp\\Rar$EX01.422\\MP3Share.exe:*:Disab led:MP3Share"
"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\Rar$EX27.610\\MP3Share.exe"="C:\\D ocuments and Settings\\Owner\\Local Settings\\Temp\\Rar$EX27.610\\MP3Share.exe:*:Enabl ed:MP3Share"
"C:\\Program Files\\Gold Miner\\GoldMiner.exe"="C:\\Program Files\\Gold Miner\\GoldMiner.exe:*:Disabled:Gold Miner "
"C:\\Program Files\\Microsoft Games\\Ants\\Ants.exe"="C:\\Program Files\\Microsoft Games\\Ants\\Ants.exe:*:Enabled:Microsoft Ants"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Disabled:Kodak Software Updater"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS \\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\MSN Games\\Wheel of Fortune Deluxe\\Wheel of Fortune Deluxe.exe"="C:\\Program Files\\MSN Games\\Wheel of Fortune Deluxe\\Wheel of Fortune Deluxe.exe:*:Disabled:Wheel of Fortune Deluxe"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \SAGENT4.EXE"="C:\\WINDOWS\\system32\\spool\\drive rs\\w32x86\\3\\SAGENT4.EXE:*:Disabled:SAgent4"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Disabled:BitTo rrent"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Disabled:Flashget"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS \\system32\\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\ system32\\dpnsvr.exe:*:Disabled:Microsoft DirectPlay8 Server"
"C:\\WINDOWS\\system32\\dxdiag.exe"="C:\\WINDOWS\\ system32\\dxdiag.exe:*:Disabled:Microsoft DirectX Diagnostic Tool"
"C:\\Program Files\\WildTangent\\Polar Bowler\\polar.exe"="C:\\Program Files\\WildTangent\\Polar Bowler\\polar.exe:*:Disabled:polar"
"C:\\Program Files\\LucasArts\\SWKotOR\\swupdate.exe"="C:\\Prog ram Files\\LucasArts\\SWKotOR\\swupdate.exe:*:Disabled :Star Wars: Knights of the old Republic Update Program"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe:LocalSubNet:Disabled:TurboTa x"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe:LocalSubNet:Disabled:Tu rboTax Update Manager"
"C:\\Program Files\\Yahoo! Games\\Wheel of Fortune\\Wheel of Fortune.exe"="C:\\Program Files\\Yahoo! Games\\Wheel of Fortune\\Wheel of Fortune.exe:*:Disabled:Wheel of Fortune"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Disabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Disabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Disabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\\Program Files\\CSLU\\Tcl80\\bin\\wish80.exe"="C:\\Program Files\\CSLU\\Tcl80\\bin\\wish80.exe:*:Disabled:wis h80"
"C:\\Program Files\\MSN Gaming Zone\\zclient.exe"="C:\\Program Files\\MSN Gaming Zone\\zclient.exe:*:Disabled:Zone Datafile"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\domainpr ofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sat 19 Jun 2004 196 A.SHR --- "C:\BOOT.BAK"
Wed 29 Sep 2004 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Wed 14 Dec 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(3)(10).sys"
Thu 22 Sep 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(3)(8).sys"
Wed 30 Nov 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(3)(9).sys"
Sun 25 Sep 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(3)(6).sys"
Wed 28 Sep 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(3)(7).sys"
Tue 27 Sep 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(3)(5).sys"
Sun 25 Sep 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(4)(6).sys"
Mon 5 Dec 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(4)(7).sys"
Fri 16 Sep 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(5)(6).sys"
Fri 4 Feb 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(10)(2)(2).sys"
Fri 21 Jan 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(10)(3).sys"
Fri 21 Jan 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(11)(2).sys"
Sun 25 Sep 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(11)(3).sys"
Wed 19 Jan 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(12)(2).sys"
Tue 18 Jan 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(13)(2).sys"
Fri 14 Jan 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(14)(2).sys"
Fri 14 Jan 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(15)(2).sys"
Wed 12 Jan 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(16)(2).sys"
Fri 7 Jan 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(17)(2).sys"
Thu 6 Jan 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(18)(2).sys"
Fri 21 Jan 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(19)(2).sys"
Thu 28 Jul 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(2).sys"
Tue 28 Dec 2004 985 A.SH. --- "C:\WINDOWS\system32\mmf(2)(2)(2).sys"
Wed 15 Dec 2004 985 A.SH. --- "C:\WINDOWS\system32\mmf(2)(3).sys"
Sun 6 Feb 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(2)(4).sys"
Sun 24 Apr 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(2)(2).sys"
Mon 27 Dec 2004 985 A.SH. --- "C:\WINDOWS\system32\mmf(22)(2).sys"
Sun 26 Dec 2004 985 A.SH. --- "C:\WINDOWS\system32\mmf(23)(2).sys"
Sun 26 Dec 2004 985 A.SH. --- "C:\WINDOWS\system32\mmf(24)(2).sys"
Sat 25 Dec 2004 985 A.SH. --- "C:\WINDOWS\system32\mmf(25)(2).sys"
Fri 24 Dec 2004 985 A.SH. --- "C:\WINDOWS\system32\mmf(26)(2).sys"
Fri 24 Dec 2004 985 A.SH. --- "C:\WINDOWS\system32\mmf(27)(2).sys"
Tue 21 Dec 2004 985 A.SH. --- "C:\WINDOWS\system32\mmf(28)(2).sys"
Sat 18 Dec 2004 985 A.SH. --- "C:\WINDOWS\system32\mmf(29)(2).sys"
Wed 29 Dec 2004 985 A.SH. --- "C:\WINDOWS\system32\mmf(3)(2)(2).sys"
Sat 5 Feb 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(3)(3).sys"
Sun 24 Apr 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(3)(2).sys"
Fri 9 Sep 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(3)(4).sys"
Thu 16 Dec 2004 985 A.SH. --- "C:\WINDOWS\system32\mmf(31)(2).sys"
Fri 4 Feb 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(32)(2).sys"
Tue 1 Feb 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(33)(2).sys"
Sat 29 Jan 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(34)(2).sys"
Tue 25 Jan 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(35)(2).sys"
Sat 22 Jan 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(36)(2).sys"
Sun 24 Apr 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(4)(2).sys"
Fri 4 Feb 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(4)(3).sys"
Mon 26 Sep 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(4)(4).sys"
Sun 25 Sep 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(4)(5).sys"
Mon 7 Feb 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(49)(2).sys"
Mon 18 Apr 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(5)(2).sys"
Fri 4 Feb 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(5)(3).sys"
Sun 25 Sep 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(5)(4).sys"
Sun 11 Sep 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(5)(5).sys"
Sun 17 Apr 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(6)(2).sys"
Tue 1 Feb 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(6)(3).sys"
Tue 13 Sep 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(6)(4).sys"
Sun 11 Sep 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(6)(5).sys"
Fri 4 Mar 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(7)(2).sys"
Sat 29 Jan 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(7)(3).sys"
Tue 25 Jan 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(8)(3).sys"
Sat 22 Jan 2005 985 A.SH. --- "C:\WINDOWS\system32\mmf(9)(3).sys"
Thu 22 Nov 2007 985 A.SH. --- "C:\WINDOWS\system32\mmf.sys"
Sat 2 Oct 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 26 Apr 2005 453,632 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0003.tmp"
Sat 22 Jan 2005 31,744 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0004.tmp"
Fri 21 Jan 2005 1,487 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti136.tmp"
Wed 18 Oct 2006 169 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti23D.tmp"
Wed 14 Nov 2007 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Wed 14 Nov 2007 211 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Tue 20 Nov 2007 0 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BIT10.tmp"
Wed 21 Nov 2007 0 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BIT11.tmp"
Tue 20 Nov 2007 0 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BIT12.tmp"
Tue 20 Nov 2007 0 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BIT13.tmp"
Tue 20 Nov 2007 0 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BIT14.tmp"
Wed 21 Nov 2007 0 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BIT15.tmp"
Wed 8 Aug 2007 85,946 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BIT16.tmp"
Wed 21 Nov 2007 0 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BIT29.tmp"
Wed 21 Nov 2007 0 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BIT3D.tmp"
Wed 21 Nov 2007 0 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BIT3E.tmp"
Wed 8 Aug 2007 85,946 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BITA.tmp"
Mon 19 Nov 2007 388,090 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BITBF.tmp"
Mon 19 Nov 2007 388,090 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BITC1.tmp"
Mon 19 Nov 2007 0 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BITC4.tmp"
Mon 19 Nov 2007 388,090 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BITC6.tmp"
Mon 19 Nov 2007 0 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BITC8.tmp"
Mon 19 Nov 2007 0 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BITCA.tmp"
Mon 19 Nov 2007 0 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BITCB.tmp"
Mon 19 Nov 2007 388,090 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BITCD.tmp"
Mon 19 Nov 2007 0 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BITCF.tmp"
Tue 20 Nov 2007 0 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BITD.tmp"
Mon 19 Nov 2007 0 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BITD1.tmp"
Mon 19 Nov 2007 0 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BITD3.tmp"
Tue 20 Nov 2007 0 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BITD5.tmp"
Mon 19 Nov 2007 0 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BITD7.tmp"
Mon 19 Nov 2007 0 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BITD9.tmp"
Mon 19 Nov 2007 0 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BITDB.tmp"
Mon 19 Nov 2007 0 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BITDD.tmp"
Mon 19 Nov 2007 0 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BITDF.tmp"
Tue 20 Nov 2007 388,090 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BITE.tmp"
Tue 20 Nov 2007 0 A..H. --- "C:\Documents and Settings\Alex\Local Settings\Temp\BITF.tmp"
Thu 25 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sat 7 Feb 2004 5,294,080 A..H. --- "C:\hp\patches\42WW1REC\src\App00153.exe"
Sat 7 Feb 2004 452,096 A..H. --- "C:\hp\patches\42WW1REC\src\App00292.exe"
Sat 7 Feb 2004 444,416 A..H. --- "C:\hp\patches\42WW1REC\src\App00491.exe"
Sat 7 Feb 2004 1,838,592 A..H. --- "C:\hp\patches\42WW1REC\src\App02995.exe"
Sat 7 Feb 2004 492,544 A..H. --- "C:\hp\patches\42WW1REC\src\App04827.exe"
Sat 7 Feb 2004 1,401,856 A..H. --- "C:\hp\patches\42WW1REC\src\App05447.exe"
Sat 7 Feb 2004 440,320 A..H. --- "C:\hp\patches\42WW1REC\src\App05705.exe"
Sat 7 Feb 2004 462,848 A..H. --- "C:\hp\patches\42WW1REC\src\App09961.exe"
Sat 7 Feb 2004 15,596,032 A..H. --- "C:\hp\patches\42WW1REC\src\App14604.exe"
Sat 7 Feb 2004 5,256,704 A..H. --- "C:\hp\patches\42WW1REC\src\App16827.exe"
Sat 7 Feb 2004 3,668,992 A..H. --- "C:\hp\patches\42WW1REC\src\App17421.exe"
Tue 10 Feb 2004 696,832 A..H. --- "C:\hp\patches\42WW1REC\src\App18716.exe"
Sat 7 Feb 2004 423,936 A..H. --- "C:\hp\patches\42WW1REC\src\App19169.exe"
Sat 7 Feb 2004 1,157,632 A..H. --- "C:\hp\patches\42WW1REC\src\App19718.exe"
Tue 10 Feb 2004 995,328 A..H. --- "C:\hp\patches\42WW1REC\src\App19895.exe"
Sat 7 Feb 2004 453,632 A..H. --- "C:\hp\patches\42WW1REC\src\App23281.exe"
Sat 7 Feb 2004 453,632 A..H. --- "C:\hp\patches\42WW1REC\src\App24464.exe"
Sat 7 Feb 2004 2,251,776 A..H. --- "C:\hp\patches\42WW1REC\src\App26962.exe"
Sat 7 Feb 2004 481,792 A..H. --- "C:\hp\patches\42WW1REC\src\App29358.exe"
Sat 7 Feb 2004 12,426,752 A..H. --- "C:\hp\patches\42WW1REC\src\App32391.exe"
Sat 7 Feb 2004 12,426,752 A..H. --- "C:\hp\patches\42WW1REC\src\App99990.exe"
Sat 7 Feb 2004 15,596,032 A..H. --- "C:\hp\patches\42WW1REC\src\App99992.exe"
Sat 7 Feb 2004 5,256,704 A..H. --- "C:\hp\patches\42WW1REC\src\App99993.exe"
Sat 7 Feb 2004 5,256,704 A..H. --- "C:\hp\patches\42WW1REC\src\xApp14604.exe"
Mon 3 May 2004 67,944 ...H. --- "C:\Program Files\Ahead\Nero PhotoShow\data\Nero PhotoShow Express.exe"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Thu 11 Jan 2007 3,993,088 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1235.tmp"
Thu 11 Jan 2007 19,456 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL2114.tmp"
Sat 2 Oct 2004 4,348 ...H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1key.bak"
Tue 5 Apr 2005 20 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1lic.bak"
Sat 2 Oct 2004 400 A.SH. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2key.bak"

Finished!
Reply With Quote
  #5  
Old November 22nd, 2007, 08:03 PM
khmoles khmoles is offline
New Member
  
Join Date: Nov 2007
Posts: 23
Startup programs
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run \ {++}
"RecordNow!" = "(empty string)" [file not found]
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"ATI Launchpad" = ""C:\Program Files\ATI Multimedia\main\launchpd.exe"" ["ATI Technologies Inc."]
"PhotoShow Deluxe Media Manager" = "C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.ex e" [null data]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"DW4" = ""C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"" ["The Weather Channel Interactive"]
"updateMgr" = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9" ["Adobe Systems Incorporated"]
"BitTorrent" = ""C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run \ {++}
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"HPHUPD05" = "c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" ["Hewlett-Packard"]
"HPHmon05" = "C:\WINDOWS\System32\hphmon05.exe" ["Hewlett-Packard"]
"KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
"UpdateManager" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string]
"VTTimer" = "VTTimer.exe" [file not found]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"PS2" = "C:\WINDOWS\system32\ps2.exe" ["Hewlett-Packard Company"]
"Sunkist2k" = "C:\Program Files\Multimedia Card Reader\shwicon2k.exe" ["Alcor Micro, Corp."]
"Ink Monitor" = "C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe" ["BillP Studios"]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"Microsoft Works Update Detection" = "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"ViewMgr" = "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" ["Viewpoint Corporation"]
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"" [null data]
"SiteAdvisor" = "C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" ["McAfee, Inc."]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb 10.exe" ["HP"]
"HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
"AlcxMonitor" = "ALCXMNTR.EXE" ["Realtek Semiconductor Corp."]
"QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."]
"mcagent_exe" = "C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey" ["McAfee, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Companion BHO"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\companion\Installs\cpn\ycomp5_3_19_0. dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{089FD14D-132B-48FC-8861-0048AE113215}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\6172\SiteAdv.dll" ["McAfee, Inc."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}\(Default) = "scriptproxy"
-> {HKLM...CLSID} = "scriptproxy"
\InProcServer32\(Default) = "C:\Program Files\McAfee\VirusScan\scriptsn.dll" ["McAfee, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {HKLM...CLSID} = "RecordNow! SendToExt"
\InProcServer32\(Default) = "c:\Program Files\RecordNow!\shlext.dll" ["Sonic Solutions"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshell.dll" ["RealNetworks, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL" [file not found]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]
"{EB47FF00-225E-11D2-9E1D-00A0C9AB0EEE}" = "eLicense Control"
-> {HKLM...CLSID} = "eLicense Control"
\InProcServer32\(Default) = "C:\WINDOWS\lcmmfu.cpl" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
-> {HKLM...CLSID} = "KodakShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\KODAK\IFSCore\kodakshx.dll" ["Eastman Kodak Company"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\She llServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\System\CurrentControlSet\Control\SecurityProv iders\
<<!>> ("zwebauth.dll" [MS]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\Folder\shellex\ColumnHandler s\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandler s\
McCtxMenu\(Default) = "{01576F39-90DE-4D6E-A068-5B20C22BAAEE}"
-> {HKLM...CLSID} = "CtxMenu Class"
\InProcServer32\(Default) = "c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll" ["McAfee, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMen uHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHa ndlers\
Library\(Default) = "{54F51408-DD44-4a12-82EF-519AD2A80DE9}"
-> {HKLM...CLSID} = "Media Library Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\ATI Multimedia\mlibrary\MLShell.dll" ["ATI Technologies Inc."]
McCtxMenu\(Default) = "{01576F39-90DE-4D6E-A068-5B20C22BAAEE}"
-> {HKLM...CLSID} = "CtxMenu Class"
\InProcServer32\(Default) = "c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll" ["McAfee, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Pol icies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Loca l Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\SWIMMI~1.SCR" [file not found]


Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
<<!>> "PowerReg Scheduler V3.exe" ["Leader Technologies"]
"spamsubtract" -> shortcut to: "C:\Program Files\interMute\SpamSubtract\SpamSub.exe -q" ["interMute, Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Compaq Connections" -> shortcut to: "C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe -startup" [null data]
"EPSON Status Monitor 3 Environment Check 2" -> shortcut to: "C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV 02.EXE" ["SEIKO EPSON CORPORATION"]
"Event Reminder" -> shortcut to: "C:\Program Files\PrintMaster 16\pmremind.exe" ["Broderbund Properties LLC"]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
"Kodak EasyShare software" -> shortcut to: "C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe -h" ["Eastman Kodak Company"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Quicken Scheduled Updates" -> shortcut to: "C:\Program Files\Quicken\bagent.exe" ["Intuit Inc."]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"Check Updates for Windows Live Toolbar" -> launches: "C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE" [MS]
"McDefragTask" -> launches: "c:\program files\mcafee\mqc\QcConsol.exe "C:\WINDOWS\system32\defrag.exe" C: -f" ["McAfee, Inc."]
"McQcTask" -> launches: "c:\program files\mcafee\mqc\QcConsol.exe 14 0" ["McAfee, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
SpSubLSP.dll ["interMute, Inc."], 01 - 05, 11
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Companion"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\companion\Installs\cpn\ycomp5_3_19_0. dll" ["Yahoo! Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "Windows Live Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Companion"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\companion\Installs\cpn\ycomp5_3_19_0. dll" ["Yahoo! Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{0BF43445-2F28-4351-9252-17FE6E806AA0}" = "McAfee SiteAdvisor"
-> {HKLM...CLSID} = "McAfee SiteAdvisor"
\InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\6172\SiteAdv.dll" ["McAfee, Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_11"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_11"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll" ["Sun Microsystems, Inc."]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Adobe Active File Monitor, AdobeActiveFileMonitor, "C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe" [null data]
Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Inc."]
LicCtrl Service, LicCtrlService, "C:\WINDOWS\runservice.exe" [null data]
McAfee Network Agent, McNASvc, ""c:\program files\common files\mcafee\mna\mcnasvc.exe"" ["McAfee, Inc."]
McAfee Personal Firewall Service, MpfService, ""C:\Program Files\McAfee\MPF\MPFSrv.exe"" ["McAfee, Inc."]
McAfee Proxy Service, McProxy, "c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.e xe" ["McAfee, Inc."]
McAfee Real-time Scanner, McShield, "C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe" ["McAfee, Inc."]
McAfee Services, mcmscsvc, "C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe" ["McAfee, Inc."]
McAfee SystemGuards, McSysmon, "C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe" ["McAfee, Inc."]
Photoshop Elements Device Connect, PhotoshopElementsDeviceConnect, "C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe" [null data]
SiteAdvisor Service, SiteAdvisor Service, "C:\Program Files\SiteAdvisor\6172\SAService.exe" ["McAfee, Inc."]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\system32\MsPMSPSv.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monito rs\
EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]
EPSON V6 2KMonitor\Driver = "EBPMON24.DLL" ["SEIKO EPSON CORPORATION"]
hpzsnt10\Driver = "hpzsnt10.dll" ["HP"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
Xerox DocuPrint P8 Language Monitor\Driver = "ZLMSJXW.DLL" ["Zenographics, Inc."]


---------- (launch time: 2007-11-22 10:53:06)
Reply With Quote
  #6  
Old November 22nd, 2007, 08:26 PM
Morfeasss Morfeasss is offline
CTH Subscriber
  
Join Date: Feb 2006
O/S: Windows XP Home
Location: Greece
Posts: 5,140
Very good,

Download

Combofix.exe and save it to your desktop.

Double click combofix.exe & follow the prompts. A window will open with a warning. Type "1" (and Enter) to start the fix.
When the scan completes it will open a text window. Please copy/paste that log back here together with a new HijackThis log.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Please post back the Combofix report along with a fresh HijackThis log.
Reply With Quote
  #7  
Old November 22nd, 2007, 09:26 PM
khmoles khmoles is offline
New Member
  
Join Date: Nov 2007
Posts: 23
Hijack file
Here are the requested files:

Logfile of HijackThis v1.99.1
Scan saved at 12:23:59 PM, on 11/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\runservice.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb1 0.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\companion\Installs\cpn\ycomp5_3_19_0. dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn\ycomp5_3_19_0. dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb1 0.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV0 2.EXE
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} (VatCtrl Class) - http://www.bajabettyssd.com/webcam/VatDec.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) -
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/...lMgr_v01_4.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/down.../OTOYAX29b.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.25.14/ttinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../Installer.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
Reply With Quote
  #8  
Old November 22nd, 2007, 09:28 PM
khmoles khmoles is offline
New Member
  
Join Date: Nov 2007
Posts: 23
combofix file part 1
ComboFix 07-11-19.3 - Owner 2007-11-22 12:05:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.143 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Alex\Desktop\Error Cleaner.url
C:\Documents and Settings\Alex\Desktop\Privacy Protector.url
C:\Documents and Settings\Alex\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Alex\Favorites\Error Cleaner.url
C:\Documents and Settings\Alex\Favorites\Privacy Protector.url
C:\Documents and Settings\Alex\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\All Users\Application Data.\Starware316
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\FindIt.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\FindItHot.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\findithotxp.png
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\finditxp.png
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\Highlight.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\HighlightHot.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\highlighthotxp.png
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\highlightxp.png
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\logo.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\logoxp.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\Reference.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\ReferenceHot.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\referencehotxp.png
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\referencexp.png
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\screensaver.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\Screensavers0.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\Weather.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\weatherhotxp.png
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\weatherxp.png
C:\Documents and Settings\All Users\Application Data.\Starware316\contexts\error.xml
C:\Documents and Settings\All Users\Application Data.\Starware316\contexts\related.xml
C:\Documents and Settings\All Users\Application Data.\Starware316\contexts\travel.xml
C:\Documents and Settings\All Users\Application Data.\Starware316\Games\images\active\Games0.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\images\walertXP.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\Movies\images\active\Movies0.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\ScreensaversMarketingSitePager\i mages\active\ScreensaversMarketingSitePager0.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\SimpleUpdate\ProductMessagingCon fig.xml
C:\Documents and Settings\All Users\Application Data.\Starware316\SimpleUpdate\ProductMessagingCon fig.xml.backup
C:\Documents and Settings\All Users\Application Data.\Starware316\SimpleUpdate\SimpleUpdateConfig. xml
C:\Documents and Settings\All Users\Application Data.\Starware316\SimpleUpdate\SimpleUpdateConfig. xml.backup
C:\Documents and Settings\All Users\Application Data.\Starware316\SimpleUpdate\TimerManagerConfig. xml
C:\Documents and Settings\All Users\Application Data.\Starware316\SimpleUpdate\TimerManagerConfig. xml.backup
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\FindIt.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\FindItHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\findithotxp.png
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\finditxp.png
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\Highlight.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\HighlightHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\highlighthotxp.png
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\highlightxp.png
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\logo.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\logoxp.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\Reference.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\ReferenceHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\referencehotxp.png
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\referencexp.png
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\screensaver.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\Screensavers0.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\Weather.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\weatherhotxp.png
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\weatherxp.png
C:\Documents and Settings\All Users\Application Data\Starware316\contexts\error.xml
C:\Documents and Settings\All Users\Application Data\Starware316\contexts\related.xml
C:\Documents and Settings\All Users\Application Data\Starware316\contexts\travel.xml
C:\Documents and Settings\All Users\Application Data\Starware316\Games\images\active\Games0.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\images\walertXP.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\Movies\images\active\Movies0.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\ScreensaversMarketingSitePager\im ages\active\ScreensaversMarketingSitePager0.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\SimpleUpdate\ProductMessagingConf ig.xml
C:\Documents and Settings\All Users\Application Data\Starware316\SimpleUpdate\ProductMessagingConf ig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware316\SimpleUpdate\SimpleUpdateConfig.x ml
C:\Documents and Settings\All Users\Application Data\Starware316\SimpleUpdate\SimpleUpdateConfig.x ml.backup
C:\Documents and Settings\All Users\Application Data\Starware316\SimpleUpdate\TimerManagerConfig.x ml
C:\Documents and Settings\All Users\Application Data\Starware316\SimpleUpdate\TimerManagerConfig.x ml.backup
C:\Program Files\screensavers.com
C:\Program Files\screensavers.com\ActiveDesktop\bin\ActiveDes ktopExe.exe
C:\Program Files\screensavers.com\SSSInstaller\bin\SSSInstall er.dll
C:\Program Files\screensavers.com\SSSUninst.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-10-22 to 2007-11-22 )))))))))))))))))))))))))))))))
.

2007-11-25 23:20 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\McAfee
2007-11-24 20:35 626,960 -ra------ C:\WINDOWS\system32\hpvaut32.dll
2007-11-24 20:35 487,424 -ra------ C:\WINDOWS\system32\hpvcp70.dll
2007-11-24 20:35 344,064 -ra------ C:\WINDOWS\system32\hpvcr70.dll
2007-11-24 19:50 <DIR> d-------- C:\Temp\FixEngine
2007-11-22 10:06 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-19 08:28 <DIR> d-------- C:\d3temp
2007-11-15 17:45 <DIR> d-------- C:\Program Files\Gold Miner Vegas
2007-11-15 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Softdisk LLC
2007-11-12 16:33 <DIR> d-------- C:\Program Files\iTunes
2007-11-12 16:33 <DIR> d-------- C:\Program Files\iPod
2007-11-12 16:30 <DIR> d-------- C:\Program Files\QuickTime
2007-11-12 16:28 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-12 16:27 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-11-12 16:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-12 16:27 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-11-12 16:16 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-11-12 16:16 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-11-12 16:16 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-10-26 17:37 2 --a------ C:\WINDOWS\system32\RICHTX.DEP
2007-10-26 17:36 <DIR> d-------- C:\Program Files\MP3 WAV Converter
2007-10-26 10:21 <DIR> d-------- C:\Program Files\Netflix
2007-10-25 07:46 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-10-25 07:42 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-10-24 17:38 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-10-24 07:07 <DIR> d--hs---- C:\USMT.TMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2007-11-26 06:18 --------- d-----w C:\Program Files\HP
2007-11-26 06:18 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-22 08:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-11-19 16:02 --------- d-----w C:\Documents and Settings\Guest\Application Data\SiteAdvisor
2007-11-19 07:34 --------- d-----w C:\Program Files\Shockwave.com
2007-11-19 07:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-19 07:32 --------- d-----w C:\Program Files\Yahoo! Games
2007-11-19 07:28 --------- d-----w C:\Program Files\MSN Games
2007-11-19 07:28 --------- d-----w C:\Program Files\iWin
2007-11-19 07:26 --------- d-----w C:\Program Files\BitTorrent
2007-11-19 07:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-11-17 18:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2007-11-16 02:19 --------- d-----w C:\Program Files\McAfee
2007-11-14 21:33 --------- d-----w C:\Program Files\Common Files\McAfee
2007-11-13 01:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2007-10-28 10:14 --------- d-----w C:\Program Files\MSN Messenger
2007-10-18 16:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent
2007-10-10 05:35 --------- d-----w C:\Program Files\FlashGet
2007-10-09 23:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\Move Networks
2007-10-08 22:46 --------- d-----w C:\Program Files\Google
2007-10-08 02:09 --------- d-----w C:\Program Files\Disney
2007-09-30 01:01 --------- d-----w C:\Program Files\Microsoft Games
2007-08-15 05:07 92,064 ----a-w C:\Documents and Settings\Owner\mqdmmdm.sys
2007-08-15 05:07 9,232 ----a-w C:\Documents and Settings\Owner\mqdmmdfl.sys
2007-08-15 05:07 79,328 ----a-w C:\Documents and Settings\Owner\mqdmserd.sys
2007-08-15 05:07 66,656 ----a-w C:\Documents and Settings\Owner\mqdmbus.sys
2007-08-15 05:07 6,208 ----a-w C:\Documents and Settings\Owner\mqdmcmnt.sys
2007-08-15 05:07 5,936 ----a-w C:\Documents and Settings\Owner\mqdmwhnt.sys
2007-08-15 05:07 4,048 ----a-w C:\Documents and Settings\Owner\mqdmcr.sys
2007-08-15 05:07 25,600 ----a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2007-08-15 05:07 22,768 ----a-w C:\Documents and Settings\Owner\usbsermpt.sys
2005-01-12 17:58 1,568 ----a-w C:\Documents and Settings\Owner\Application Data\mpauth.dat
2004-09-29 20:59 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2005-02-05 00:27 985 --sha-w C:\WINDOWS\system32\mmf(10)(2)(2).sys
2005-01-21 19:21 985 --sha-w C:\WINDOWS\system32\mmf(10)(3).sys
2005-01-21 18:59 985 --sha-w C:\WINDOWS\system32\mmf(11)(2).sys
2005-09-26 01:35 985 --sha-w C:\WINDOWS\system32\mmf(11)(3).sys
2005-01-19 21:40 985 --sha-w C:\WINDOWS\system32\mmf(12)(2).sys
2005-01-19 02:49 985 --sha-w C:\WINDOWS\system32\mmf(13)(2).sys
2005-01-15 05:18 985 --sha-w C:\WINDOWS\system32\mmf(14)(2).sys
2005-01-15 05:13 985 --sha-w C:\WINDOWS\system32\mmf(15)(2).sys
2005-01-12 19:11 985 --sha-w C:\WINDOWS\system32\mmf(16)(2).sys
2005-01-07 23:48 985 --sha-w C:\WINDOWS\system32\mmf(17)(2).sys
2005-01-06 18:17 985 --sha-w C:\WINDOWS\system32\mmf(18)(2).sys
2005-01-21 19:21 985 --sha-w C:\WINDOWS\system32\mmf(19)(2).sys
2004-12-29 00:00 985 --sha-w C:\WINDOWS\system32\mmf(2)(2)(2).sys
2005-04-25 03:33 985 --sha-w C:\WINDOWS\system32\mmf(2)(2).sys
2004-12-15 17:05 985 --sha-w C:\WINDOWS\system32\mmf(2)(3).sys
2005-02-07 03:04 985 --sha-w C:\WINDOWS\system32\mmf(2)(4).sys
2005-07-28 17:59 985 --sha-w C:\WINDOWS\system32\mmf(2).sys
2004-12-27 23:52 985 --sha-w C:\WINDOWS\system32\mmf(22)(2).sys
2004-12-26 21:48 985 --sha-w C:\WINDOWS\system32\mmf(23)(2).sys
2004-12-26 21:33 985 --sha-w C:\WINDOWS\system32\mmf(24)(2).sys
2004-12-26 03:54 985 --sha-w C:\WINDOWS\system32\mmf(25)(2).sys
2004-12-24 22:36 985 --sha-w C:\WINDOWS\system32\mmf(26)(2).sys
2004-12-24 11:07 985 --sha-w C:\WINDOWS\system32\mmf(27)(2).sys
2004-12-21 13:35 985 --sha-w C:\WINDOWS\system32\mmf(28)(2).sys
2004-12-18 21:53 985 --sha-w C:\WINDOWS\system32\mmf(29)(2).sys
2005-12-14 17:44 985 --sha-w C:\WINDOWS\system32\mmf(3)(10).sys
2004-12-30 00:02 985 --sha-w C:\WINDOWS\system32\mmf(3)(2)(2).sys
2005-04-25 03:27 985 --sha-w C:\WINDOWS\system32\mmf(3)(2).sys
2005-02-05 15:05 985 --sha-w C:\WINDOWS\system32\mmf(3)(3).sys
2005-09-09 21:18 985 --sha-w C:\WINDOWS\system32\mmf(3)(4).sys
2005-09-28 02:08 985 --sha-w C:\WINDOWS\system32\mmf(3)(5).sys
2005-09-26 01:20 985 --sha-w C:\WINDOWS\system32\mmf(3)(6).sys
2005-09-28 15:14 985 --sha-w C:\WINDOWS\system32\mmf(3)(7).sys
2005-09-22 14:30 985 --sha-w C:\WINDOWS\system32\mmf(3)(8).sys
2005-11-30 19:08 985 --sha-w C:\WINDOWS\system32\mmf(3)(9).sys
2004-12-16 11:07 985 --sha-w C:\WINDOWS\system32\mmf(31)(2).sys
2005-02-05 00:19 985 --sha-w C:\WINDOWS\system32\mmf(32)(2).sys
2005-02-01 21:51 985 --sha-w C:\WINDOWS\system32\mmf(33)(2).sys
2005-01-30 01:42 985 --sha-w C:\WINDOWS\system32\mmf(34)(2).sys
2005-01-25 16:31 985 --sha-w C:\WINDOWS\system32\mmf(35)(2).sys
2005-01-22 15:56 985 --sha-w C:\WINDOWS\system32\mmf(36)(2).sys
2005-04-24 14:39 985 --sha-w C:\WINDOWS\system32\mmf(4)(2).sys
2005-02-05 00:27 985 --sha-w C:\WINDOWS\system32\mmf(4)(3).sys
2005-09-26 15:03 985 --sha-w C:\WINDOWS\system32\mmf(4)(4).sys
2005-09-26 01:20 985 --sha-w C:\WINDOWS\system32\mmf(4)(5).sys
2005-09-26 01:25 985 --sha-w C:\WINDOWS\system32\mmf(4)(6).sys
2005-12-06 07:46 985 --sha-w C:\WINDOWS\system32\mmf(4)(7).sys
2005-02-07 15:49 985 --sha-w C:\WINDOWS\system32\mmf(49)(2).sys
2005-04-18 10:09 985 --sha-w C:\WINDOWS\system32\mmf(5)(2).sys
2005-02-05 00:19 985 --sha-w C:\WINDOWS\system32\mmf(5)(3).sys
2005-09-26 01:25 985 --sha-w C:\WINDOWS\system32\mmf(5)(4).sys
2005-09-11 22:06 985 --sha-w C:\WINDOWS\system32\mmf(5)(5).sys
2005-09-16 17:21 985 --sha-w C:\WINDOWS\system32\mmf(5)(6).sys
2005-04-18 00:57 985 --sha-w C:\WINDOWS\system32\mmf(6)(2).sys
2005-02-01 21:51 985 --sha-w C:\WINDOWS\system32\mmf(6)(3).sys
2005-09-13 19:00 985 --sha-w C:\WINDOWS\system32\mmf(6)(4).sys
2005-09-11 22:06 985 --sha-w C:\WINDOWS\system32\mmf(6)(5).sys
2005-03-04 16:23 985 --sha-w C:\WINDOWS\system32\mmf(7)(2).sys
2005-01-30 01:42 985 --sha-w C:\WINDOWS\system32\mmf(7)(3).sys
2005-01-25 16:31 985 --sha-w C:\WINDOWS\system32\mmf(8)(3).sys
2005-01-22 15:56 985 --sha-w C:\WINDOWS\system32\mmf(9)(3).sys
.
Reply With Quote
  #9  
Old November 22nd, 2007, 09:29 PM
khmoles khmoles is offline
New Member
  
Join Date: Nov 2007
Posts: 23
Combofix part 2
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"RecordNow!"="" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2003-09-02 05:46]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\ms sysmgr.exe" [2004-05-12 12:04]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 06:51]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 03:23]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-21 03:15]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 19:02]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 08:01]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2003-11-03 16:50]
"VTTimer"="VTTimer.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 19:13]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-10-29 10:17]
"Ink Monitor"="C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe" [2002-05-29 00:23]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 20:10]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-25 04:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-12-05 11:29]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [2004-11-12 09:24]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 10:12]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2006-12-19 18:37]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86 \3\hpztsb10.exe" [2006-01-13 16:13]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2006-01-01 15:58:13]
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSub.exe [2004-01-27 02:26:18]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 00:12:18]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [2004-01-26 05:20:47]
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV0 2.EXE [2004-07-07 15:06:04]
Event Reminder.lnk - C:\Program Files\PrintMaster 16\pmremind.exe [2004-01-20 03:10:38]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 12:19:24]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 02:22:40]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 09:05:56]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-30 04:49:48]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\MCODS]
@=""

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe
R2 PARPEPPY;PARPEPPY;\??\C:\WINDOWS\System32\PARPEPPY .SYS
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S3 EPUSBSTOR;EPSON USB Storage Driver;C:\WINDOWS\system32\DRIVERS\epusbsto.sys
S3 ldiskl;ldiskl;\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\ ldiskl.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{vnfblhfj-iiwo-xjdh-vggg-mrqxmorypytw}]
C:\WINDOWS\system32\uknda.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-14 05:37:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-11-22 19:23:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-11-15 09:16:42 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-11-01 08:00:20 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
************************************************** ************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-22 12:16:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0
Reply With Quote
  #10  
Old November 23rd, 2007, 05:28 AM
Morfeasss Morfeasss is offline
CTH Subscriber
  
Join Date: Feb 2006
O/S: Windows XP Home
Location: Greece
Posts: 5,140
I'm not sure why, but it seems as eLicence Copy Protection has made multiple copies of a file. Nothing that would worry us as it isn't related to malware. I thought you would like to know.

Run HijackThis and place a checkmark next to the following items in bold, close all open windows and click Fix Checked:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - Startup: PowerReg Scheduler V3.exe

And close HijackThis.
~~~~~~~~~~~~~~~~~~~

Download

The Avenger from here to your Desktop and unzip it.

Copy all the text contained in the code box below by highlighting it and right clicking and selecting "Copy"

Code:
Drivers to unload:
ldiskl

Files to delete:
C:\WINDOWS\system32\uknda.exe

Folders to delete:
C:\Documents and Settings\Alex\Local Settings\Temp
C:\Documents and Settings\Owner\Local Settings\Temp

Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{vnfblhfj-iiwo-xjdh-vggg-mrqxmorypytw}
Now, start The Avenger program by clicking on its icon on your desktop. Look under "Script file to execute" and click on "Input Script Manually". Next click on the Magnifying Glass icon and a blank dialogue box will open called "View/Edit script". Position your mouse inside the box, rightclick and choose Paste. All the text above in the code box should now appear there. Click Done and click on the Green Light to begin execution of the script. Answer "Yes" twice when prompted.

The Avenger will restart your computer. (if the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)

When you have rebooted, a black command window briefly opens on your desktop, this is normal. A logfile will be created that records all actions that The Avenger performed. This log file is saved to C:\avenger.txt. The deleted files will be backed up and saved to C:\avenger\backup.zip.

Once your computer has rebooted, please post back the contents of C:\avenger.txt

Please post back a new Combofix report, a new HijackThis log and the avenger.txt.
Reply With Quote
  #11  
Old November 23rd, 2007, 06:27 AM
khmoles khmoles is offline
New Member
  
Join Date: Nov 2007
Posts: 23
avenger and Combofix request
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Service s\omjqmmnj

*******************

Script file located at: \??\C:\WINDOWS\cxfxgopn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver ldiskl unloaded successfully.


File C:\WINDOWS\system32\uknda.exe not found!
Deletion of file C:\WINDOWS\system32\uknda.exe failed!

Could not process line:
C:\WINDOWS\system32\uknda.exe
Status: 0xc0000034

Folder C:\Documents and Settings\Alex\Local Settings\Temp deleted successfully.
Folder C:\Documents and Settings\Owner\Local Settings\Temp deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{vnfblhfj-iiwo-xjdh-vggg-mrqxmorypytw} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

ComboFix 07-11-19.3 - Owner 2007-11-22 21:12:29.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.111 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
.

2007-11-25 23:20 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\McAfee
2007-11-24 20:35 626,960 -ra------ C:\WINDOWS\system32\hpvaut32.dll
2007-11-24 20:35 487,424 -ra------ C:\WINDOWS\system32\hpvcp70.dll
2007-11-24 20:35 344,064 -ra------ C:\WINDOWS\system32\hpvcr70.dll
2007-11-24 19:50 <DIR> d-------- C:\Temp\FixEngine
2007-11-22 10:06 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-19 08:28 <DIR> d-------- C:\d3temp
2007-11-15 17:45 <DIR> d-------- C:\Program Files\Gold Miner Vegas
2007-11-15 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Softdisk LLC
2007-11-12 16:33 <DIR> d-------- C:\Program Files\iTunes
2007-11-12 16:33 <DIR> d-------- C:\Program Files\iPod
2007-11-12 16:30 <DIR> d-------- C:\Program Files\QuickTime
2007-11-12 16:28 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-12 16:27 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-11-12 16:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-12 16:27 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-11-12 16:16 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-11-12 16:16 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-11-12 16:16 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-10-26 17:37 2 --a------ C:\WINDOWS\system32\RICHTX.DEP
2007-10-26 17:36 <DIR> d-------- C:\Program Files\MP3 WAV Converter
2007-10-26 10:21 <DIR> d-------- C:\Program Files\Netflix
2007-10-25 07:46 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-10-25 07:42 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-10-24 17:38 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-10-24 07:07 <DIR> d--hs---- C:\USMT.TMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2007-11-26 06:18 --------- d-----w C:\Program Files\HP
2007-11-26 06:18 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-22 08:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-11-19 16:02 --------- d-----w C:\Documents and Settings\Guest\Application Data\SiteAdvisor
2007-11-19 07:34 --------- d-----w C:\Program Files\Shockwave.com
2007-11-19 07:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-19 07:32 --------- d-----w C:\Program Files\Yahoo! Games
2007-11-19 07:28 --------- d-----w C:\Program Files\MSN Games
2007-11-19 07:28 --------- d-----w C:\Program Files\iWin
2007-11-19 07:26 --------- d-----w C:\Program Files\BitTorrent
2007-11-19 07:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-11-17 18:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2007-11-16 02:19 --------- d-----w C:\Program Files\McAfee
2007-11-14 21:33 --------- d-----w C:\Program Files\Common Files\McAfee
2007-11-13 01:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2007-10-28 10:14 --------- d-----w C:\Program Files\MSN Messenger
2007-10-18 16:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent
2007-10-10 05:35 --------- d-----w C:\Program Files\FlashGet
2007-10-09 23:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\Move Networks
2007-10-08 22:46 --------- d-----w C:\Program Files\Google
2007-10-08 02:09 --------- d-----w C:\Program Files\Disney
2007-09-30 01:01 --------- d-----w C:\Program Files\Microsoft Games
2007-08-15 05:07 92,064 ----a-w C:\Documents and Settings\Owner\mqdmmdm.sys
2007-08-15 05:07 9,232 ----a-w C:\Documents and Settings\Owner\mqdmmdfl.sys
2007-08-15 05:07 79,328 ----a-w C:\Documents and Settings\Owner\mqdmserd.sys
2007-08-15 05:07 66,656 ----a-w C:\Documents and Settings\Owner\mqdmbus.sys
2007-08-15 05:07 6,208 ----a-w C:\Documents and Settings\Owner\mqdmcmnt.sys
2007-08-15 05:07 5,936 ----a-w C:\Documents and Settings\Owner\mqdmwhnt.sys
2007-08-15 05:07 4,048 ----a-w C:\Documents and Settings\Owner\mqdmcr.sys
2007-08-15 05:07 25,600 ----a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2007-08-15 05:07 22,768 ----a-w C:\Documents and Settings\Owner\usbsermpt.sys
2005-01-12 17:58 1,568 ----a-w C:\Documents and Settings\Owner\Application Data\mpauth.dat
2004-09-29 20:59 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2005-02-05 00:27 985 --sha-w C:\WINDOWS\system32\mmf(10)(2)(2).sys
2005-01-21 19:21 985 --sha-w C:\WINDOWS\system32\mmf(10)(3).sys
2005-01-21 18:59 985 --sha-w C:\WINDOWS\system32\mmf(11)(2).sys
2005-09-26 01:35 985 --sha-w C:\WINDOWS\system32\mmf(11)(3).sys
2005-01-19 21:40 985 --sha-w C:\WINDOWS\system32\mmf(12)(2).sys
2005-01-19 02:49 985 --sha-w C:\WINDOWS\system32\mmf(13)(2).sys
2005-01-15 05:18 985 --sha-w C:\WINDOWS\system32\mmf(14)(2).sys
2005-01-15 05:13 985 --sha-w C:\WINDOWS\system32\mmf(15)(2).sys
2005-01-12 19:11 985 --sha-w C:\WINDOWS\system32\mmf(16)(2).sys
2005-01-07 23:48 985 --sha-w C:\WINDOWS\system32\mmf(17)(2).sys
2005-01-06 18:17 985 --sha-w C:\WINDOWS\system32\mmf(18)(2).sys
2005-01-21 19:21 985 --sha-w C:\WINDOWS\system32\mmf(19)(2).sys
2004-12-29 00:00 985 --sha-w C:\WINDOWS\system32\mmf(2)(2)(2).sys
2005-04-25 03:33 985 --sha-w C:\WINDOWS\system32\mmf(2)(2).sys
2004-12-15 17:05 985 --sha-w C:\WINDOWS\system32\mmf(2)(3).sys
2005-02-07 03:04 985 --sha-w C:\WINDOWS\system32\mmf(2)(4).sys
2005-07-28 17:59 985 --sha-w C:\WINDOWS\system32\mmf(2).sys
2004-12-27 23:52 985 --sha-w C:\WINDOWS\system32\mmf(22)(2).sys
2004-12-26 21:48 985 --sha-w C:\WINDOWS\system32\mmf(23)(2).sys
2004-12-26 21:33 985 --sha-w C:\WINDOWS\system32\mmf(24)(2).sys
2004-12-26 03:54 985 --sha-w C:\WINDOWS\system32\mmf(25)(2).sys
2004-12-24 22:36 985 --sha-w C:\WINDOWS\system32\mmf(26)(2).sys
2004-12-24 11:07 985 --sha-w C:\WINDOWS\system32\mmf(27)(2).sys
2004-12-21 13:35 985 --sha-w C:\WINDOWS\system32\mmf(28)(2).sys
2004-12-18 21:53 985 --sha-w C:\WINDOWS\system32\mmf(29)(2).sys
2005-12-14 17:44 985 --sha-w C:\WINDOWS\system32\mmf(3)(10).sys
2004-12-30 00:02 985 --sha-w C:\WINDOWS\system32\mmf(3)(2)(2).sys
2005-04-25 03:27 985 --sha-w C:\WINDOWS\system32\mmf(3)(2).sys
2005-02-05 15:05 985 --sha-w C:\WINDOWS\system32\mmf(3)(3).sys
2005-09-09 21:18 985 --sha-w C:\WINDOWS\system32\mmf(3)(4).sys
2005-09-28 02:08 985 --sha-w C:\WINDOWS\system32\mmf(3)(5).sys
2005-09-26 01:20 985 --sha-w C:\WINDOWS\system32\mmf(3)(6).sys
2005-09-28 15:14 985 --sha-w C:\WINDOWS\system32\mmf(3)(7).sys
2005-09-22 14:30 985 --sha-w C:\WINDOWS\system32\mmf(3)(8).sys
2005-11-30 19:08 985 --sha-w C:\WINDOWS\system32\mmf(3)(9).sys
2004-12-16 11:07 985 --sha-w C:\WINDOWS\system32\mmf(31)(2).sys
2005-02-05 00:19 985 --sha-w C:\WINDOWS\system32\mmf(32)(2).sys
2005-02-01 21:51 985 --sha-w C:\WINDOWS\system32\mmf(33)(2).sys
2005-01-30 01:42 985 --sha-w C:\WINDOWS\system32\mmf(34)(2).sys
2005-01-25 16:31 985 --sha-w C:\WINDOWS\system32\mmf(35)(2).sys
2005-01-22 15:56 985 --sha-w C:\WINDOWS\system32\mmf(36)(2).sys
2005-04-24 14:39 985 --sha-w C:\WINDOWS\system32\mmf(4)(2).sys
2005-02-05 00:27 985 --sha-w C:\WINDOWS\system32\mmf(4)(3).sys
2005-09-26 15:03 985 --sha-w C:\WINDOWS\system32\mmf(4)(4).sys
2005-09-26 01:20 985 --sha-w C:\WINDOWS\system32\mmf(4)(5).sys
2005-09-26 01:25 985 --sha-w C:\WINDOWS\system32\mmf(4)(6).sys
2005-12-06 07:46 985 --sha-w C:\WINDOWS\system32\mmf(4)(7).sys
2005-02-07 15:49 985 --sha-w C:\WINDOWS\system32\mmf(49)(2).sys
2005-04-18 10:09 985 --sha-w C:\WINDOWS\system32\mmf(5)(2).sys
2005-02-05 00:19 985 --sha-w C:\WINDOWS\system32\mmf(5)(3).sys
2005-09-26 01:25 985 --sha-w C:\WINDOWS\system32\mmf(5)(4).sys
2005-09-11 22:06 985 --sha-w C:\WINDOWS\system32\mmf(5)(5).sys
2005-09-16 17:21 985 --sha-w C:\WINDOWS\system32\mmf(5)(6).sys
2005-04-18 00:57 985 --sha-w C:\WINDOWS\system32\mmf(6)(2).sys
2005-02-01 21:51 985 --sha-w C:\WINDOWS\system32\mmf(6)(3).sys
2005-09-13 19:00 985 --sha-w C:\WINDOWS\system32\mmf(6)(4).sys
2005-09-11 22:06 985 --sha-w C:\WINDOWS\system32\mmf(6)(5).sys
2005-03-04 16:23 985 --sha-w C:\WINDOWS\system32\mmf(7)(2).sys
2005-01-30 01:42 985 --sha-w C:\WINDOWS\system32\mmf(7)(3).sys
2005-01-25 16:31 985 --sha-w C:\WINDOWS\system32\mmf(8)(3).sys
2005-01-22 15:56 985 --sha-w C:\WINDOWS\system32\mmf(9)(3).sys
.

((((((((((((((((((((((((((((( snapshot@2007-11-22_12.20.40.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-22 17:52:55 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\i ndex.dat
+ 2007-11-23 02:52:43 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\i ndex.dat
- 2007-11-22 17:52:55 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-23 02:52:43 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-11-22 17:52:55 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-23 02:52:43 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"RecordNow!"="" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2003-09-02 05:46]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\ms sysmgr.exe" [2004-05-12 12:04]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 06:51]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 03:23]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-21 03:15]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 19:02]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 08:01]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2003-11-03 16:50]
"VTTimer"="VTTimer.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 19:13]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-10-29 10:17]
"Ink Monitor"="C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe" [2002-05-29 00:23]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 20:10]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-25 04:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-12-05 11:29]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [2004-11-12 09:24]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 10:12]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2006-12-19 18:37]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86 \3\hpztsb10.exe" [2006-01-13 16:13]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 00:12:18]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [2004-01-26 05:20:47]
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV0 2.EXE [2004-07-07 15:06:04]
Event Reminder.lnk - C:\Program Files\PrintMaster 16\pmremind.exe [2004-01-20 03:10:38]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 12:19:24]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 02:22:40]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 09:05:56]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-30 04:49:48]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\MCODS]
@=""

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe
R2 PARPEPPY;PARPEPPY;\??\C:\WINDOWS\System32\PARPEPPY .SYS
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
S3 EPUSBSTOR;EPSON USB Storage Driver;C:\WINDOWS\system32\DRIVERS\epusbsto.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-11-14 05:37:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-11-23 05:23:03 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-11-15 09:16:42 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-11-01 08:00:20 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
************************************************** ************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-22 21:21:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

************************************************** ************************
.
Completion time: 2007-11-22 21:24:14
C:\ComboFix2.txt ... 2007-11-22 12:22
.
--- E O F ---
Reply With Quote
  #12  
Old November 23rd, 2007, 06:28 AM
khmoles khmoles is offline
New Member
  
Join Date: Nov 2007
Posts: 23
new Hijackthis file
Logfile of HijackThis v1.99.1
Scan saved at 9:26:24 PM, on 11/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\runservice.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb1 0.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\companion\Installs\cpn\ycomp5_3_19_0. dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn\ycomp5_3_19_0. dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb1 0.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV0 2.EXE
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} (VatCtrl Class) - http://www.bajabettyssd.com/webcam/VatDec.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) -
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/...lMgr_v01_4.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/down.../OTOYAX29b.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.25.14/ttinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../Installer.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
Reply With Quote
  #13  
Old November 23rd, 2007, 06:41 AM
Morfeasss Morfeasss is offline
CTH Subscriber
  
Join Date: Feb 2006
O/S: Windows XP Home
Location: Greece
Posts: 5,140
Very good,

Let's go for an online scan now.

Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

To use the scan, once the download has completed click Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click My Computer to begin the scan. Save the Report as a text file and post that back here.

Also let me know how your system is running now please.
Reply With Quote
  #14  
Old November 23rd, 2007, 01:19 PM
khmoles khmoles is offline
New Member
  
Join Date: Nov 2007
Posts: 23
Kaspersky
MY computer seems fine, But Mcafee said there is a pup virus and deleted it while I was in bed and KASPERSKY was running.

KASPERSKY ONLINE SCANNER REPORT
Friday, November 23, 2007 4:15:09 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/11/2007
Kaspersky Anti-Virus database records: 464383


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan Statistics
Total number of scanned objects 238263
Number of viruses found 18
Number of infected objects 49
Number of suspicious objects 0
Duration of the scan process 05:11:21

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\logout.edb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{041985FA-60B3-409B-8F4C-510A064BC45E}.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{A6F0ED50-D7E9-4D46-991B-0CCEDFB1A356}.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{DE4D068E-84AC-4ACE-9B32-1242DF61AA65}.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR4.tmp Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnt e-dhncgts.jar-5224d438-1370c0da.zip/BnnnnBaa.class Infected: Trojan.Java.ClassLoader.as skipped

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnt e-dhncgts.jar-5224d438-1370c0da.zip/VaannnaaBaa.class Infected: Trojan.Java.ClassLoader.as skipped

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnt e-dhncgts.jar-5224d438-1370c0da.zip/Bnnnnn.class Infected: Trojan.Java.ClassLoader.as skipped

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnt e-dhncgts.jar-5224d438-1370c0da.zip ZIP: infected - 3 skipped

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\log\plugin150_11.trace Object is locked skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007112220071 123\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\hsperfdata_Owner\2632 Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_644.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_dd0.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_f08.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\My Documents\GoldMinerSetup-dm.exe Infected: not-a-virus:AdWare.Win32.Trymedia.a skipped

C:\Documents and Settings\Owner\My Documents\My Deliveries\sinstaller3.exe/data0002 Infected: not-a-virus:AdWare.Win32.Comet.bl skipped

C:\Documents and Settings\Owner\My Documents\My Deliveries\sinstaller3.exe NSIS: infected - 1 skipped

C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped

C:\qoobox\Quarantine\C\Program Files\Screensavers.com\SSSInstaller\bin\SSSInstall er.dll.vir Infected: not-a-virus:AdWare.Win32.Comet.bl skipped

C:\SDFix\apps\Process.exe Object is locked skipped

C:\SDFix\backups\backups.zip/backups/RichVideoCodec.ocx Infected: Trojan.Win32.Agent.cuh skipped

C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075671.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075672.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075673.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075689.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075690.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075691.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075693.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075694.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075695.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075696.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075697.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075698.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075699.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075700.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075701.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075702.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075703.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075705.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075706.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075708.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075710.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075711.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075712.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075714.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075715.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075716.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075717.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075730.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075731.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075732.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075733.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075734.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075735.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075736.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075737.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP270\A0075752.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP292\A0081940.ocx Infected: Trojan.Win32.Agent.cuh skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP292\A0081948.ocx Infected: Trojan.Win32.Agent.cuh skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP293\A0081994.dll Infected: not-a-virus:AdWare.Win32.Comet.bl skipped

C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP293\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.lo g Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\mmf.sys Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MA P Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MA P Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\mcafee_AAEZTw0yCIYKpKn Object is locked skipped

C:\WINDOWS\Temp\mcafee_VHowHNmbz6HqReQ Object is locked skipped

C:\WINDOWS\Temp\mcmsc_dQc2wWw1YL15sVW Object is locked skipped

C:\WINDOWS\Temp\mcmsc_e2uWvnSJCzZZU1j Object is locked skipped

C:\WINDOWS\Temp\mcmsc_fasEQtP2W8Fdegh Object is locked skipped

C:\WINDOWS\Temp\mcmsc_mvKVYZi1TOLYr6v Object is locked skipped

C:\WINDOWS\Temp\mcmsc_yzqWKCsyhKZOgJb Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP293\change.log Object is locked skipped

Scan process completed.
Reply With Quote
  #15  
Old November 24th, 2007, 12:02 AM
Morfeasss Morfeasss is offline
CTH Subscriber
  
Join Date: Feb 2006
O/S: Windows XP Home
Location: Greece
Posts: 5,140
If McAfee quarantined or deleted the item it located then it is alright.

No active infection, just some files to be removed. Make sure you can View Hidden Files and Folders and navigate and delete the following files:

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnt e-dhncgts.jar-5224d438-1370c0da.zip
C:\Documents and Settings\Owner\My Documents\GoldMinerSetup-dm.exe
C:\Documents and Settings\Owner\My Documents\My Deliveries\sinstaller3.exe

Navigate and delete the following folders:

C:\qoobox
C:\SDFix
C:\Avenger
~~~~~~~~~~~~~~~~

This is for just some research purpose, if you don't mind to staying with me for a while.

Go here and download, unzip and run the Registry Search Tool. Type vnfblhfj-iiwo-xjdh-vggg-mrqxmorypytw in the dialog box. Let it run and after a few minutes, a prompt will appear. Click OK to write the results to Notepad and post them.

Do the same for the following please:

uknda.exe

Please post back both results from the Registry Search Tool.
Reply With Quote
Reply
Page 1 of 2 1 2

Bookmarks

« Previous Topic | Next Topic »
Topic Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Topics
Topic Topic Starter Forum Replies Last Post
I think I've been Hi-Jacked :( lafrederick Malware Removal 5 June 8th, 2005 09:44 AM
Getting Hi Jacked 1202sam Malware Removal 6 April 16th, 2005 02:04 AM
Win XP = Win 3.1 Jacked? Sinister-wolf Windows XP 2 April 3rd, 2005 10:33 PM
Got Jacked? pcpaintedlyons Malware Removal 2 April 2nd, 2005 05:30 PM
Don't get car-jacked Spider Open Discussion 11 June 11th, 2004 03:45 AM


All times are GMT +1. The time now is 12:28 PM.