Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Virus

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Virus

Unread postby gruetten » July 12th, 2007, 11:53 pm

I believe I have a virus that has attacked my computer... this pop-up appears every time I open or Send/Recv in my outlook express

Message number 2 could not be retrieved. Account: 'pop.west.cox.net', Server: 'pop.west.cox.net', Protocol: POP3, Server Response: '.', Port: 110, Secure(SSL): No, Server Error: 0x800CCC90, Error Number: 0x800420CD

the same emails populate my inbox everytime. if i dont clear them out, in a few days i will have thousands of the same emails + any new emails that come in.

the computer runs pretty good (speed wise), but just today I looked at the used space on my C: drive and found it to be about 75% used; normally only about 20% used.

I am running XP version 2002 SP2 w/ CA security suite 2007

The above was yesterday 11 Jul 07
after posting the above for the first time, I went into my email through webmail and deleted an email that was popping up everytime from when the problem began. Once I did that my email has been working fine...

I got an email from MWR that advised me to follow the instructions for HJT posting, so here I am trying again. My computer is still adding used something to my used space to my C: drive; slowly.

here is the Hijack file (was not sure how to attach a file, so I just pasted)
Logfile of HijackThis v1.99.1
Scan saved at 8:34:30 PM, on 7/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
C:\WINDOWS\system32\ntvdm.exe
C:\OPLIMIT\ocrawr32.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\qoeapp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/ ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.azcentral.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [CaPPcl] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe /scan
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\QOELoader.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: palmOne Registration.lnk = C:\Palm\register.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... urrent.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1452/ ... brkpie.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/ ... Client.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

Thanks for any help,
Greg
gruetten
Active Member
 
Posts: 8
Joined: July 11th, 2007, 1:08 pm
Advertisement
Register to Remove

Unread postby beynac » July 15th, 2007, 5:24 am

Welcome to MalWare Removal! I'm looking through your log now, and will post back very shortly.
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby beynac » July 15th, 2007, 8:52 am

The good news is that there is no sign of malware in your HijackThis log. :) There is, however, one line which is suspicious and another which it would be advisable to remove. I think that it would be best to stop the suspicious file from running at startup until we have checked it out.

Run HijackThis and click Scan and then check (tick) the following:

O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1452/ ... brkpie.cab


Close down all programs, browsers and other open windows. Make sure that only the above items are checked and then click on Fix checked.

This file is normally in the C:\Program Files\Microsoft Works\ folder. Do you have Microsoft Works installed? If so, is it installed in the default location?

Please click on Start then Search. Click on All files and folders and then copy/paste WkDetect.exe into the All or part of the file name: box. Click on More advanced options and make sure that Search system folders and Search hidden files and folders are both ticked. Click the Search button. Make a note of the location of any files found. Please let me know the results.

---------------------------------------------------------

Once I did that my email has been working fine...

I take this to mean that you are no longer receiving the same emails every day. I suggest that you delete any unwanted messages in Outlook Express and then empty your Deleted folder. Once you have done this, click on the File menu, select Folders and the click Compact All Folders.

----------------------------------------------------------

ATF Cleaner by Atribune ©

Download ATF Cleaner by Atribune © from here : http://www.atribune.org/ccount/click.php?id=1
This is a stand-alone program that does not need to be installed. Save it to a convenient location and make a shortcut on your desktop. Using this program will remove temporary files, temporary internet files and cookies from your system, which will mean that any scans will run faster.
  • Make sure that all browser windows are closed
  • Double-click the shortcut on your desktop to run the program.
  • Under Main, choose Select All
  • Untick Prefetch
  • Click Empty Selected
  • If you use Firefox browser,
    • Click Firefox at the top and choose Select All
    • Click on Empty Selected
    • NOTE: If you would like to keep any saved passwords, please untick that option.
  • Click Exit to close.
  • If you use Opera browser,
    • Click Opera at the top and choose Select All
    • Click on Empty Selected
    • NOTE: If you would like to keep any saved passwords, please untick that option.
  • Click Exit to close.
-------------------------------------------------------

AVG Anti-Spyware:

Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open. Do not run a scan yet.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful.
You will need to change the following settings:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Do not automatically generate reports.
    • Under What to scan? - Select Scan every file.
You can now close AVG Anti-Spyware. Do not scan yet.

---------------------------------------------------

Boot to Safe Mode.

You will need to reboot your computer into Safe Mode for the next steps. It would be a good idea for you to print these instructions, as you will not have access to the internet.

Important: If you have an always on connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode. I suggest that you print out these instructions.
  • Restart your computer.
  • Continually tap the F8 button as your computer is booting (a menu appears).
  • Use up-arrow key to select Safe Mode and press Enter.
------------------------------------------------

Run AVG Anti-Spyware:

Close all open windows and then start AVG Anti-Spyware, which you downloaded earlier
  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button (*** This must done before saving the report ***)
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
-----------------------------------------------------------------

Reboot in Normal Mode.

--------------------------------------------------------------

Please post, as a reply to this thread:
  • The AVG Anti-Spyware report
  • A new HijackThis log
  • The result of your search for WkDetect.exe
Please let me know the size of your hard disk and the amount of used space. Have you been able to identify where the space is being taken up?
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby gruetten » July 18th, 2007, 6:26 pm

Beynac,

I apologize for not getting back to you sooner; down and out for a few days.

AVG report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:42:32 PM 7/16/2007

+ Scan result:



C:\Program Files\HijackThis\backups\backup-20070716-190733-432.dll -> Adware.Coupons : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1136\A0105317.ocx -> Adware.Coupons : Cleaned with backup (quarantined).
HKU\S-1-5-21-3138268060-1983019619-1072751822-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).


::Report end


HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 2:57:20 PM, on 7/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\QOELoader.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
C:\WINDOWS\system32\ntvdm.exe
C:\OPLIMIT\ocrawr32.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\qoeapp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/ ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.azcentral.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\QOELoader.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: palmOne Registration.lnk = C:\Palm\register.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... urrent.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/ ... Client.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

searched for WkDetect.exe with no results.

the C: drive has 38.2GB cap and 30.3GB used
I searched for any file over 100MB and found nothing I thought suspicious.

I have the full CA security suite and run a virus and antispyware scan every night, why didn't it find the two adwares?

Is CA a good product?

Thanks,
Greg
gruetten
Active Member
 
Posts: 8
Joined: July 11th, 2007, 1:08 pm

Unread postby beynac » July 19th, 2007, 4:25 am

Good morning.

searched for WkDetect.exe with no results.

I note that 'fixing' the line in HijackThis didn't work. I think that we need to look a bit deeper into this.

-------------------------------------------------

the C: drive has 38.2GB cap and 30.3GB used
I searched for any file over 100MB and found nothing I thought suspicious.

Do you have a lot of music, pictures and/or videos on the computer? These can take up a lot of space. I suggest that you download WinDirStat from here.
  • Install the program and then open it.
  • Click Cancel on the message box which pops up.
  • Click on the Options menu
  • Untick Show Treemap
  • Tick Show Unknown
  • Click on the File and select Open...
  • Select Individual Drives and make sure that your C drive is selected.
  • Click OK
The program will scan and build up a picture of the drive. You can use it like Windows Explorer and look at the folders which are taking the most space. This should tell you where the space is being used. Please let me know what you find. We can then get a report on anything suspicious. Do not use the Clean Up function.

------------------------------------------------

I have the full CA security suite and run a virus and antispyware scan every night, why didn't it find the two adwares?

Is CA a good product?

I do not have any personal experience with CA Internet Security but it has a good reputation. All anti-malware programs can miss things. This is why we always try to run scans with more than one. I suggest that you run a regular scan (say weekly) with AVG Anti-Spyware in addition to scanning with CA. Make sure that you always update the program before running a scan. There is no need to run CA scans every day. I run all my scans once a week.

------------------------------------------------

ComboFix by sUBs
  • Download this file - ComboFix.exe
  • Close all open windows.
  • Double click ComboFix.exe and follow the prompts.
  • When finished, it will produce a log for you. Please post that log in your next reply
Important: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall

If necessary, please split the log into separate posts to ensure that they don't get cut off. It is important that I see the full log.

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

----------------------------------------------

Please run another HijackThis scan and post the following, as a reply to this thread:
  • The ComboFix log
  • A new HijackThis log
  • The results of your investigations using WinDirStat
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby gruetten » July 19th, 2007, 9:37 pm

beynac,

I removed all of the photos before my last post. the cap was 32+GB.

Combofix report:

"Ruetten" - 2007-07-19 17:51:18 - ComboFix 07-07-14.6 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-20 to 2007-07-20 )))))))))))))))))))))))))))))))


2007-07-19 17:49 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-19 17:22 <DIR> d--h----- C:\WINDOWS\PIF
2007-07-19 17:16 <DIR> d-------- C:\Program Files\WinDirStat
2007-07-18 14:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-07-16 21:45 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GCR\APPLIC~1\Share-to-Web Upload Folder
2007-07-16 20:09 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1.GCR\NTUSER.DAT
2007-07-16 20:09 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GCR\APPLIC~1\Sonic
2007-07-16 20:09 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GCR\APPLIC~1\Real
2007-07-16 20:09 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GCR\APPLIC~1\Jasc Software Inc
2007-07-16 19:59 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-07-05 00:43 630,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetefile.sys
2007-07-05 00:43 108,392 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\veteboot.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-18 21:46:15 -------- d-----w C:\Program Files\Google
2007-07-18 21:23:46 78,978 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2007-07-18 21:23:46 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2007-07-18 21:23:46 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2007-07-18 21:23:46 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2007-07-18 21:23:46 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2007-07-18 21:23:46 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2007-07-18 21:23:46 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2007-07-18 21:23:46 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2007-07-17 04:53:08 -------- d-----w C:\Program Files\Common Files\Real
2007-07-17 04:53:07 -------- d-----w C:\Program Files\Real
2007-07-17 04:52:16 -------- d-----w C:\DOCUME~1\Ruetten\APPLIC~1\Real
2007-06-28 02:55:03 -------- d-----w C:\Program Files\EasyKeys
2007-06-25 04:05:56 -------- d-----w C:\Program Files\Microsoft Picture It! PhotoPub
2007-06-20 14:22:18 299 ----a-w C:\WINDOWS\EReg077.dat
2007-05-31 20:43:36 92,432 ----a-w C:\WINDOWS\system32\drivers\KmxStart.sys
2007-05-31 20:43:36 126,224 ----a-w C:\WINDOWS\system32\drivers\KmxCF.sys
2007-05-31 20:43:36 114,448 ----a-w C:\WINDOWS\system32\drivers\KmxFw.sys
2007-05-28 23:21:34 256,784 ----a-w C:\WINDOWS\system32\UmxSbxw.dll
2007-05-28 23:21:34 117,520 ----a-w C:\WINDOWS\system32\UmxSbxExw.dll
2007-05-28 17:39:07 -------- d-----w C:\Program Files\Common Files\Scanner
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 00:51:12 99,904 ----a-w C:\WINDOWS\system32\isafeif.dll
2007-05-16 00:51:12 79,424 ----a-w C:\WINDOWS\system32\vetredir.dll
2007-05-16 00:51:12 75,280 ----a-w C:\WINDOWS\system32\isafprod.dll
2007-04-26 03:26:12 45,056 ----a-w C:\WINDOWS\system32\HSSICore.dll
2007-04-26 03:26:12 184,320 ----a-w C:\WINDOWS\system32\OESICore.dll
2007-04-26 03:25:21 91,648 ----a-w C:\WINDOWS\gzip.exe
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2004-08-04 07:56:46 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56:42 1,028,096 --sha-w C:\WINDOWS\SYSTEM32\mfc42.dll
2004-08-04 07:56:43 54,784 --sha-w C:\WINDOWS\SYSTEM32\msvcirt.dll
2004-08-04 07:56:43 413,696 --sha-w C:\WINDOWS\SYSTEM32\msvcp60.dll
2004-08-04 07:56:43 343,040 --sha-w C:\WINDOWS\SYSTEM32\msvcrt.dll
2004-08-04 07:56:55 11,776 --sh--w C:\WINDOWS\SYSTEM32\regsvr32.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2006-10-26 11:28 440384 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
2003-08-06 00:04 106548 --a------ C:\WINDOWS\system32\dla\tfswshx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2006-11-09 15:21 440056 --a------ C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 18:47]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-01-20 23:15]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 09:05]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 18:05]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 23:01]
"UserFaultCheck"="%systemroot%\system32\dumprep 0 -u" []
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 15:07]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-06-14 11:19]
"@"="" []
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-05-15 17:51]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2007-06-14 11:19]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2007-06-14 11:19]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2007-06-14 11:19]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\QOELoader.exe" [2007-06-14 11:19]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"Microsoft Works Update Detection"="???\WkDetect.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="C:\WINDOWS\system32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 05:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll --a------ 2007-01-31 15:00 79368 C:\WINDOWS\SYSTEM32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{353060d1-510c-11d8-8225-806d6172696f}]
AutoRun\command- D:\start.exe


Contents of the 'Scheduled Tasks' folder
2007-07-19 07:00:38 C:\WINDOWS\tasks\CAAntiSpywareScan_Daily as Ruetten at 12 00 AM.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-19 17:57:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = C:\Program Files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???H???????x???x???????????x???????????x???x??????????????????????????????????????????w????????????j??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-19 18:00:45

--- E O F ---





Logfile of HijackThis v1.99.1
Scan saved at 6:14:48 PM, on 7/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\QOELoader.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
C:\WINDOWS\system32\ntvdm.exe
C:\OPLIMIT\ocrawr32.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\qoeapp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.azcentral.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\QOELoader.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: palmOne Registration.lnk = C:\Palm\register.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... urrent.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/ ... Client.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe




I hope you dont mind that I added the windirstat report:

28.6 GB C:\
16.2 GB C:\Program Files
9.5 GB C:\Program Files\PIXELA
9.5 GB C:\Program Files\PIXELA\ImageMixer
5.8 GB C:\Program Files\PIXELA\ImageMixer\Capture
3.5 GB C:\Program Files\PIXELA\ImageMixer\Convert
81.2 MB C:\Program Files\PIXELA\ImageMixer\Data
50.7 MB C:\Program Files\PIXELA\ImageMixer\Style
39.3 MB C:\Program Files\PIXELA\ImageMixer\<Files>
21.9 MB C:\Program Files\PIXELA\ImageMixer\AudioSample
19.4 MB C:\Program Files\PIXELA\ImageMixer\Opening
13.3 MB C:\Program Files\PIXELA\ImageMixer\VideoSample
11.4 MB C:\Program Files\PIXELA\ImageMixer\Button
7.9 MB C:\Program Files\PIXELA\ImageMixer\NxtButton
7.9 MB C:\Program Files\PIXELA\ImageMixer\PreButton
4.9 MB C:\Program Files\PIXELA\ImageMixer\help
1.8 MB C:\Program Files\PIXELA\ImageMixer\Userdata
1.1 MB C:\Program Files\PIXELA\ImageMixer\FigThumb
720.0 KB C:\Program Files\PIXELA\ImageMixer\PPGFOLDER0
120.0 KB C:\Program Files\PIXELA\ImageMixer\PPGFOLDER1
60.0 KB C:\Program Files\PIXELA\ImageMixer\PPGFOLDER2
3.2 GB C:\Program Files\Microsoft Games
2.1 GB C:\Program Files\Microsoft Games\Age of Empires III
905.4 MB C:\Program Files\Microsoft Games\Age of Mythology
248.6 MB C:\Program Files\Microsoft Games\Age of Empires II
648.9 MB C:\Program Files\Common Files
429.2 MB C:\Program Files\Maxis
260.2 MB C:\Program Files\Jasc Software Inc
251.8 MB C:\Program Files\Microsoft Picture It! PhotoPub
218.1 MB C:\Program Files\Hewlett-Packard
212.0 MB C:\Program Files\WordPerfect Office 11
184.5 MB C:\Program Files\Dell
166.5 MB C:\Program Files\Microsoft Encarta
156.4 MB C:\Program Files\Java
156.2 MB C:\Program Files\Sonic
118.5 MB C:\Program Files\MUSICMATCH
105.4 MB C:\Program Files\InstallShield Installation Information
84.5 MB C:\Program Files\Microsoft Office
76.2 MB C:\Program Files\CA
72.7 MB C:\Program Files\EasyKeys
62.8 MB C:\Program Files\eBay
60.2 MB C:\Program Files\Ulead Systems
57.5 MB C:\Program Files\NewSoft
36.7 MB C:\Program Files\Yahoo SiteBuilder
36.7 MB C:\Program Files\Palo Alto Software
29.9 MB C:\Program Files\IDI Magic
23.4 MB C:\Program Files\Documents To Go
20.8 MB C:\Program Files\Grisoft
19.9 MB C:\Program Files\Adobe
13.1 MB C:\Program Files\MSN
13.1 MB C:\Program Files\CyberLink
12.9 MB C:\Program Files\hp photosmart
10.7 MB C:\Program Files\Movie Maker
8.3 MB C:\Program Files\MSN Gaming Zone
6.7 MB C:\Program Files\Viewpoint
6.3 MB C:\Program Files\Internet Explorer
6.3 MB C:\Program Files\Windows Media Player
6.0 MB C:\Program Files\Uninstall Information
4.5 MB C:\Program Files\Yahoo!
4.1 MB C:\Program Files\Outlook Express
3.8 MB C:\Program Files\Homestead
3.7 MB C:\Program Files\Windows NT
3.3 MB C:\Program Files\Spybot - Search & Destroy
3.1 MB C:\Program Files\NetMeeting
2.2 MB C:\Program Files\QuickTime
2.1 MB C:\Program Files\Messenger
1.6 MB C:\Program Files\Modem Helper
1.5 MB C:\Program Files\Dell Computer
1.2 MB C:\Program Files\Snowman Game
848.3 KB C:\Program Files\NetWaiting
736.9 KB C:\Program Files\WinDirStat
695.1 KB C:\Program Files\Learn2.com
601.6 KB C:\Program Files\Google
484.0 KB C:\Program Files\CONEXANT
400.0 KB C:\Program Files\McAfee.com
376.9 KB C:\Program Files\Broadcom
230.0 KB C:\Program Files\Digital Line Detect
224.8 KB C:\Program Files\HijackThis
169.8 KB C:\Program Files\Symantec
126.2 KB C:\Program Files\Ringo
93.1 KB C:\Program Files\SymNetDrv
41.6 KB C:\Program Files\WindowsUpdate
30.1 KB C:\Program Files\The Learning Company
6.3 KB C:\Program Files\Broadcom Management Programs
2.4 KB C:\Program Files\Online Services
2.1 KB C:\Program Files\Real
0 C:\Program Files\ComPlus Applications
0 C:\Program Files\DNA
0 C:\Program Files\microsoft frontpage
0 C:\Program Files\MSXML 4.0
0 C:\Program Files\XEROX
0 C:\Program Files\Your Company Name
2.9 GB C:\WINDOWS
2.5 GB C:\<Files>
2.2 GB C:\System Volume Information
1.7 GB C:\Documents and Settings
1.6 GB C:\VSTASCAN
939.7 MB C:\I386
304.2 MB C:<Unknown>
73.5 MB C:\Palm
29.5 MB C:\JTF-GNO
25.8 MB C:\DELL
24.5 MB C:\DPS
17.7 MB C:\DISNEY
17.3 MB C:\DRIVERS
15.6 MB C:\temp
10.7 MB C:\OPLIMIT
5.5 MB C:\My PageManager
4.3 MB C:\PAS
529.8 KB C:\Config.Msi
492.5 KB C:\Z~MSSTFQ.T
417.6 KB C:\found.000
376.0 KB C:\~MSSETUP.T
283.2 KB C:\c674a064f0d23568c4fddce971645c
207.3 KB C:\MWASPI
14.2 KB C:\AAAMNG7
20 Bytes C:\RECYCLER
0 C:\ComboFix
0 C:\My Music
0 C:\QooBox
0 C:\WUTemp

I guess most of the used space is in the image mixer (DVD files) and my games... And all the programs added over time. I just seems like the last time I looked at the usage pie on the C: drive. can a program (spy/virus) put small files in many multiple folders?

Do I need to replace the explorer settings that the combofix altered?

I will start scanning once aweek with both spy ware softwares.

thanks,
Greg
gruetten
Active Member
 
Posts: 8
Joined: July 11th, 2007, 1:08 pm

Unread postby beynac » July 20th, 2007, 6:15 am

Good morning Greg.

The ComboFix report is not showing any problems. :)

I guess most of the used space is in the image mixer (DVD files) and my games... And all the programs added over time. I just seems like the last time I looked at the usage pie on the C: drive. can a program (spy/virus) put small files in many multiple folders?

Your hard disk is not really large enough to store DVDs. I suggest that you look through the largest folders and delete anything that you don't want to keep. I don't know much about Pixela, but it is possible that it is storing more than one version of the same file (look in the 'Capture' and 'Convert' folders). It would be worth looking into buying an extra hard drive, either internal or external, to store your DVDs. External USB drives are now fairly cheap.

Malware can create a lot of small files in multiple folders, but this should show up as the total would need to be quite large for it to have any effect on the available space. Any such files should have been identified by CA Internet Security and/or AVG Anti-Spyware.

Do I need to replace the explorer settings that the combofix altered?

ComboFix resets a number of the settings to a default in order to correct those which may have been changed by malware. You can re-instate any of these provided that you are happy with them.

------------------------------------------------------

We still need to get rid of that line in HijackThis relating to WkDetect.exe. I can't understand why the previous fix didn't work. Let's try it in Safe Mode this time.

Important: If you have an 'always on' connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode. I suggest that you print out these instructions.

Boot to Safe Mode. To do this:
  • Restart your computer.
  • Continually tap the F8 button as your computer is booting a menu appears.
  • Use up-arrow key to select Safe Mode and press Enter.
  • Make sure that you log on as your normal user
Now let's try the fix again. There's a couple of other lines which we need to get rid of as well.

Run HijackThis and click Scan and then check (tick) the following, if present (don't worry if any are missing - but please let me know):

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


Close down all programs, browsers and other open windows. Make sure that only the above items are checked and then click on Fix checked.

Reboot Windows normally.

--------------------------------------------------------

Update Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6u2.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Click on the link named Java Runtime Environment (JRE) 6u2
  • Click on the radio button to Accept License Agreement
  • Click on Windows Offline Installation, Multi-language and save the downloaded file to your hard disk
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 2 Runtime Environment, JRE or JSE)
  • Reboot your computer
  • Delete the folder C:\Program Files\Java if present
  • Install the new version by running the newly-downloaded file, and follow the on-screen instructions.
  • Reboot your computer
---------------------------------------------------

Please run another HijackThis scan and post the log as a reply to this thread. Please also let me know how the computer is running.
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby beynac » July 27th, 2007, 9:06 am

Good afternoon Greg.

It's been a few days since I posted. Do you still want help with this?
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby NonSuch » July 30th, 2007, 4:12 am

This topic is now closed due to inactivity. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27228
Joined: February 23rd, 2005, 7:08 am
Location: California

Unread postby ChrisRLG » August 1st, 2007, 3:32 pm

re-opened on email request.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby beynac » August 2nd, 2007, 4:33 am

Welcome back Greg. :)

Please post a new HijackThis log and let me know how the computer is running. Are you having any fresh problems?
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby beynac » August 8th, 2007, 2:49 am

It's been a few days since this topic was re-opened, at your request. Do you still want our help with this?
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby gruetten » August 8th, 2007, 3:17 am

beynac,

I apologize for not getting back to this tread quickly; my wife and I are opening a new business and its taking all of my time. thank you and please know I do appreciate all of your help.

I have done the HijackThis in safe mode and found all three lines. I checked all of them and hit fix.

I updated Java as you instructed and the below HiJackThis log was done after the Fix checked in safe mode.

Logfile of HijackThis v1.99.1
Scan saved at 11:57:13 PM, on 8/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\QOELoader.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\ntvdm.exe
C:\VSTASCAN\vsaccess.exe
C:\OPLIMIT\ocrawr32.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.azcentral.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\QOELoader.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: palmOne Registration.lnk = C:\Palm\register.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... urrent.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/ ... Client.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

The computer seems to be running good.

I think the issue of the space on the hard drive is: I have slowly stored more and more stuff with out noticing.

But I did have the problem with my e-mail that keeps filling up with the same mail. I again went into my web email and deleted everything unwanted and now it is fine.

I do notice that when I go to task manager that a program UPDATE is always running and it has a funny looking S in front of UPDATE.

Thanks,
Greg
gruetten
Active Member
 
Posts: 8
Joined: July 11th, 2007, 1:08 pm

Unread postby beynac » August 8th, 2007, 4:34 am

Good morning.

I apologize for not getting back to this tread quickly; my wife and I are opening a new business and its taking all of my time.

No problem. Good luck with the business.

I do notice that when I go to task manager that a program UPDATE is always running and it has a funny looking S in front of UPDATE.

Your HijackThis log is clean, but this is a bit worrying. Is the "funny looking S" a dollar sign? I think that we had better run ComboFix again to check what's going on.

-------------------------------------------------------

ComboFix by sUBs

Please delete your current version of ComboFix. It is important that you use the up-to-date version.
  • Download this file - ComboFix.exe
  • Close all open windows.
  • Double click ComboFix.exe and follow the prompts.
  • When finished, it will produce a log for you. Please post that log in your next reply
Important: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall

If necessary, please split the log into separate posts to ensure that they don't get cut off. It is important that I see the full log.

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

-------------------------------------------------------

Please run HijackThis again and post the following, as a reply to this post:
  • The ComboFix log
  • A new HijackThis log
Please let me know whether the program is named $update.exe.
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby gruetten » August 9th, 2007, 12:29 am

Hello,


ComboFix 07-08-09.3 - "Ruetten" 2007-08-08 19:56:42.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.603 [GMT -7:00]
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))


2007-07-24 09:59 <DIR> d-------- C:\WINDOWS\SYSTEM32\Arthur
2007-07-24 09:59 <DIR> d-------- C:\Program Files\Microsoft ActiMates
2007-07-23 03:35 879,832 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetefile.sys
2007-07-23 03:35 108,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\veteboot.sys
2007-07-19 17:49 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-19 17:22 <DIR> d--h----- C:\WINDOWS\PIF
2007-07-19 17:16 <DIR> d-------- C:\Program Files\WinDirStat
2007-07-18 14:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-07-16 21:45 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GCR\APPLIC~1\Share-to-Web Upload Folder
2007-07-16 20:09 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1.GCR\NTUSER.DAT
2007-07-16 20:09 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GCR\APPLIC~1\Sonic
2007-07-16 20:09 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GCR\APPLIC~1\Real
2007-07-16 20:09 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GCR\APPLIC~1\Jasc Software Inc
2007-07-16 19:59 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-08 19:34 86578 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2007-08-08 19:34 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2007-08-08 19:34 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2007-08-08 19:34 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2007-08-08 19:34 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2007-08-08 19:34 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2007-08-08 19:34 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2007-08-08 19:34 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2007-08-01 16:09 --------- d-------- C:\Program Files\Microsoft Picture It! PhotoPub
2007-07-27 13:38 --------- d-------- C:\Program Files\EasyKeys
2007-07-22 17:31 --------- d-------- C:\Program Files\Google
2007-07-16 21:53 --------- d-------- C:\Program Files\Real
2007-07-16 21:53 --------- d-------- C:\Program Files\Common Files\Real
2007-07-16 21:52 --------- d-------- C:\DOCUME~1\Ruetten\APPLIC~1\Real
2007-06-20 07:22 299 --a------ C:\WINDOWS\EReg077.dat
2007-05-28 16:21 256784 --a------ C:\WINDOWS\system32\UmxSbxw.dll
2007-05-28 16:21 117520 --a------ C:\WINDOWS\system32\UmxSbxExw.dll
2007-05-16 08:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 08:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 08:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 08:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 08:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 08:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-15 17:51 99904 --a------ C:\WINDOWS\system32\isafeif.dll
2007-05-15 17:51 79424 --a------ C:\WINDOWS\system32\vetredir.dll
2007-05-15 17:51 75280 --a------ C:\WINDOWS\system32\isafprod.dll
1998-04-27 20:15 570128 --------- C:\WINDOWS\msapps\Dao\DAO350.DLL
1995-09-20 17:16 456976 --------- C:\WINDOWS\msapps\Dao\DAO3032.DLL
2004-08-04 07:56:46 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56:42 1,028,096 --sha-w C:\WINDOWS\SYSTEM32\mfc42.dll
2004-08-04 07:56:43 54,784 --sha-w C:\WINDOWS\SYSTEM32\msvcirt.dll
2004-08-04 07:56:43 413,696 --sha-w C:\WINDOWS\SYSTEM32\msvcp60.dll
2004-08-04 07:56:43 343,040 --sha-w C:\WINDOWS\SYSTEM32\msvcrt.dll
2004-08-04 07:56:55 11,776 --sh--w C:\WINDOWS\SYSTEM32\regsvr32.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 18:47]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-01-20 23:15]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 09:05]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 18:05]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 23:01]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-06-14 11:19]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-05-15 17:51]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2007-06-14 11:19]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2007-06-14 11:19]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2007-06-14 11:19]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\QOELoader.exe" [2007-06-14 11:19]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="C:\WINDOWS\system32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress

C:\Documents and Settings\Ruetten\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 08:00:00]
OCRAWARE.lnk - C:\OPLIMIT\OCRAWARE.EXE [2004-01-30 20:09:55]
palmOne Registration.lnk - C:\Palm\register.exe [2005-03-08 14:55:18]
UMAX VistaAccess.lnk - C:\VSTASCAN\vsaccess.exe [2004-05-05 13:25:50]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2005-08-08 13:52:26]
DESKTOP.INI [2002-09-03 08:00:00]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-01-20 23:10:13]
HotSync Manager.lnk - C:\Palm\Hotsync.exe [2004-06-09 14:16:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-06-29 16:15:10]
Palo Alto Software Update Manager 8.0.lnk - C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe [2006-03-29 09:47:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-01-31 15:00 79368 C:\WINDOWS\SYSTEM32\UmxWNP.dll

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys
R0 sonypvl2;sonypvl2;C:\WINDOWS\system32\drivers\sonypvl2.sys
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys
R1 sonypvf2;sonypvf2;C:\WINDOWS\system32\drivers\sonypvf2.sys
R1 sonypvt2;sonypvt2;C:\WINDOWS\system32\drivers\sonypvt2.sys
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys
R2 MASPINT;MASPINT;C:\WINDOWS\system32\drivers\MASPINT.sys
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe"
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe"
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe"
R3 Dot4 HPH09;Dot4 HPH09;C:\WINDOWS\system32\DRIVERS\hphid409.sys
R3 Dot4Print HPH09;Print Class Driver for IEEE-1284.4 HPH09;C:\WINDOWS\system32\DRIVERS\hphipr09.sys
R3 Dot4Storage HPH09;Storage Class Driver for IEEE-1284.4 (HPH09);C:\WINDOWS\system32\Drivers\hphs2k09.sys
R3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys
R3 MxlW2k;MxlW2k;C:\WINDOWS\system32\drivers\MxlW2k.sys
S1 Freedom;Freedom Miniport;C:\WINDOWS\system32\DRIVERS\FREEDOM.SYS
S1 sonypvd2;sonypvd2;C:\WINDOWS\system32\DRIVERS\sonypvd2.sys
S3 FVNETusb;Linksys Wireless-B USB Network Adapter v2.8 Driver;C:\WINDOWS\system32\DRIVERS\vnet558x.sys
S3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe"


Contents of the 'Scheduled Tasks' folder
2007-08-08 07:08:35 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Ruetten at 12 00 AM.job - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-08 20:04:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-08 20:10:07
C:\ComboFix2.txt ... 2007-07-19 18:00

--- E O F ---
Logfile of HijackThis v1.99.1
Scan saved at 9:24:08 PM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\QOELoader.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
C:\WINDOWS\system32\ntvdm.exe
C:\VSTASCAN\vsaccess.exe
C:\OPLIMIT\ocrawr32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\qoeapp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.azcentral.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\QOELoader.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: palmOne Registration.lnk = C:\Palm\register.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... urrent.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/ ... Client.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

here is the error message I get when I open email and yes I am getting multipule emails of the same email.

Message number 6 could not be retrieved. Account: 'pop.west.cox.net', Server: 'pop.west.cox.net', Protocol: POP3, Server Response: '.', Port: 110, Secure(SSL): No, Server Error: 0x800CCC90, Error Number: 0x800420CD


The server responded with an error. Account: 'pop.west.cox.net', Server: 'pop.west.cox.net', Protocol: POP3, Server Response: 'Return-Path: <bo-b0sxba1at6peq8aew0cm4bcakgh54b@b.e.1800flowers.com>', Port: 110, Secure(SSL): No, Server Error: 0x800CCC90, Error Number: 0x800CCC90

The "S" is like a lightening bolt S; I went on properties and it showed "PAS8_Update.exe".

Greg
gruetten
Active Member
 
Posts: 8
Joined: July 11th, 2007, 1:08 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 19 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware