New Year starts as a victim of usrqp - just won't stay dead

Post by bison7120 » January 1st, 2008, 4:33 pm

Hi guys,

I sure hope you can help me. I've been trying for the past 3 days to get rid of 4 files that VundoFix finds - and deletes - but they keep coming back - instantly.

I'm not sure that I should be putting in so much effort to get rid of these files - even though they are bad - I don't really have any symptoms, that I can tell.

In the past three days, I've run VundoFix.exe many, many times, as well as TrojanHunter and SpyBot and SDFix and AutoRuns. I've also run HiJackThis, and saved many logs, but have never used it to make any changes. And have come to the conclusion that I need your help.

My primary concern right now, is that Outlook Express now takes 25 seconds to start and Norton Anti Virus no longer runs in auto protect mode. I suspect that I may have somehow caused this while using AutoRuns to uncheck or delete certain items.

Happy New Year,
Victim
PS second thought - don't like starting the year as a victim - you can call me a patient.

Here is my freshest HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:55:20 PM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Me-XP\Downloads\malware\AdAware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Me-XP\Util\cvsnt\cvsservice.exe
D:\Me-XP\Util\cvsnt\cvslock.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Me-XP\Downloads\malware\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\system32\SK9910DM.EXE
D:\Me-XP\Downloads\malware\Spybot - Search & Destroy\TeaTimer.exe
D:\Me-XP\mysql\bin\mysqld-nt.exe
D:\Me-XP\Util\ZoneAlarm\zonealarm.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gateway1200/home/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\ursqp.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "D:\Me-XP\Downloads\malware\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Me-XP\Downloads\malware\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Global Startup: ZoneAlarm.lnk = Util\ZoneAlarm\zonealarm.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Me-XP\DOWNLO~1\malware\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Me-XP\DOWNLO~1\malware\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01112303-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon ... gctlch.cab
O16 - DPF: {01112B00-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon ... d/tgrc.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1175352714408
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Me-XP\Downloads\malware\AdAware\aawservice.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: CVSNT (CVS) - GNU - D:\Me-XP\Util\cvsnt\cvsservice.exe
O23 - Service: CVSNT Locking Service (CVSLock) - Unknown owner - D:\Me-XP\Util\cvsnt\cvslock.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - D:\Me-XP\Util\ISORecorder\ImapiHelper.exe
O23 - Service: MySql - Unknown owner - D:/Me-XP/mysql/bin/mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 7133 bytes
bison7120
Active Member
 
Posts: 12
Joined: January 1st, 2008, 3:36 pm
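Two details in the log above are the kind of thing a helper looks for first: the F3 entry "REG:win.ini: load=C:\WINDOWS\system32\ursqp.exe" (the win.ini load= value is a legacy Windows startup hook, and anything other than an empty value there deserves a look), and the running process "jusched .exe", a file with a space before its extension sitting next to the real jusched.exe. As an added illustration, not a tool from this forum or from the makers of HijackThis, the Python below parses HijackThis-style lines and flags those two patterns plus any O2 browser helper object reported as "(no name)". The sample lines are copied from the HijackThis logs in this thread; the check names and the parsing code are this example's own.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example, not a tool from the forum or from HijackThis's authors.
Three checks, each motivated by the logs in this thread:
  win.ini-load      F3 entry whose win.ini load= (or run=) names a program
  spaced-extension  a path whose file name has a space before the extension
                    ("jusched .exe" next to the real jusched.exe)
  unnamed-bho       O2 browser helper object reported as "(no name)"
The check names are this example's own; the sample lines are copied from
the HijackThis logs posted in the thread.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str  # which heuristic fired
    line: str   # the log line it fired on, verbatim


ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
# a space directly before the extension, e.g. "jusched .exe"
SPACED_EXT_RE = re.compile(r"\S \.(?:exe|dll|scr|com)\b", re.IGNORECASE)
# load= or run= followed by a non-empty value
WININI_RE = re.compile(r"\b(?:load|run)=(\S+)")
BHO_RE = re.compile(r"^BHO: (.*?) - (\S+) - (.*)$")


def parse(text):
    """Yield (kind, section, body): kind is 'process' for the running-process
    list (section '') or 'entry' for lettered lines such as 'O4 - ...'."""
    in_processes = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line:
                yield ("process", "", line)
            else:
                in_processes = False  # a blank line closes the list
            continue
        m = ENTRY_RE.match(line)
        if m:
            yield ("entry", m.group(1), m.group(2))


def triage(text):
    """Return the list of Findings for a log, in log order."""
    findings = []
    for kind, section, body in parse(text):
        line = body if kind == "process" else f"{section} - {body}"
        if SPACED_EXT_RE.search(line):
            findings.append(Finding("spaced-extension", line))
        if section == "F3" and WININI_RE.search(body):
            findings.append(Finding("win.ini-load", line))
        elif section == "O2":
            m = BHO_RE.match(body)
            if m and m.group(1) == "(no name)":
                findings.append(Finding("unnamed-bho", line))
    return findings


# Constructed sample: a few lines copied from the logs in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
F3 - REG:win.ini: load=C:\WINDOWS\system32\ursqp.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [THGuard] "D:\Me-XP\Downloads\malware\TrojanHunter 5.0\THGuard.exe"
O2 - BHO: (no name) - {A8A24DB7-E097-46B7-8E9D-0D46BFF6AF3C} - C:\WINDOWS\system32\ursqp.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.check:18} {f.line}")
```

Run it as a script to see the three findings the sample produces; to use it on a real log, pass the saved log's text to triage(). The checks are deliberately narrow: a hit means "look at this line", not "this is malware", and a clean result says nothing about entries the heuristics do not cover.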

Re: New Year starts as a victim of usrqp - just won't stay dead

Post by markamus » January 2nd, 2008, 12:05 pm

Hi bison7120,

Welcome to Malware Removal!

I go by markamus here. I will be glad to assist you with your computer problems. HijackThis logs can take a while to research, so please be patient with me. I know that you want your problems solved quickly, and I will work hard to help you.

Please observe these rules while we work:
  1. I will be working on your malware issues. This may or may not solve other issues with your machine.
  2. If you don't understand something, stop and ask! Don't keep going on.
  3. Please reply to this thread. Do not start a new topic.
  4. The fixes are specific to your problem and should only be used for the issues on this machine.
  5. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean everything is clear!
If you can do these things, everything should go smoothly :)

I am currently reviewing your log and will have a reply shortly.

Thanks,

markamus
markamus
Regular Member
 
Posts: 696
Joined: August 9th, 2006, 9:28 pm
Location: Alabama

Re: New Year starts as a victim of usrqp - just won't stay dead

Post by bison7120 » January 2nd, 2008, 2:04 pm

Hi markamus,

I appreciate the help. Looking forward to your analysis.

Thanks,
bison7120
bison7120
Active Member
 
Posts: 12
Joined: January 1st, 2008, 3:36 pm

Re: New Year starts as a victim of usrqp - just won't stay dead

Post by markamus » January 2nd, 2008, 2:16 pm

Hi bison7120,

Please go to Start, Run... and type notepad.exe
Hit OK
Click on Format and uncheck WordWrap
Close Notepad
-------------------------------------------------------------------------

Using Windows Explorer
    (Right click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents)
Navigate to your Hijackthis folder:
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on HijackThis.exe. Select Rename, and rename it to scanner.exe. Re-run HijackThis using scanner.exe, and post a fresh log for me to review.
--------------------------------------------------------------------------

1. Download this file - combofix.exe and save it to your Desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  1. The Combofix log
  2. A fresh HijackThis log
  3. A description of how the PC is running.
Thanks,

markamus
markamus
Regular Member
 
Posts: 696
Joined: August 9th, 2006, 9:28 pm
Location: Alabama

Re: New Year starts as a victim of usrqp - just won't stay dead

Post by bison7120 » January 2nd, 2008, 4:44 pm

Markamus,

I did as requested:
Turned off wordwrap in notepad
Renamed Hijackthis to scanner and ran it and saved the log file (posted just below).

I then ran Combofix, and it did its thing - rebooted and had several scary minutes because Norton had popped up a Malicious script alert and I had a hard time getting the dropdown box to work so I could select ‘Authorize script’ - but got it done and combo fix produced the log file below.

NOTE: I also ran a second hijackthis (as scanner) after the combo fix and that is posted at the bottom.

How is my PC running? - Well Outlook Express started instantly - instead of taking 25+ seconds. So that is terrific.

Concerns:

1) Should I be concerned that Norton Auto Protect doesn’t start up on boot and cannot be turned on? Starting one or two days ago, I now get a Windows Firewall alert that says my anti virus software isn’t running. As I stated in my initial post, it could have been caused by me messing around with the Sysinternals AutoRuns program - I may have unchecked - or very likely - deleted something that I shouldn’t.

I probably shouldn’t worry because Norton was a 2003 program and I paid for my last subscription update in 2005 - and yet, to this day, it still runs a full scan every night, and every morning I see that it never finds anything. (And besides - even though I don’t think it is running, it popped up the malicious script alert when combofix rebooted - so maybe it IS still alive?)

Do you recommend that I pay for some professional virus software, or now that I have Trojan Hunter and Spybot running, that I’m pretty well covered? (I did try Trend Micro’s HouseCall 6.5 yesterday, and it did find 50+ problems, but the browser crashed before it fixed anything - I might try it again, now that you got rid of several problems.)

2) Should I be concerned about ‘About:blank’, an R1 entry in the hijackthis log? I thought I read that it may be a problem.

3) Since combofix deleted C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe - does that mean I will need to do manual updates to Java? Not a real big concern, but I do Java development, and at some point will want to update - and probably re-enable the auto updates.

4) Question, with SpyBot running in the last couple days, I’ve seen this alert - just saw it again after rebooting a second time after ComboFix finished:

Category: System Startup global entry
Change: value added
Entry: KernelFaultCheck
New data: %systemroot%\system32\dumprep 0 -k

Should I allow or deny this change?

I’m very happy right now - you got rid of those pesky ursqp files.

Thank you,
bison7120

PS Requested logs follow:

First HijackThis log (before ComboFix was run):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:55 PM, on 1/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Me-XP\Downloads\malware\AdAware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
D:\Me-XP\Downloads\malware\TrojanHunter 5.0\THGuard.exe
C:\WINDOWS\system32\SK9910DM.EXE
D:\Me-XP\Util\cvsnt\cvsservice.exe
D:\Me-XP\Downloads\malware\Spybot - Search & Destroy\TeaTimer.exe
D:\Me-XP\Util\cvsnt\cvslock.exe
D:\Me-XP\Util\ZoneAlarm\zonealarm.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
D:\Me-XP\mysql\bin\mysqld-nt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
d:\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gateway1200/home/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\ursqp.exe
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Me-XP\DOWNLO~1\malware\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8ADA7DAA-E59B-4A9B-BF09-59381CA9ED24} - (no file)
O2 - BHO: (no name) - {A8A24DB7-E097-46B7-8E9D-0D46BFF6AF3C} - C:\WINDOWS\system32\ursqp.dll
O2 - BHO: (no name) - {B8A0A86E-E3F6-4D26-BB68-B46573EB27FB} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "D:\Me-XP\Downloads\malware\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Me-XP\Downloads\malware\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Global Startup: ZoneAlarm.lnk = Util\ZoneAlarm\zonealarm.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Me-XP\DOWNLO~1\malware\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Me-XP\DOWNLO~1\malware\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01112303-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon ... gctlch.cab
O16 - DPF: {01112B00-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon ... d/tgrc.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5352714408
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Me-XP\Downloads\malware\AdAware\aawservice.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: CVSNT (CVS) - GNU - D:\Me-XP\Util\cvsnt\cvsservice.exe
O23 - Service: CVSNT Locking Service (CVSLock) - Unknown owner - D:\Me-XP\Util\cvsnt\cvslock.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - D:\Me-XP\Util\ISORecorder\ImapiHelper.exe
O23 - Service: MySql - Unknown owner - D:/Me-XP/mysql/bin/mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 7843 bytes

ComboFix log:

ComboFix 08-01-03.1 - Admin 2008-01-02 12:39:33.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.183 [GMT -6:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\#SharedObjects\8CN7Z9K4\www.broadcaster.com
C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\#SharedObjects\8CN7Z9K4\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\#SharedObjects\8CN7Z9K4\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\Common Files\Symantec Shared\ccRegVfy .exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
C:\Program Files\DNA\btdna .exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\start.exe
C:\WINDOWS\SYSTEM32\pqsru.ini
C:\WINDOWS\SYSTEM32\pqsru.ini2
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\ursqp.dll
C:\WINDOWS\system32\ursqp.exe
C:\WINDOWS\system32\windows.scr

"C:\Program Files\Common Files\Symantec Shared\ccRegVfy .exe" moved to QooBox
"C:\Program Files\Messenger\msmsgs .exe" moved to QooBox
"C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe" moved to QooBox
"C:\Program Files\QuickTime\qttask .exe" moved to QooBox
"C:\Program Files\DNA\btdna .exe" moved to QooBox

.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))))
.

2008-01-02 12:38 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-01 13:48 . 2008-01-01 13:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-01 10:46 . 2008-01-01 10:45 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-01-01 10:45 . 2008-01-01 10:45 <DIR> d-------- C:\Documents and Settings\Admin\.housecall6.6
2007-12-31 15:34 . 2007-12-31 15:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-31 15:30 . 2007-12-31 15:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-31 09:31 . 2007-12-31 09:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-30 18:05 . 2007-12-30 18:06 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\TrojanHunter
2007-12-30 13:21 . 2007-12-30 13:21 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-30 12:09 . 2007-12-30 12:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-30 12:09 . 2007-12-30 12:09 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\PrevxCSI
2007-12-29 09:19 . 2007-12-29 09:19 <DIR> d-------- C:\VundoFix Backups
2007-12-28 23:51 . 2007-12-28 23:51 1,031,139 ---hs---- C:\WINDOWS\SYSTEM32\nrwglgiu.ini
2007-12-23 07:58 . 2007-12-23 07:58 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\BitTorrent
2007-12-23 07:55 . 2007-12-23 07:55 <DIR> d-------- C:\Program Files\DNA
2007-12-12 10:03 . 2007-12-12 10:06 23,110 --a------ C:\WINDOWS\SYSTEM32\productregistry
2007-12-12 09:44 . 2007-12-12 09:44 <DIR> d-------- C:\Documents and Settings\Admin\.SunDownloadManager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 19:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2007-11-09 19:49 --------- d-----w C:\Documents and Settings\Admin\Application Data\Logitech
2007-11-09 19:48 --------- d-----w C:\Program Files\Common Files\Logitech
2007-11-09 19:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2007-11-09 19:48 --------- d-----w C:\Documents and Settings\Admin\Application Data\InstallShield
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\dllcache\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shell32.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
2007-10-10 23:56 671,232 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\SYSTEM32\dllcache\webcheck.dll
2007-10-10 23:56 105,984 ------w C:\WINDOWS\SYSTEM32\dllcache\url.dll
2007-10-10 23:56 102,400 ------w C:\WINDOWS\SYSTEM32\dllcache\occache.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\SYSTEM32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\SYSTEM32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\SYSTEM32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\SYSTEM32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\SYSTEM32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\SYSTEM32\dllcache\advpack.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2000-09-30 00:58 271 --sh--w C:\Program Files\desktop.ini
2000-09-30 00:58 23,357 ---h--w C:\Program Files\folder.htt
2003-04-05 08:34 32 --sha-w C:\WINDOWS\{BD87A5DA-1009-49DF-9D29-FB5B1C8F6293}.dat
2003-04-05 08:34 32 --sha-w C:\WINDOWS\SYSTEM32\{0DD7D738-E8C6-4952-85BB-B54480BC28BB}.dat
.
----a-w            54,296 2007-12-30 15:48:02  C:\Program Files\Common Files\Symantec Shared\ccApp .exe



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ADA7DAA-E59B-4A9B-BF09-59381CA9ED24}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8A0A86E-E3F6-4D26-BB68-B46573EB27FB}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS0]
@={5d1cb710-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS1]
@={5d1cb711-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS2]
@={5d1cb712-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS3]
@={5d1cb713-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS4]
@={5d1cb714-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS5]
@={5d1cb715-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS6]
@={5d1cb716-1c4b-11d4-bed5-005004b1f42f}

[HKEY_CLASSES_ROOT\CLSID\{5d1cb710-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb711-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb712-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb713-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb714-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb715-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb716-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"SpybotSD TeaTimer"="D:\Me-XP\Downloads\malware\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 01:07 1626112 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07 81920]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"THGuard"="D:\Me-XP\Downloads\malware\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31 1046688]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 14:50 66048 C:\WINDOWS\SYSTEM32\SK9910DM.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ZoneAlarm.lnk - D:\Me-XP\Util\ZoneAlarm\zonealarm.exe [2003-04-10 00:44:56]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"BCMDMMSG"=BCMDMMSG.exe
"Speed racer"=C:\Program Files\Creative\PlayCenter\CTSRReg.exe
"UpdReg"=C:\WINDOWS\Updreg.exe
"NvCplDaemon"=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
"nwiz"=nwiz.exe /install
"Hot Key Kbd 9910 Daemon"=SK9910DM.EXE
"GRA"=C:\CABS\grainstall\GRA.exe
"Corel Reminder"="C:\PROGRAM FILES\COREL\GRAPHICS10\REGISTER\NAVBROWSER.EXE" /r /i "C:\PROGRAM FILES\COREL\GRAPHICS10\REGISTER\NavLoad.ini"
"QAGENT"=C:\PROGRAM FILES\QUICKENW\QAGENT.EXE


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-01-02 18:20:02 C:\WINDOWS\Tasks\Uninstall Expiration Reminder.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2008-01-02 13:36:52 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-01-02 18:34:18 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 12:46:00
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql$SQLEXPRESS]
"ImagePath"="\"d:\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:SQLEXPRESS"
--

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="D:/Me-XP/mysql/bin/mysqld-nt.exe"
.
Completion time: 2008-01-03 13:03:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-03 19:03:16
.
2007-12-12 09:04:05 --- E O F ---


Second HijackThis log (after ComboFix was run):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:36 PM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Me-XP\Downloads\malware\AdAware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Me-XP\Util\cvsnt\cvsservice.exe
D:\Me-XP\Util\cvsnt\cvslock.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
D:\Me-XP\mysql\bin\mysqld-nt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
D:\Me-XP\Downloads\malware\TrojanHunter 5.0\THGuard.exe
C:\WINDOWS\system32\SK9910DM.EXE
D:\Me-XP\Downloads\malware\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
D:\Me-XP\Util\ZoneAlarm\zonealarm.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\wpwin9.exe
d:\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gateway1200/home/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Me-XP\DOWNLO~1\malware\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "D:\Me-XP\Downloads\malware\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Me-XP\Downloads\malware\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Global Startup: ZoneAlarm.lnk = Util\ZoneAlarm\zonealarm.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Me-XP\DOWNLO~1\malware\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Me-XP\DOWNLO~1\malware\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {01112303-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon ... gctlch.cab
O16 - DPF: {01112B00-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon ... d/tgrc.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5352714408
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Me-XP\Downloads\malware\AdAware\aawservice.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: CVSNT (CVS) - GNU - D:\Me-XP\Util\cvsnt\cvsservice.exe
O23 - Service: CVSNT Locking Service (CVSLock) - Unknown owner - D:\Me-XP\Util\cvsnt\cvslock.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - D:\Me-XP\Util\ISORecorder\ImapiHelper.exe
O23 - Service: MySql - Unknown owner - D:/Me-XP/mysql/bin/mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 7584 bytes
bison7120
Active Member
 
Posts: 12
Joined: January 1st, 2008, 3:36 pm

Re: New Year starts as a victim of usrqp - just won't stay dead

Unread postby markamus » January 6th, 2008, 4:48 pm

Hi bison7120,

P2P Warning!
Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.
Additional information on the safety of Peer to Peer programs themselves is here:
Clean/Infected P2P Programs
Please decide if you want to keep using P2P so I can put it in my next speech if you don't want to keep it.
-------------------------------------------------------------------------------------

Let's delete your current version of Combofix. It has been updated already. Get the new version from here. Use this version in the following instructions.

Open Notepad and copy/paste the text in the box into the window:

Code:
File::
C:\WINDOWS\SYSTEM32\nrwglgiu.ini


Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ADA7DAA-E59B-4A9B-BF09-59381CA9ED24}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8A0A86E-E3F6-4D26-BB68-B46573EB27FB}]


RenV::
C:\Program Files\Common Files\Symantec Shared\ccApp .exe




Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Include the new Combofix log in your next reply.
--------------------------------------------------------------------------

Please download a free version of CCleaner from here.


To install:
  • Select a language.
  • Click Next.
  • Click I Agree.
  • Select your Destination Folder and click Next. The default is set to C:\Program Files\CCleaner. This is OK to use, unless you would prefer it installed to another permanent folder.
  • Choose your Install Options.
  • Click Install.
  • Click Finish when prompted.


To run:
  • Before first use, check under Options, Advanced, and UNCHECK "Only delete files in Windows Temp folder older than 48 hours".
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Then select the items you wish to clean up. (See note below)
In the Windows Tab:
  • Clean all entries in the "Internet Explorer" except Cookies. Uncheck the Cookies entry. Deleting cookies will require re-entry of user names and passwords on next visit to sites that require users log in.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.
In the Applications Tab:
  • Clean all (optionally, except cookies) in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
  • Then click the "Run Cleaner" button and it will scan and clean your system.
  • Click exit.
----------------------------------------------------------------------------------------------

Kaspersky Online Scanner

Using Internet Explorer, click on Kaspersky Online Scanner
  • You will be prompted to install an ActiveX component from Kaspersky, Click 'Yes'.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click 'Next'.
  • Now click on 'Scan Settings'
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: 'Extended' (If available, otherwise 'Standard')
    • Scan Options: 'Scan Archives' and 'Scan Mail Bases'
  • Click 'OK'
  • Now under 'Select a target to scan' select 'My Computer'
  • The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
  • Now click on the 'Save as Text' button:
  • Save the file to your desktop.
Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.
----------------------------------------------------------------------------------------------

In your next reply, please include the following:
  1. The new Combofix log.
  2. The Kaspersky Online Scan.
  3. A description of how the PC is running.
Thanks,

markamus
markamus
Regular Member
 
Posts: 696
Joined: August 9th, 2006, 9:28 pm
Location: Alabama
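The HijackThis logs posted earlier in this thread carry a few markers that a helper reads first when triaging a log: entries marked "(no file)" or "(file missing)", O23 services with "Unknown owner", and file names with a space inserted before the extension (the "ccApp .exe" that the RenV:: line in the CFScript above targets, as distinct from the genuine ccApp.exe). The script below is an added example written for this thread, not part of HijackThis, ComboFix or any helper's instructions; it scans lines in HijackThis 2.0.2 format and reports which of those markers each line trips. Five of the sample lines are copied from the logs in this thread, and the "ccApp .exe" O4 line is constructed to show the spacing check; nothing in it is a verdict on the poster's machine.

```python
import re

# Sample input, labelled: five lines copied from the HijackThis logs in this
# thread and one constructed O4 line ("ccApp .exe") to exercise the spacing check.
SAMPLE_LINES = [
    r"O2 - BHO: (no name) - AutorunsDisabled - (no file)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp .exe"',  # constructed
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /install",
    r"O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)",
    r"O23 - Service: MySql - Unknown owner - D:/Me-XP/mysql/bin/mysqld-nt.exe",
    r"O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

# HijackThis writes "(no file)" / "(file missing)" when the registry points at
# a path that no longer exists; such entries are leftovers rather than threats.
DEAD_REF = re.compile(r"\((?:no file|file missing)\)", re.IGNORECASE)
# A space right before the extension ("ccApp .exe") makes a file name that is
# easy to mistake for a legitimate one at a glance.
SPACED_EXT = re.compile(r"\S \.(?:exe|dll|sys|scr)\b", re.IGNORECASE)
# Every HijackThis entry starts with its section code, e.g. "O4 - " or "R1 - ".
LINE_RE = re.compile(r"^(O\d+|R\d) - (.*)$")


def parse_line(line):
    """Split one HijackThis line into (section, body); return None for other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2)


def triage_line(line):
    """Return the list of reasons a single log line deserves a closer look."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    section, body = parsed
    reasons = []
    if DEAD_REF.search(body):
        reasons.append("references a file that no longer exists")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service binary has no recorded publisher")
    if SPACED_EXT.search(body):
        reasons.append("space inserted before the file extension (look-alike name)")
    return reasons


def triage(log_text):
    """Scan a whole log and return one finding per flagged line, in log order."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        reasons = triage_line(line)
        if reasons:
            findings.append({
                "line": lineno,
                "section": parse_line(line)[0],
                "text": line.strip(),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']} [{f['section']}]: {'; '.join(f['reasons'])}")
        print("    " + f["text"])
```

On the sample above the script flags four of the seven lines: the "(no file)" BHO, the constructed "ccApp .exe" Run entry, the missing Messenger button target, and the MySql service with no publisher. A flag is a prompt to look at the entry, not a removal decision; the Apache and Java entries pass untouched because nothing in the line itself is unusual.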

Re: New Year starts as a victim of usrqp - just won't stay dead

Unread postby bison7120 » January 7th, 2008, 9:09 pm

Hi markamus,

Before I follow your latest instructions, I should let you know that I have been busy trying to do what I can to clean up this PC. I’ve been generally following some of the guidelines suggested in various forum topics on this site (such as “So how did I get infected in the first place page”). I hope that I have not done anything that has wasted your time.

Things I’ve done after my last post and prior to your last post:

(Since I started (Dec 27th) on this ‘clean up my PC quest’, I’ve been keeping a log of major actions I’ve taken - I’m now on page 38 of that document! So please forgive me if I get too verbose - just like to write everything down.)

1) I uninstalled Norton Anti-Virus 2003 and all of the several Norton and Symantec components that were listed in Add/Remove Programs.

2) I installed Avast Anti-Virus Home Edition 4.7 on Jan 3. It did a boot time scan and found: TrojanHunter.exe was infected with win32:Delf-HHG [Trj]. I was given 9 choices as to what to do (delete, delete all, move, move all, repair, repair all, a few others); I chose Exit - and assume I did nothing. I suspect that this was a false infection - but don’t know.

3) NOTE: When I ran ComboFix the first time on Jan 2nd, it changed the system date to the 3rd. I did not notice till the 4th (actually the next day - so the 3rd) - caused a lot of confusion for me since I had written many log entries to my log doc, that all had the wrong date stamp, and the Avast install was also confused because after I installed it, I fixed the date back one day, so it thought that updates were already up to date....

4) I uninstalled the P2P programs. Will not use them again.

5) I ran the online Java version of TrendMicro HouseCall 6.5. It found 67 problems in several categories. All were removed and a second run was clean. (NOTE: The very first time I tried to use version 6.6 of HouseCall - it crashed the browser while installing the components. On a second try, I used 6.5, and it found plenty of problems, but it crashed just as the scan completed. Third try of 6.5 worked fine - odd thing is I have a C:\Documents and Settings\Admin\.housecall6.6 that seems to be where the 6.5 version quarantined the files it found. I'd like to get rid of that whole folder.)

6) I installed and ran ATF Cleaner on Jan 4th. I hoped it would delete two index.dat files in C:\Documents and Settings\Admin\Cookies and in C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5 - but both were not deleted. I tried to delete them manually in Safe Mode - but no luck. I suspect they are bad things simply because I can not delete them - and I routinely delete all these files several times a week.

7) I ran Ad-Aware - found nothing.
I ran SpyBot - found nothing.
I ran Avast - it found 4 Trojans - all were from previous, other fix programs - Three were from restore points.

So, based on the above and what I’ve learned so far, I think I can go ahead with all of your instructions.

So, I got the latest ComboFix and ran it! Oops! I forgot that I was supposed to drag in the CFScript file. Hope that was not a really bad thing. The log for that run of ComboFix is just below. I see this run of ComboFix removed the nrwglgiu.ini file, and I already removed all the Symantec files, but I’m still going to drag in the CFScript as is - and post a second log from that down below.

Here is the first combo fix log (run without dropping CFScript.txt):

ComboFix 08-01-07.4 - Admin 2008-01-06 21:26:24.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.210 [GMT -6:00]
Running from: D:\Me-XP\Downloads\malware\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\nrwglgiu.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.

2008-01-04 12:37 . 2007-12-04 07:04 837,496 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2008-01-04 12:37 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\SYSTEM32\actskin4.ocx
2008-01-04 12:37 . 2007-12-04 06:54 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2008-01-04 12:37 . 2007-12-04 08:55 94,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2008-01-04 12:37 . 2007-12-04 08:56 93,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2008-01-04 12:37 . 2007-12-04 08:51 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2008-01-04 12:37 . 2007-12-04 08:49 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2008-01-04 12:37 . 2007-12-04 08:53 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2008-01-02 12:38 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-01 13:48 . 2008-01-01 13:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-01 10:45 . 2008-01-01 10:45 <DIR> d-------- C:\Documents and Settings\Admin\.housecall6.6
2007-12-31 15:34 . 2007-12-31 15:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-31 15:30 . 2007-12-31 15:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-31 09:31 . 2007-12-31 09:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-30 18:05 . 2007-12-30 18:06 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\TrojanHunter
2007-12-30 13:21 . 2007-12-30 13:21 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-30 12:09 . 2007-12-30 12:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-30 12:09 . 2007-12-30 12:09 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\PrevxCSI
2007-12-29 09:19 . 2007-12-29 09:19 <DIR> d-------- C:\VundoFix Backups
2007-12-23 07:58 . 2007-12-23 07:58 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\BitTorrent
2007-12-23 07:55 . 2007-12-23 07:55 <DIR> d-------- C:\Program Files\DNA
2007-12-12 10:03 . 2007-12-12 10:06 23,110 --a------ C:\WINDOWS\SYSTEM32\productregistry
2007-12-12 09:44 . 2007-12-12 09:44 <DIR> d-------- C:\Documents and Settings\Admin\.SunDownloadManager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 19:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2007-11-09 19:49 --------- d-----w C:\Documents and Settings\Admin\Application Data\Logitech
2007-11-09 19:48 --------- d-----w C:\Program Files\Common Files\Logitech
2007-11-09 19:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2007-11-09 19:48 --------- d-----w C:\Documents and Settings\Admin\Application Data\InstallShield
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\dllcache\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shell32.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
2007-10-10 23:56 671,232 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\SYSTEM32\dllcache\webcheck.dll
2007-10-10 23:56 105,984 ------w C:\WINDOWS\SYSTEM32\dllcache\url.dll
2007-10-10 23:56 102,400 ------w C:\WINDOWS\SYSTEM32\dllcache\occache.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\SYSTEM32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\SYSTEM32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\SYSTEM32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\SYSTEM32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\SYSTEM32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\SYSTEM32\dllcache\advpack.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2000-09-30 00:58 271 --sh--w C:\Program Files\desktop.ini
2000-09-30 00:58 23,357 ---h--w C:\Program Files\folder.htt
.
Code:
<pre>
----a-w            54,296 2007-12-30 15:48:02  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
</pre>



((((((((((((((((((((((((((((( snapshot@2008-01-03_12.47.02.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 14:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
+ 2008-01-07 01:40:34 16,384 ----a-w C:\WINDOWS\TEMP\Perflib_Perfdata_3c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS0]
@={5d1cb710-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS1]
@={5d1cb711-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS2]
@={5d1cb712-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS3]
@={5d1cb713-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS4]
@={5d1cb714-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS5]
@={5d1cb715-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS6]
@={5d1cb716-1c4b-11d4-bed5-005004b1f42f}

[HKEY_CLASSES_ROOT\CLSID\{5d1cb710-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb711-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb712-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb713-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb714-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb715-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb716-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="D:\Me-XP\Downloads\malware\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 01:07 1626112 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07 81920]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"THGuard"="D:\Me-XP\Downloads\malware\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31 1046688]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 14:50 66048 C:\WINDOWS\SYSTEM32\SK9910DM.EXE]
"avast!"="D:\Me-XP\UTILAV~1\ashDisp.exe" [2007-12-04 07:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ZoneAlarm.lnk - D:\Me-XP\Util\ZoneAlarm\zonealarm.exe [2003-04-10 00:44:56]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"BCMDMMSG"=BCMDMMSG.exe
"Speed racer"=C:\Program Files\Creative\PlayCenter\CTSRReg.exe
"UpdReg"=C:\WINDOWS\Updreg.exe
"NvCplDaemon"=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
"nwiz"=nwiz.exe /install
"Hot Key Kbd 9910 Daemon"=SK9910DM.EXE
"GRA"=C:\CABS\grainstall\GRA.exe
"Corel Reminder"="C:\PROGRAM FILES\COREL\GRAPHICS10\REGISTER\NAVBROWSER.EXE" /r /i "C:\PROGRAM FILES\COREL\GRAPHICS10\REGISTER\NavLoad.ini"
"QAGENT"=C:\PROGRAM FILES\QUICKENW\QAGENT.EXE

R2 CVS;CVSNT;D:\Me-XP\Util\cvsnt\cvsservice.exe [2004-10-29 14:03]
R2 IOPort;IOPort;C:\WINDOWS\system32\DRIVERS\IOPORT.SYS [1998-11-27 15:57]
R2 msftesql$SQLEXPRESS;SQL Server FullText Search (SQLEXPRESS);"d:\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 []
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R3 HCWBT8XX;Hauppauge WinTV 848/9 WDM Video Driver;C:\WINDOWS\system32\DRIVERS\HCWBT8XX.sys [2002-03-01 00:35]
S4 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 14:40:34 C:\WINDOWS\Tasks\Uninstall Expiration Reminder.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 21:29:05
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql$SQLEXPRESS]
"ImagePath"="\"d:\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:SQLEXPRESS"
--

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="D:/Me-XP/mysql/bin/mysqld-nt.exe"
.
Completion time: 2008-01-06 21:29:42
ComboFix-quarantined-files.txt 2008-01-07 03:29:40
ComboFix2.txt 2008-01-03 19:03:22
.
2007-12-12 09:04:05 --- E O F ---


Here is the second combo fix log (run with dropping CFScript.txt):

ComboFix 08-01-07.4 - Admin 2008-01-07 10:20:23.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.190 [GMT -6:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\SYSTEM32\nrwglgiu.ini
.

((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.

2008-01-04 12:37 . 2007-12-04 07:04 837,496 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2008-01-04 12:37 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\SYSTEM32\actskin4.ocx
2008-01-04 12:37 . 2007-12-04 06:54 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2008-01-04 12:37 . 2007-12-04 08:55 94,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2008-01-04 12:37 . 2007-12-04 08:56 93,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2008-01-04 12:37 . 2007-12-04 08:51 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2008-01-04 12:37 . 2007-12-04 08:49 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2008-01-04 12:37 . 2007-12-04 08:53 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2008-01-02 12:38 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-01 13:48 . 2008-01-01 13:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-01 10:45 . 2008-01-01 10:45 <DIR> d-------- C:\Documents and Settings\Admin\.housecall6.6
2007-12-31 15:34 . 2007-12-31 15:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-31 15:30 . 2007-12-31 15:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-31 09:31 . 2007-12-31 09:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-30 18:05 . 2007-12-30 18:06 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\TrojanHunter
2007-12-30 13:21 . 2007-12-30 13:21 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-30 12:09 . 2007-12-30 12:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-30 12:09 . 2007-12-30 12:09 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\PrevxCSI
2007-12-29 09:19 . 2007-12-29 09:19 <DIR> d-------- C:\VundoFix Backups
2007-12-23 07:58 . 2007-12-23 07:58 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\BitTorrent
2007-12-23 07:55 . 2007-12-23 07:55 <DIR> d-------- C:\Program Files\DNA
2007-12-12 10:03 . 2007-12-12 10:06 23,110 --a------ C:\WINDOWS\SYSTEM32\productregistry
2007-12-12 09:44 . 2007-12-12 09:44 <DIR> d-------- C:\Documents and Settings\Admin\.SunDownloadManager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 19:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2007-11-09 19:49 --------- d-----w C:\Documents and Settings\Admin\Application Data\Logitech
2007-11-09 19:48 --------- d-----w C:\Program Files\Common Files\Logitech
2007-11-09 19:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2007-11-09 19:48 --------- d-----w C:\Documents and Settings\Admin\Application Data\InstallShield
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\dllcache\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shell32.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
2007-10-10 23:56 671,232 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\SYSTEM32\dllcache\webcheck.dll
2007-10-10 23:56 105,984 ------w C:\WINDOWS\SYSTEM32\dllcache\url.dll
2007-10-10 23:56 102,400 ------w C:\WINDOWS\SYSTEM32\dllcache\occache.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\SYSTEM32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\SYSTEM32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\SYSTEM32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\SYSTEM32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\SYSTEM32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\SYSTEM32\dllcache\advpack.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2000-09-30 00:58 271 --sh--w C:\Program Files\desktop.ini
2000-09-30 00:58 23,357 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((( snapshot@2008-01-03_12.47.02.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 14:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
+ 2008-01-07 01:40:34 16,384 ----a-w C:\WINDOWS\TEMP\Perflib_Perfdata_3c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS0]
@={5d1cb710-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS1]
@={5d1cb711-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS2]
@={5d1cb712-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS3]
@={5d1cb713-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS4]
@={5d1cb714-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS5]
@={5d1cb715-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS6]
@={5d1cb716-1c4b-11d4-bed5-005004b1f42f}

[HKEY_CLASSES_ROOT\CLSID\{5d1cb710-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb711-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb712-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb713-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb714-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb715-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb716-1c4b-11d4-bed5-005004b1f42f}]
2005-03-04 22:05 1073152 --a------ D:\Me-XP\Util\TortoiseCVS\TrtseShl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="D:\Me-XP\Downloads\malware\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 01:07 1626112 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07 81920]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"THGuard"="D:\Me-XP\Downloads\malware\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31 1046688]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 14:50 66048 C:\WINDOWS\SYSTEM32\SK9910DM.EXE]
"avast!"="D:\Me-XP\UTILAV~1\ashDisp.exe" [2007-12-04 07:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ZoneAlarm.lnk - D:\Me-XP\Util\ZoneAlarm\zonealarm.exe [2003-04-10 00:44:56]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"BCMDMMSG"=BCMDMMSG.exe
"Speed racer"=C:\Program Files\Creative\PlayCenter\CTSRReg.exe
"UpdReg"=C:\WINDOWS\Updreg.exe
"NvCplDaemon"=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
"nwiz"=nwiz.exe /install
"Hot Key Kbd 9910 Daemon"=SK9910DM.EXE
"GRA"=C:\CABS\grainstall\GRA.exe
"Corel Reminder"="C:\PROGRAM FILES\COREL\GRAPHICS10\REGISTER\NAVBROWSER.EXE" /r /i "C:\PROGRAM FILES\COREL\GRAPHICS10\REGISTER\NavLoad.ini"
"QAGENT"=C:\PROGRAM FILES\QUICKENW\QAGENT.EXE

R2 CVS;CVSNT;D:\Me-XP\Util\cvsnt\cvsservice.exe [2004-10-29 14:03]
R2 IOPort;IOPort;C:\WINDOWS\system32\DRIVERS\IOPORT.SYS [1998-11-27 15:57]
R2 msftesql$SQLEXPRESS;SQL Server FullText Search (SQLEXPRESS);"d:\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 []
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R3 HCWBT8XX;Hauppauge WinTV 848/9 WDM Video Driver;C:\WINDOWS\system32\DRIVERS\HCWBT8XX.sys [2002-03-01 00:35]
S4 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 14:40:34 C:\WINDOWS\Tasks\Uninstall Expiration Reminder.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 10:22:46
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql$SQLEXPRESS]
"ImagePath"="\"d:\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:SQLEXPRESS"
--

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="D:/Me-XP/mysql/bin/mysqld-nt.exe"
.
Completion time: 2008-01-07 10:23:40
ComboFix-quarantined-files.txt 2008-01-07 16:23:38
ComboFix3.txt 2008-01-03 19:03:22
ComboFix2.txt 2008-01-07 03:29:44
.
2007-12-12 09:04:05 --- E O F ---

I then ran CCleaner (and wish I had a log, just because), but it sure did delete a ton of crap - some 665MB!

I then ran the Kaspersky Online Scanner - but, I should say that I had a hard time finding it. Your link to http://www.kaspersky.com/virusscanner brought me to the site ok, but there was no clear indication of how or where to start an online scan. I even did a search of the Kaspersky site for 'Online scanner' and only got hits on news articles about the top 20 infections found with online scanner - but not a clue as to where or how to start the online scanner. But Google led me to http://www.kaspersky.com/kos/eng/partne ... bscan.html and the scan took over 5 hours, and found 5 viruses and 22 infected objects.

The Kaspersky log is below: (NOTE, I redacted the email names of me and my sister who I now see sent me a bad joke virus many years ago. All the crap from the pclink.com email account are very old junk.)

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, January 07, 2008 5:40:36 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/01/2008
Kaspersky Anti-Virus database records: 503726
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
T:\
U:\

Scan Statistics:
Total number of scanned objects: 201089
Number of viruses found: 5
Number of infected objects: 22
Number of suspicious objects: 0
Duration of the scan process: 05:17:17

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_3bc.dat Object is locked skipped
C:\WINDOWS\TEMP\ZLT07be8.TMP Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\GATEWAY1200.ldb Object is locked skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{9532B7DF-E6EF-41E4-B65E-013C9C1E22BE}.bin Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\Program Files\Corel\WordPerfect Office 2000\programs\pfdtlr.dat Object is locked skipped
C:\Program Files\Corel\WordPerfect Office 2000\programs\pfdtlr.ndx Object is locked skipped
C:\Program Files\Corel\WordPerfect Office 2000\template\Custom WP Templates\qw9en.wpt Object is locked skipped
C:\Program Files\Corel\WordPerfect Office 2000\template\Custom WP Templates\XML\XML.wpt Object is locked skipped
C:\Program Files\Corel\WordPerfect Office 2000\template\Custom WP Templates\wp9US.wpt Object is locked skipped
C:\Program Files\Apache Group\Apache2\logs\access.log Object is locked skipped
C:\Program Files\Apache Group\Apache2\logs\error.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_7a0.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Admin\ntuser.dat Object is locked skipped
C:\Documents and Settings\Admin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\MSHist012008010720080108\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\wt95FF.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\wt9600.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\~DF4E75.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\~DF4E7F.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\wt9A.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\wt9B.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\wt9C.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\wt9D.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\wt9E.tmp Object is locked skipped
C:\Documents and Settings\Admin\My Documents\Corel User Files\WT9US.UWL Object is locked skipped
C:\Documents and Settings\Admin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\opnnkkl.dll.bad.bac_a02948 Infected: not-a-virus:AdWare.Win32.Virtumonde.clz skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\msmetvfy.dll.bad.bac_a02948 Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\backups.zip.bac_a02948/backups/Yazzle1552OinAdmin.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\backups.zip.bac_a02948 ZIP: infected - 1 skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\backups.zip.bac_a02948 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\ursqp.exe.vir.bac_a02948 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\A0211503.EXE.bac_a02948 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\A0211599.exe.bac_a02948 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\A0211617.exe.bac_a02948 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\A0211626.exe.bac_a02948 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\A0211739.exe.bac_a02948 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\A0211807.exe.bac_a02948 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\A0211819.exe.bac_a02948 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\A0211856.exe.bac_a02948 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\A0211865.EXE.bac_a02948 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\A0211888.exe.bac_a02948 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\ursqp.exe.bad.bac_a02948 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{DCA9B734-B7CB-4718-A8C0-CB56CC72EB4E}\RP1658\change.log Object is locked skipped
D:\Me-XP\My WordPerfect\Trojan.wpd Object is locked skipped
D:\Me-XP\My Saved Files\Nec266\Mozilla\Profiles\-----@pclink-1.com\8zqr0fc3.slt\Mail\pclink.com\Inbox.sbd\Personal/[From -----@msi-insurance.com][Date Mon, 4 Mar 2002 14:58:27 -0600]/text/[From -----@msi-insurance.com][Date Wed, 13 Mar 2002 12:10:33 -0600]/text/[From -----@msi-insurance.com][Date Wed, 15 Jan 2003 12:36:10 -0600]/text/[From ----- ----- <-----@mm.com>][Date Thu, 22 Jan 1998 15:19:07 -0600]/small.exe Infected: not-virus:BadJoke.Win16.Stupid.a skipped
D:\Me-XP\My Saved Files\Nec266\Mozilla\Profiles\-----@pclink-1.com\8zqr0fc3.slt\Mail\pclink.com\Inbox.sbd\Personal/[From -----@msi-insurance.com][Date Mon, 4 Mar 2002 14:58:27 -0600]/text/[From -----@msi-insurance.com][Date Wed, 13 Mar 2002 12:10:33 -0600]/text/[From -----@msi-insurance.com][Date Wed, 15 Jan 2003 12:36:10 -0600]/text Infected: not-virus:BadJoke.Win16.Stupid.a skipped
D:\Me-XP\My Saved Files\Nec266\Mozilla\Profiles\mzappa@pclink-1.com\8zqr0fc3.slt\Mail\pclink.com\Inbox.sbd\Personal/[From -----@msi-insurance.com][Date Mon, 4 Mar 2002 14:58:27 -0600]/text/[From -----@msi-insurance.com][Date Wed, 13 Mar 2002 12:10:33 -0600]/text Infected: not-virus:BadJoke.Win16.Stupid.a skipped
D:\Me-XP\My Saved Files\Nec266\Mozilla\Profiles\-----@pclink-1.com\8zqr0fc3.slt\Mail\pclink.com\Inbox.sbd\Personal/[From -----@msi-insurance.com][Date Mon, 4 Mar 2002 14:58:27 -0600]/text Infected: not-virus:BadJoke.Win16.Stupid.a skipped
D:\Me-XP\My Saved Files\Nec266\Mozilla\Profiles\-----@pclink-1.com\8zqr0fc3.slt\Mail\pclink.com\Inbox.sbd\Personal Mail Berkeley mbox: infected - 4 skipped
D:\Me-XP\mysql\data\mysql.err Object is locked skipped
D:\Me-XP\UtilAvast\DATA\log\nshield.log Object is locked skipped
D:\Me-XP\UtilAvast\DATA\aswResp.dat Object is locked skipped
D:\Me-XP\UtilAvast\DATA\Avast4.db Object is locked skipped
D:\System Volume Information\_restore{DCA9B734-B7CB-4718-A8C0-CB56CC72EB4E}\RP1658\change.log Object is locked skipped
D:\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
D:\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_68.trc Object is locked skipped
D:\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
D:\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
D:\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
D:\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
D:\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
D:\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
D:\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
D:\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped

Scan process completed.


How is my PC running? Pretty good (thanks to you) for a 5 year old XP install on a 7 year old computer.

Thanks for your help,
bison7120
bison7120
Active Member
 
Posts: 12
Joined: January 1st, 2008, 3:36 pm
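An added triage helper, not from the thread and not Kaspersky's own tooling: it reads report lines in the "Infected Object Name / Virus Name / Last Action" format posted above and separates hits sitting in a quarantine folder or an old mail store (already neutralised) from hits at live paths that would still need action. The sample lines and the location rules are constructed assumptions modelled on the report, not the original log.

```python
"""Triage a Kaspersky Online Scanner (v5) report by where each hit lives.

Constructed example. The regexes cover the three line shapes seen in the
report: "<path> Infected: <verdict> <action>", "<path> <container>: infected - <n>
<action>" and "<path> Object is locked <action>". Everything else is ignored.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\S+)$")
# Archives and mailboxes are reported as a container with a hit count, e.g.
# "ZIP: infected - 1" or "Mail Berkeley mbox: infected - 4".
CONTAINER_RE = re.compile(
    r"^(?P<path>.+?) (?P<container>[\w .]+?): infected - (?P<count>\d+) (?P<action>\S+)$"
)
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")


class Detection(NamedTuple):
    path: str
    verdict: str
    location: str       # quarantine | mail-store | system-restore | live
    is_container: bool  # True for the archive/mbox summary line


def classify_location(path: str) -> str:
    """Assumed rules: quarantine and restore-point copies are inert, a hit
    inside a mail store is an old attachment, anything else counts as live."""
    p = path.lower()
    if "\\quarantine\\" in p or p.endswith("\\quarantine"):
        return "quarantine"
    if "system volume information\\_restore" in p:
        return "system-restore"
    if "\\mail\\" in p:
        return "mail-store"
    return "live"


def parse_report(text: str) -> Tuple[List[Detection], int]:
    """Return (detections, number of locked objects that were skipped)."""
    detections: List[Detection] = []
    locked = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = INFECTED_RE.match(line)
        if m:
            detections.append(Detection(m["path"], m["verdict"],
                                        classify_location(m["path"]), False))
            continue
        m = CONTAINER_RE.match(line)
        if m:
            verdict = f"{m['container']}: {m['count']} infected object(s)"
            detections.append(Detection(m["path"], verdict,
                                        classify_location(m["path"]), True))
            continue
        if LOCKED_RE.match(line):
            locked += 1
    return detections, locked


def cleanup_targets(detections: List[Detection]) -> List[str]:
    """Folders/files a helper would ask to have removed: the quarantine folder
    itself and the mbox file (the part before the first '/' message separator)."""
    targets = set()
    for d in detections:
        low = d.path.lower()
        if d.location == "quarantine":
            targets.add(d.path[: low.index("\\quarantine") + len("\\quarantine")])
        elif d.location == "mail-store":
            targets.add(d.path.split("/", 1)[0])
    return sorted(targets)


def triage(text: str) -> Dict[str, object]:
    detections, locked = parse_report(text)
    objects = [d for d in detections if not d.is_container]
    return {
        "locked": locked,
        "objects": len(detections),
        "by_location": dict(Counter(d.location for d in objects)),
        "by_verdict": dict(Counter(d.verdict for d in objects)),
        "needs_action": [d.path for d in detections if d.location == "live"],
        "containers": [d.path for d in detections if d.is_container],
    }


# Constructed sample modelled on the report above; the last line is an
# invented live hit with a placeholder name, added to show that category.
SAMPLE_REPORT = r"""
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\opnnkkl.dll.bad.bac_a02948 Infected: not-a-virus:AdWare.Win32.Virtumonde.clz skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\backups.zip.bac_a02948/backups/Yazzle1552OinAdmin.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\backups.zip.bac_a02948 ZIP: infected - 1 skipped
C:\Documents and Settings\Admin\.housecall6.6\Quarantine\ursqp.exe.vir.bac_a02948 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\Me-XP\My Saved Files\Profiles\user@example.invalid\Mail\Inbox.sbd\Personal/[From a@example.invalid]/small.exe Infected: not-virus:BadJoke.Win16.Stupid.a skipped
D:\Me-XP\My Saved Files\Profiles\user@example.invalid\Mail\Inbox.sbd\Personal Mail Berkeley mbox: infected - 1 skipped
C:\WINDOWS\SYSTEM32\example_live_hit.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("cleanup:", cleanup_targets(parse_report(SAMPLE_REPORT)[0]))
```

Only the "needs_action" entries point at something still on the live file system; everything under "quarantine" or "mail-store" is inert data that can simply be deleted, which is the call made in the reply that follows.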

Re: New Year starts as a victim of usrqp - just won't stay dead

Unread postby markamus » January 9th, 2008, 11:13 am

Hi bison7120,

The infected mail is being kept in some Mozilla profiles.
D:\Me-XP\My Saved Files\Nec266\Mozilla\Profiles\-----@pclink-1.com
D:\Me-XP\My Saved Files\Nec266\Mozilla\Profiles\mzappa@pclink-1.com

Are these old unneeded profiles? Do you have anything in them that does not need to be deleted? Or can the entire profiles be deleted?
markamus
Regular Member
 
Posts: 696
Joined: August 9th, 2006, 9:28 pm
Location: Alabama

Re: New Year starts as a victim of usrqp - just won't stay dead

Unread postby bison7120 » January 9th, 2008, 2:18 pm

Hi markamus,

Yes, that old junk can be deleted.

Bison7120
bison7120
Active Member
 
Posts: 12
Joined: January 1st, 2008, 3:36 pm

Re: New Year starts as a victim of usrqp - just won't stay dead

Unread postby markamus » January 9th, 2008, 4:50 pm

Hi bison7120,

Using Windows Explorer
    (Right click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents)
Locate and Delete the following folders
    C:\Documents and Settings\Admin\.housecall6.6\Quarantine
    D:\Me-XP\My Saved Files\Nec266\Mozilla\Profiles\-----@pclink-1.com
    D:\Me-XP\My Saved Files\Nec266\Mozilla\Profiles\mzappa@pclink-1.com
----------------------------------------------------------------------------------------------

Download and Install SuperAntiSpyware Free

  • Launch SuperAntiSpyware
  • Click Check for Updates and update to the latest definitions.
  • Click Scan your Computer
    • Check all boxes in the Scan Location box.
    • Check the Complete Scan radio button.
    • Click Scanning Preferences/Control Centre button.
      • Uncheck Ignore files larger than 4MB (recommended)
      • Check Scan Alternate Data Streams.
      • Click Close.
    • Click Next
  • SuperAntiSpyware will now scan your computer for infection. (This could take in excess of an hour depending on the number of files scanned)
  • When finished it will present you with a summary of its findings.
  • Click OK.
  • The Removal Screen will open.
    • Check the items in the list to mark them for Quarantine.
    • Click Next and SAS will Quarantine them.
Please send me the log.
  • Click the Preferences button.
    • Click the Statistics/Logs tab.
      • Logs are listed by date and time, click on the latest one to highlight it (at the top).
      • Click View log.
    • This will open a log page.
    • Copy/Paste the contents in your next post please.


CAUTION: SuperAntiSpyware comes with a programme called Bootsafe, do not for any reason use this programme, if used on an infected computer it could render it UNBOOTABLE.
----------------------------------------------------------------------

In your next reply, please include the following:
  1. The SuperAntiSpyware report.
  2. A fresh HijackThis log.
  3. Again, update me on how the PC is running.
Thanks,

markamus
markamus
Regular Member
 
Posts: 696
Joined: August 9th, 2006, 9:28 pm
Location: Alabama

Re: New Year starts as a victim of usrqp - just won't stay dead

Unread postby bison7120 » January 10th, 2008, 12:08 am

Hi markamus,

I deleted the old files and ran SUPERAntiSpyware. It found nothing. I assume that is a good thing. The log is below. Plus a new HiJackThis log.

The PC is running free and clear. The only thing I’d like to clean up is two index.dat files in C:\Documents and Settings\Admin\Cookies and in C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5. I saw (using SystemInternals ProcessExplorer) back on Jan 2 that they were open by ursqp.exe. I’ve tried to delete them in Safe Mode, tried ATF Cleaner and CCLeaner, but they remain. I can’t find any process that has them open now, but I still can’t delete them. I suspect that the files themselves are no longer a real issue, but I’d still like to get rid of them.

The System Tray in the right corner is now chock full of protection: SpyBot SD Resident, ZoneAlarm, SUPERAntiSpyware, avast! Virus Recovery Database, avast! On Access Scanner and TrojanHunter Guard.

SUPERAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/09/2008 at 08:24 PM

Application Version : 3.9.1008

Core Rules Database Version : 3377
Trace Rules Database Version: 1371

Scan type : Complete Scan
Total Scan Time : 04:24:01

Memory items scanned : 452
Memory threats detected : 0
Registry items scanned : 6743
Registry threats detected : 0
File items scanned : 198353
File threats detected : 0

Latest HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:13 PM, on 1/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Me-XP\Downloads\malware\AdAware\aawservice.exe
D:\Me-XP\UtilAvast\aswUpdSv.exe
D:\Me-XP\UtilAvast\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
D:\Me-XP\Util\cvsnt\cvsservice.exe
D:\Me-XP\Util\cvsnt\cvslock.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
D:\Me-XP\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\fxssvc.exe
D:\Me-XP\UtilAvast\ashMaiSv.exe
D:\Me-XP\UtilAvast\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\devldr32.exe
D:\Me-XP\Downloads\malware\TrojanHunter 5.0\THGuard.exe
C:\WINDOWS\system32\SK9910DM.EXE
D:\Me-XP\UTILAV~1\ashDisp.exe
D:\Me-XP\Downloads\malware\Spybot - Search & Destroy\TeaTimer.exe
D:\Me-XP\bin\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Me-XP\Util\ZoneAlarm\zonealarm.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gateway1200/home/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Me-XP\DOWNLO~1\malware\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [THGuard] "D:\Me-XP\Downloads\malware\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [avast!] D:\Me-XP\UTILAV~1\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Me-XP\Downloads\malware\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Me-XP\bin\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Global Startup: ZoneAlarm.lnk = Util\ZoneAlarm\zonealarm.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Me-XP\DOWNLO~1\malware\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Me-XP\DOWNLO~1\malware\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {01112303-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon ... gctlch.cab
O16 - DPF: {01112B00-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon ... d/tgrc.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5352714408
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O20 - Winlogon Notify: !SASWinLogon - D:\Me-XP\bin\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Me-XP\Downloads\malware\AdAware\aawservice.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Me-XP\UtilAvast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Me-XP\UtilAvast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Me-XP\UtilAvast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Me-XP\UtilAvast\ashWebSv.exe
O23 - Service: CVSNT (CVS) - GNU - D:\Me-XP\Util\cvsnt\cvsservice.exe
O23 - Service: CVSNT Locking Service (CVSLock) - Unknown owner - D:\Me-XP\Util\cvsnt\cvslock.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - D:\Me-XP\Util\ISORecorder\ImapiHelper.exe
O23 - Service: MySql - Unknown owner - D:/Me-XP/mysql/bin/mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 6853 bytes

Thanks for the help,
bison7120
bison7120
Active Member
 
Posts: 12
Joined: January 1st, 2008, 3:36 pm

Re: New Year starts as a victim of usrqp - just won't stay dead

Unread postby markamus » January 15th, 2008, 8:33 am

Hi bison7120,

Sorry for the delay. Regarding index.dat, CCleaner does delete the file. However, it is a Windows system file that keeps up with visited web pages, search criteria, etc. When deleted, it will regenerate itself from a fresh start. This is what you are seeing. It won't cause any harm.

Just a couple of things to tidy up here.
Open HJT by navigating to your HijackThis folder and double clicking on HijackThis.exe. Select the second button entitled "Do a system scan only".
Now select the following entries by placing a tick in the left-hand check box:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O24 - Desktop Component 0: (no name) - (no file)


Once you have selected all entries, close all running programs then click once on the "fix checked" button to clear the entries from your log.
----------------------------------------------------------------------------------------------

Reboot your PC, then post back with another fresh HijackThis log.

Thanks,

markamus
markamus
Regular Member
 
Posts: 696
Joined: August 9th, 2006, 9:28 pm
Location: Alabama
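The three entries markamus picks out above share one property: each is a registration that no longer points at anything (an O24 desktop component with "(no file)", an O16 DPF entry with no download URL, and a search URL reset to about:blank). Checking a long HijackThis log for that pattern by eye is tedious, so here is a small parser that does it. This is an added example written for this page, not part of the thread and not a HijackThis feature; the sample input is a handful of lines copied from the log posted above, and the "orphan"/"review" rules are my own heuristics, not verdicts about whether an entry is malicious.

```python
import re
from dataclasses import dataclass

# Lines copied verbatim from the HijackThis log posted above (no entries invented).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gateway1200/home/index.html
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [avast!] D:\Me-XP\UTILAV~1\ashDisp.exe
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O23 - Service: MySql - Unknown owner - D:/Me-XP/mysql/bin/mysqld-nt.exe
O24 - Desktop Component 0: (no name) - (no file)
"""

# Every HijackThis entry line starts with a section tag such as R1, O2, O16, O23.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    line: str
    level: str   # "orphan": registration points at nothing; "review": worth a second look
    reason: str


def parse_entries(log_text):
    """Yield (section, body, raw_line) for each entry line; process lists etc. are skipped."""
    for raw in log_text.splitlines():
        raw = raw.rstrip()
        m = ENTRY_RE.match(raw)
        if m:
            yield m.group("section"), m.group("body"), raw


def classify(section, body, raw):
    """Apply the (assumed, heuristic) rules; return a Finding or None for an unremarkable entry."""
    # HijackThis itself appends these markers when the registered target is absent on disk.
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        return Finding(section, raw, "orphan", "registered target does not exist on disk")
    # An O16 (Download Program Files) entry normally ends in a URL or local path; a bare "-" is empty.
    if section == "O16" and body.rstrip().endswith("-"):
        return Finding(section, raw, "orphan", "DPF entry has no download URL or local path")
    # R0/R1 start or search values set to about:blank are leftovers, not a working setting.
    if section in ("R0", "R1") and body.endswith("= about:blank"):
        return Finding(section, raw, "review", "IE search/start value set to about:blank")
    # A service with no publisher is not wrong by itself, but it is the one to verify by hand.
    if section == "O23" and " - Unknown owner - " in body:
        return Finding(section, raw, "review", "service binary has no publisher information")
    return None


def flag_entries(log_text):
    """Return the list of Findings for a whole HijackThis log, in log order."""
    findings = []
    for section, body, raw in parse_entries(log_text):
        f = classify(section, body, raw)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in flag_entries(SAMPLE_LOG):
        print(f"[{f.level:6}] {f.section}: {f.reason}")
        print(f"         {f.line}")
```

Run against the sample, it reports the same three entries markamus asked to have fixed, plus the orphaned Java BHO and the MySql service for review. The "review" items are deliberately not "orphan": the about:blank value and the unsigned MySql service are things to look at, and in this thread both turned out to be harmless.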

Re: New Year starts as a victim of usrqp - just won't stay dead

Unread postby bison7120 » January 16th, 2008, 10:28 am

Hi markamus,

I checked and fixed the hijack this items and rebooted. Below is the latest hjt log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:42 AM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Me-XP\Downloads\malware\AdAware\aawservice.exe
D:\Me-XP\UtilAvast\aswUpdSv.exe
D:\Me-XP\UtilAvast\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
D:\Me-XP\Util\cvsnt\cvsservice.exe
D:\Me-XP\Util\cvsnt\cvslock.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
D:\Me-XP\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\fxssvc.exe
D:\Me-XP\UtilAvast\ashMaiSv.exe
D:\Me-XP\UtilAvast\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\wuauclt.exe
D:\Me-XP\Downloads\malware\TrojanHunter 5.0\THGuard.exe
C:\WINDOWS\system32\SK9910DM.EXE
D:\Me-XP\UTILAV~1\ashDisp.exe
C:\WINDOWS\system32\devldr32.exe
D:\Me-XP\Downloads\malware\Spybot - Search & Destroy\TeaTimer.exe
D:\Me-XP\bin\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Me-XP\Util\ZoneAlarm\zonealarm.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gateway1200/home/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Me-XP\DOWNLO~1\malware\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [THGuard] "D:\Me-XP\Downloads\malware\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [avast!] D:\Me-XP\UTILAV~1\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Me-XP\Downloads\malware\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Me-XP\bin\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Global Startup: ZoneAlarm.lnk = Util\ZoneAlarm\zonealarm.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Me-XP\DOWNLO~1\malware\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Me-XP\DOWNLO~1\malware\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {01112303-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon ... gctlch.cab
O16 - DPF: {01112B00-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon ... d/tgrc.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5352714408
O20 - Winlogon Notify: !SASWinLogon - D:\Me-XP\bin\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Me-XP\Downloads\malware\AdAware\aawservice.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Me-XP\UtilAvast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Me-XP\UtilAvast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Me-XP\UtilAvast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Me-XP\UtilAvast\ashWebSv.exe
O23 - Service: CVSNT (CVS) - GNU - D:\Me-XP\Util\cvsnt\cvsservice.exe
O23 - Service: CVSNT Locking Service (CVSLock) - Unknown owner - D:\Me-XP\Util\cvsnt\cvslock.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - D:\Me-XP\Util\ISORecorder\ImapiHelper.exe
O23 - Service: MySql - Unknown owner - D:/Me-XP/mysql/bin/mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 6770 bytes

Thank you,
bison7120
PS I see that “O24 - Desktop Component 0: (no name) - (no file)” didn’t go away.
bison7120
Active Member
 
Posts: 12
Joined: January 1st, 2008, 3:36 pm

Re: New Year starts as a victim of usrqp - just won't stay dead

Unread postby markamus » January 16th, 2008, 12:56 pm

Hi bison7120,

This should take care of that last line in the HijackThis log.
Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Uncheck and delete everything you find in there. (except for "My current home page")

When this is done, reboot and post a fresh HijackThis log.

Thanks,

markamus
markamus
Regular Member
 
Posts: 696
Joined: August 9th, 2006, 9:28 pm
Location: Alabama

Re: New Year starts as a victim of usrqp - just won't stay dead

Unread postby bison7120 » January 17th, 2008, 1:59 am

Hi markamus,

I did as instructed. That did the trick and got rid of the O24 line. The latest HJT log is below.

The PC is running fine. I think it is really pretty clean right now. I really appreciate all your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:55 PM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Me-XP\Downloads\malware\AdAware\aawservice.exe
D:\Me-XP\UtilAvast\aswUpdSv.exe
D:\Me-XP\UtilAvast\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
D:\Me-XP\Util\cvsnt\cvsservice.exe
D:\Me-XP\Util\cvsnt\cvslock.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\Explorer.EXE
D:\Me-XP\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\fxssvc.exe
D:\Me-XP\Downloads\malware\TrojanHunter 5.0\THGuard.exe
C:\WINDOWS\system32\SK9910DM.EXE
D:\Me-XP\UTILAV~1\ashDisp.exe
C:\WINDOWS\system32\devldr32.exe
D:\Me-XP\Downloads\malware\Spybot - Search & Destroy\TeaTimer.exe
D:\Me-XP\bin\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Me-XP\Util\ZoneAlarm\zonealarm.exe
D:\Me-XP\UtilAvast\ashMaiSv.exe
D:\Me-XP\UtilAvast\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gateway1200/home/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Me-XP\DOWNLO~1\malware\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [THGuard] "D:\Me-XP\Downloads\malware\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [avast!] D:\Me-XP\UTILAV~1\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Me-XP\Downloads\malware\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Me-XP\bin\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Global Startup: ZoneAlarm.lnk = Util\ZoneAlarm\zonealarm.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Me-XP\DOWNLO~1\malware\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Me-XP\DOWNLO~1\malware\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {01112303-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon ... gctlch.cab
O16 - DPF: {01112B00-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon ... d/tgrc.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5352714408
O20 - Winlogon Notify: !SASWinLogon - D:\Me-XP\bin\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Me-XP\Downloads\malware\AdAware\aawservice.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Me-XP\UtilAvast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Me-XP\UtilAvast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Me-XP\UtilAvast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Me-XP\UtilAvast\ashWebSv.exe
O23 - Service: CVSNT (CVS) - GNU - D:\Me-XP\Util\cvsnt\cvsservice.exe
O23 - Service: CVSNT Locking Service (CVSLock) - Unknown owner - D:\Me-XP\Util\cvsnt\cvslock.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - D:\Me-XP\Util\ISORecorder\ImapiHelper.exe
O23 - Service: MySql - Unknown owner - D:/Me-XP/mysql/bin/mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 6687 bytes

Thanks,
bison7120
bison7120
Active Member
 
Posts: 12
Joined: January 1st, 2008, 3:36 pm