Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

help me!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

help me!

Unread postby smophie » February 24th, 2008, 5:37 am

There used to be many popups alerting me to "spyware attacks " on my computer and randomly, there are still internet explorers that open up. My computer is a LOT slower than it was 3 days ago when there were no viruses on my computer. Here is my log..

Thanks!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:35:15 AM, on 2/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\Program Files\AccessManager\Client\sygman.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SXG Advisor - {6FFDE480-14C1-43FC-BEC1-CA97A2541FFD} - C:\WINDOWS\dmdvpnslp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet ×ê?′???÷ - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6225710515
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O21 - SSODL: admgcx - {8838A0C6-7595-4D6F-A185-EC85942513EF} - C:\WINDOWS\admgcx.dll
O21 - SSODL: bdmanager - {6C508BE8-F039-4F7B-9844-ED8DD69615B8} - (no file)
O23 - Service: Access Manager Configuration Service (AMBroker) - MCI, Inc. - C:\Program Files\AccessManager\Client\AMBroker.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - MCI, Inc. - C:\Program Files\AccessManager\Client\DAPlugin.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
O23 - Service: SSA Integration Manager (Sygman) - MCI, Inc. - C:\Program Files\AccessManager\Client\sygman.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLANKEEPER - Intel? Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10788 bytes
smophie
Active Member
 
Posts: 3
Joined: February 24th, 2008, 5:27 am
Advertisement
Register to Remove

Re: help me!

Unread postby Carolyn » February 24th, 2008, 5:00 pm

Hello and Welcome to the forums!

My name is Carolyn and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please reply to this thread, do not start another.
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.

As I am still in training, everything that I post to you must be checked by one of the teachers. Thus, there may be a bit of a delay between posts, but it shouldn't be too long.

If you follow these instructions, everything should go smoothly.

we are currently looking at your log now and will be back as soon as possible with your instructions.
while you are waiting one other thing that can be of good use is an uninstall list so please do the following

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in your next reply.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: help me!

Unread postby Carolyn » February 25th, 2008, 9:05 pm

Hi smophie,

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.
To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):
  1. Click Start, point to Settings, and then click Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.
  4. Do the same for each Viewpoint component.


P2P Warning!

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

BitComet

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm
See Clean/Infected P2P Programs here

I would recommend that you uninstall BitComet, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

STEP 1:
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.


STEP 2:
Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Please post the contents of Report.txt, the ComboFix log and a fresh HijackThis log.
Last edited by Carolyn on February 26th, 2008, 7:39 am, edited 1 time in total.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: help me!

Unread postby smophie » February 25th, 2008, 11:26 pm

Hi Carolyn,

Thank you so much for your help!

Here is the Hijack uninstall list:

Access Manager
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.9
Adobe Shockwave Player
Advanced WindowsCare Personal 2.6.0
AIM 6
ALPS Touch Pad Driver
Apple Software Update
Avanquest update
AviSynth 2.5
BitComet 0.96
Bonjour
Broadcom Advanced Control Suite 2
Broadcom ASF Management Applications
Cisco Systems VPN Client 5.0.00.0340
Conexant D110 MDC V.92 Modem
Digital Line Detect
EPSON Printer Software
Google Gmail Notifier
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows XP (KB896344)
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) PROSet/Wireless Software
InterActual Player
Internal Network Card Power Management
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 3
Juniper Networks Secure Application Manager
LimeWire 4.14.10
LiveUpdate 3.1 (Symantec Corporation)
MathType 6
mCore
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Office Communicator 2005
Microsoft Office Live Meeting 2005
Microsoft Office Professional Edition 2003
MIT Kerberos for Windows 2.6.5
mIWA
mIWCA
mLogView
mMHouse
Modem Helper
Motorola Phone Tools
Mozilla Firefox (2.0.0.12)
mPfMgr
mPfWiz
mProSafe
mSSO
mToolkit
mWlsSafe
mXML
mZConfig
NetWaiting
Picasa 2
PowerDVD 5.1
QuickSet
QuickTime
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Skype? 3.6
Sonic DLA
Sonic RecordNow! Plus
Sonic Update Manager
Spybot - Search & Destroy 1.5.2.20
Storm Codec
Symantec AntiVirus
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Viewpoint Media Player
WebEx
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB893086
WinRAR archiver
smophie
Active Member
 
Posts: 3
Joined: February 24th, 2008, 5:27 am

Re: help me!

Unread postby Carolyn » February 26th, 2008, 7:34 am

Hi smophie,

Thank you for posting the uninstall list. Please post the additional logs/reports when ready. I had posted additional instructions prior to your posting the uninstall list...if you missed my second post, you can jump to it using this link.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: help me!

Unread postby smophie » February 26th, 2008, 9:12 pm

Hi Carolyn, here is my Combofix Log

ComboFix 08-02-25.3 - erfeic 2008-02-26 20:00:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.504 [GMT -5:00]
Running from: C:\Documents and Settings\sophie\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\tmp17C.tmp.exe
C:\Documents and Settings\Administrator\Favorites\Error Cleaner.url
C:\Documents and Settings\Administrator\Favorites\Privacy Protector.url
C:\Documents and Settings\Administrator\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\amy.zheng\Application Data\wsnpoem
C:\Documents and Settings\amy.zheng\Application Data\wsnpoem\audio.dll
C:\Documents and Settings\amy.zheng\Application Data\wsnpoem\video.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\drivers\fad.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_RUNTIME


((((((((((((((((((((((((( Files Created from 2008-01-27 to 2008-02-27 )))))))))))))))))))))))))))))))
.

2008-02-26 19:16 . 2008-02-26 19:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-26 19:13 . 2008-02-26 19:57 <DIR> d-------- C:\SDFix
2008-02-22 16:27 . 2008-02-24 02:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Move Networks
2008-02-22 15:43 . 2008-02-22 15:41 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-22 15:43 . 2008-02-22 15:43 2,550 --a------ C:\WINDOWS\unins000.dat
2008-02-22 02:34 . 2008-02-22 02:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-21 17:58 . 2008-02-24 04:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-21 17:58 . 2008-02-21 17:58 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-21 16:43 . 2008-02-21 16:43 <DIR> d-------- C:\Documents and Settings\sophie\Application Data\MSNInstaller
2008-02-21 16:33 . 2008-02-23 03:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-21 16:16 . 2008-02-22 15:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-16 12:52 . 2008-02-16 12:52 <DIR> d-------- C:\Program Files\iTunes
2008-02-16 12:52 . 2008-02-16 12:52 <DIR> d-------- C:\Program Files\iPod
2008-02-16 12:51 . 2008-02-16 12:51 <DIR> d-------- C:\Program Files\Bonjour
2008-02-16 00:15 . 2008-02-16 00:15 <DIR> d-------- C:\Program Files\Ringz Studio
2008-02-16 00:15 . 2008-02-16 00:15 <DIR> d-------- C:\Program Files\Common Files\Real
2008-02-16 00:12 . 2008-02-16 00:13 <DIR> d-------- C:\Documents and Settings\sophie\Application Data\DivX
2008-02-16 00:11 . 2008-02-23 20:10 <DIR> d-------- C:\Program Files\DivX
2008-02-11 18:29 . 2004-08-04 05:00 22,528 --a------ C:\WINDOWS\system32\lpdsvc.dll
2008-02-11 18:29 . 2004-08-04 05:00 22,528 --a------ C:\WINDOWS\system32\dllcache\lpdsvc.dll
2008-02-11 18:29 . 2004-08-04 05:00 18,944 --a------ C:\WINDOWS\system32\lprmon.dll
2008-02-11 18:29 . 2004-08-04 05:00 18,944 --a------ C:\WINDOWS\system32\dllcache\lprmon.dll
2008-02-05 00:34 . 2008-02-05 00:34 <DIR> d-------- C:\Documents and Settings\sophie\Application Data\Design Science
2008-02-05 00:33 . 2008-02-05 00:33 <DIR> d-------- C:\Program Files\MathType
2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-31 23:13 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-27 01:03 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-26 03:29 --------- d-----w C:\Program Files\Viewpoint
2008-02-26 03:29 --------- d-----w C:\Program Files\BitComet
2008-02-26 03:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-25 20:41 --------- d-----w C:\Documents and Settings\sophie\Application Data\LimeWire
2008-02-24 01:09 --------- d-----w C:\Program Files\DVD slideshow GUI
2008-02-23 12:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-23 09:46 --------- d-----w C:\Program Files\Shockwave.com
2008-02-21 21:27 --------- d-----w C:\Program Files\Yahoo! Games
2008-02-18 19:31 --------- d-----w C:\Documents and Settings\sophie\Application Data\Skype
2008-02-18 19:30 --------- d-----w C:\Documents and Settings\sophie\Application Data\skypePM
2008-02-16 17:50 --------- d-----w C:\Program Files\QuickTime
2008-02-16 17:41 --------- d-----w C:\Documents and Settings\sophie\Application Data\Apple Computer
2008-01-15 05:00 --------- d-----w C:\Documents and Settings\sophie\Application Data\Move Networks
2008-01-15 01:04 --------- d-----w C:\Program Files\EPSON
2008-01-13 16:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-01-13 16:03 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-01-13 15:56 --------- d-----w C:\Program Files\Avanquest update
2008-01-13 15:55 --------- d-----w C:\Documents and Settings\sophie\Application Data\InstallShield
2008-01-13 15:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-13 15:50 24,192 ----a-w C:\Documents and Settings\sophie\usbsermptxp.sys
2008-01-13 15:50 22,768 ----a-w C:\Documents and Settings\sophie\usbsermpt.sys
2008-01-07 22:27 --------- d-----w C:\Documents and Settings\sophie\Application Data\Oracle
2008-01-07 22:15 --------- d-----w C:\Program Files\Oracle Calendar
2008-01-07 21:02 --------- d-----w C:\Program Files\Yahoo!
2008-01-07 20:42 --------- d-----w C:\Documents and Settings\sophie\Application Data\PlayFirst
2008-01-07 20:40 --------- d-----w C:\Documents and Settings\sophie\Application Data\Flood Light Games
2008-01-07 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Flood Light Games
2008-01-05 07:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\MumboJumbo
2008-01-04 21:58 43,528 -c----w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-01-04 03:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-01-04 03:15 --------- d-----w C:\Program Files\IObit
2008-01-03 09:02 --------- d-----w C:\Documents and Settings\sophie\Application Data\ForgottenRiddles
2008-01-03 07:17 --------- d-----w C:\Documents and Settings\sophie\Application Data\Super-Cow
2008-01-03 05:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-01-02 23:24 --------- d-----w C:\Documents and Settings\sophie\Application Data\Pirateville
2008-01-01 13:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop Games
2007-12-28 18:26 --------- d-----w C:\Documents and Settings\sophie\Application Data\iWin
2007-12-27 17:26 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-27 17:25 --------- d-----w C:\Program Files\Skype
2007-12-27 17:25 --------- d-----w C:\Program Files\Common Files\Skype
2007-12-27 17:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-12-27 12:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Legacy Interactive
2007-12-27 11:46 --------- d-----w C:\Documents and Settings\sophie\Application Data\Jane s Hotel
2007-12-27 07:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\HipSoft
2007-12-27 05:46 --------- d-----w C:\Documents and Settings\sophie\Application Data\Media Player Classic
2007-12-27 04:40 --------- d-----w C:\Program Files\AviSynth 2.5
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 10:20 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 16:48 479232]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 12:40 4167376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Leash Ticket Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Leash Ticket Manager.lnk
backup=C:\WINDOWS\pss\Leash Ticket Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^sophie^Start Menu^Programs^Startup^Shortcut to Free Sticky Notes.LNK]
path=C:\Documents and Settings\sophie\Start Menu\Programs\Startup\Shortcut to Free Sticky Notes.LNK
backup=C:\WINDOWS\pss\Shortcut to Free Sticky Notes.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AccessManager]
--a--c--- 2004-08-05 10:33 786432 C:\Program Files\AccessManager\Client\AccessMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-10-04 10:20 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2004-09-13 16:33 155648 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-05-29 18:33 52840 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2005-03-04 11:26 606208 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2004-12-06 01:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-26 08:04 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C88 Series]
--a------ 2005-01-27 04:00 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a--c--- 2005-02-15 15:02 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a--c--- 2005-02-15 15:02 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a------ 2004-10-30 14:59 385024 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 14:18 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2007-10-23 16:18 443968 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
C:\Program Files\Network Associates\VirusScan\SHSTAT.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-12-07 15:08 21686568 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
C:\Documents and Settings\sophie\Application Data\Smilebox\SmileboxTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startdrv]
C:\WINDOWS\Temp\startdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StormCodec_Helper]
--a------ 2005-07-19 05:45 96159 C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2007-06-06 15:25 125632 C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"C:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"18269:TCP"= 18269:TCP:BitComet 18269 TCP
"18269:UDP"= 18269:UDP:BitComet 18269 UDP

R1 NEOFLTR_550_11711;Juniper Networks TDI Filter Driver (NEOFLTR_550_11711);C:\WINDOWS\system32\Drivers\NEOFLTR_550_11711.SYS [2007-04-10 21:24]
R2 AMBroker;Access Manager Configuration Service;"C:\Program Files\AccessManager\Client\AMBroker.exe" [2004-08-05 10:34]
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2003-10-08 03:08]
R2 Sygman;SSA Integration Manager;"C:\Program Files\AccessManager\Client\sygman.exe" [2004-08-05 10:38]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-03 21:26]
S3 DAPlugin;Visual Insight DA Plugin;C:\Program Files\AccessManager\Client\DAPlugin.exe [2004-08-05 10:46]
S3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2003-09-07 02:50]
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2005-06-13 15:16]
S3 sp_spi_da;Visual Insight Dial Analysis;C:\Program Files\AccessManager\SMOC\spi_da.exe [2003-04-17 09:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{874ea339-a9c6-11dc-aad8-00123f1f2842}]
\Shell\AutoRun\command - Installer.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 17:11:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-26 05:38:03 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 20:04:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-02-26 20:07:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-27 01:07:02
.
2008-02-13 08:05:15 --- E O F ---


Here is the SDFix Log


SDFix: Version 1.147

Run by erfeic on 02/26/2008 Tue at 07:18 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Deleted
C:\Documents and Settings\sophie\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\sophie\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\sophie\Favorites\Spyware&Malware Protection.url - Deleted
C:\WINDOWS\system32\tmp70.tmp.dll - Deleted
C:\WINDOWS\system32\tmp7A.tmp.dll - Deleted
C:\WINDOWS\system32\tmp82.tmp.dll - Deleted
C:\WINDOWS\system32\tmp83.tmp.dll - Deleted
C:\WINDOWS\system32\tmp98.tmp.dll - Deleted
C:\DOCUME~1\sophie\LOCALS~1\Temp\ac8zt2.dat - Deleted
C:\WINDOWS\admgcx.dll - Deleted
C:\WINDOWS\dmdvpnslp.dll - Deleted
C:\WINDOWS\fsxloqf.exe - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\search_res.txt - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 19:54:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Amazing Adventures The Lost Tomb]
"DisplayName"="Amazing Adventures The Lost Tomb?"
"UninstallString"="C:\PROGRA~1\SHOCKW~1.COM\AMAZIN~1\UNWISE.EXE C:\PROGRA~1\SHOCKW~1.COM\AMAZIN~1\INSTALL.LOG"
"DisplayVersion"="32.0.0.0"
"HelpLink"="http://www.shockwave.com/help/contact_us.jsp"
"Publisher"="Shockwave.com"
"URLInfoAbout"="http://www.shockwave.com/help/contact_us.jsp"
"Contact"="Customer Support"
"Comments"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Burger Island]
"DisplayName"="Burger Island?"
"UninstallString"="C:\PROGRA~1\SHOCKW~1.COM\BURGER~3\UNWISE.EXE C:\PROGRA~1\SHOCKW~1.COM\BURGER~3\INSTALL.LOG"
"DisplayVersion"="32.0.0.0"
"HelpLink"="http://www.shockwave.com/help/contact_us.jsp"
"Publisher"="Shockwave.com"
"URLInfoAbout"="http://www.shockwave.com/help/contact_us.jsp"
"Contact"="Customer Support"
"Comments"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fashion Fits!]
"DisplayName"="Fashion Fits!?"
"UninstallString"="C:\PROGRA~1\SHOCKW~1.COM\FASHIO~1\UNWISE.EXE C:\PROGRA~1\SHOCKW~1.COM\FASHIO~1\INSTALL.LOG"
"DisplayVersion"="32.0.0.0"
"HelpLink"="http://www.shockwave.com/help/contact_us.jsp"
"Publisher"="Shockwave.com"
"URLInfoAbout"="http://www.shockwave.com/help/contact_us.jsp"
"Contact"="Customer Support"
"Comments"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Risk]
"DisplayName"="Risk?"
"UninstallString"="C:\PROGRA~1\SHOCKW~1.COM\Risk\UNWISE.EXE C:\PROGRA~1\SHOCKW~1.COM\Risk\INSTALL.LOG"
"DisplayVersion"="32.0.0.0"
"HelpLink"="http://www.shockwave.com/help/contact_us.jsp"
"Publisher"="Shockwave.com"
"URLInfoAbout"="http://www.shockwave.com/help/contact_us.jsp"
"Contact"="Customer Support"
"Comments"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Super Text Twist]
"DisplayName"="Super Text Twist?"
"UninstallString"="C:\PROGRA~1\SHOCKW~1.COM\SUPERT~1\UNWISE.EXE C:\PROGRA~1\SHOCKW~1.COM\SUPERT~1\INSTALL.LOG"
"DisplayVersion"="32.0.0.0"
"HelpLink"="http://www.shockwave.com/help/contact_us.jsp"
"Publisher"="Shockwave.com"
"URLInfoAbout"="http://www.shockwave.com/help/contact_us.jsp"
"Contact"="Customer Support"
"Comments"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\The Office]
"DisplayName"="The Office?"
"UninstallString"="C:\PROGRA~1\SHOCKW~1.COM\THEOFF~1\UNWISE.EXE C:\PROGRA~1\SHOCKW~1.COM\THEOFF~1\INSTALL.LOG"
"DisplayVersion"="32.0.0.0"
"HelpLink"="http://www.shockwave.com/help/contact_us.jsp"
"Publisher"="Shockwave.com"
"URLInfoAbout"="http://www.shockwave.com/help/contact_us.jsp"
"Contact"="Customer Support"
"Comments"=""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\hQ\x9eda]
"\x86ec\x97f9T\x20ac\x9aae???"=dword:00000001
"\x86ec\x97f9\x6439eQ???"=dword:00000001
"\20?n\x884f:y??"=dword:00000001
"\26Y\1x\x884f:y?"=dword:00000001
"\x895dzz<h?"=dword:00000000
"IQ\ah\x9096\x5f47??"=dword:00000001
"<SPACE>"=dword:00000001
"<ENTER>"=dword:00000000
"FC Input"=dword:00000000
"FC aid"=dword:00000000
"GB/GBK"=dword:00000000

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Neoteris\\Secure Application Manager\\gapsvc.exe"="C:\\Program Files\\Neoteris\\Secure Application Manager\\gapsvc.exe:*:Enabled:ASM Proxy"
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"="C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe:*:Disabled:Secure Application Manager Proxy"
"C:\\Program Files\\Microsoft Office Communicator\\communicator.exe"="C:\\Program Files\\Microsoft Office Communicator\\communicator.exe:*:Enabled:Microsoft Office Communicator 2005"
"C:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"="C:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe:*:Enabled:Secure Application Manager Proxy"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Yahoo! Games\\Insaniquarium Deluxe\\InsaniquariumDeluxe.exe"="C:\\Program Files\\Yahoo! Games\\Insaniquarium Deluxe\\InsaniquariumDeluxe.exe:*:Enabled:Insaniquarium"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Neoteris\\Secure Application Manager\\gapsvc.exe"="C:\\Program Files\\Neoteris\\Secure Application Manager\\gapsvc.exe:*:Disabled:ASM Proxy"
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"="C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe:*:Enabled:Secure Application Manager Proxy"
"C:\\Program Files\\Microsoft Office Communicator\\communicator.exe"="C:\\Program Files\\Microsoft Office Communicator\\communicator.exe:*:Enabled:Microsoft Office Communicator 2005"
"C:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"="C:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe:*:Enabled:Secure Application Manager Proxy"
"C:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE:*:Enabled:OUTLOOK"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 4 Aug 2004 93,184 A.SH. --- "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Fri 21 Dec 2007 6,219,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Mon 10 Dec 2007 33,280 ...H. --- "C:\Documents and Settings\sophie\Desktop\~WRL0451.tmp"
Mon 10 Dec 2007 33,792 ...H. --- "C:\Documents and Settings\sophie\Desktop\~WRL0530.tmp"
Mon 10 Dec 2007 33,280 ...H. --- "C:\Documents and Settings\sophie\Desktop\~WRL1226.tmp"
Thu 6 Dec 2007 31,232 ...H. --- "C:\Documents and Settings\sophie\Desktop\~WRL1702.tmp"
Sat 8 Dec 2007 218,624 ...H. --- "C:\Documents and Settings\sophie\Desktop\~WRL1792.tmp"
Fri 7 Dec 2007 36,352 ...H. --- "C:\Documents and Settings\sophie\Desktop\~WRL1922.tmp"
Mon 10 Dec 2007 34,304 ...H. --- "C:\Documents and Settings\sophie\Desktop\~WRL3819.tmp"
Mon 17 Dec 2007 52,224 ...H. --- "C:\Documents and Settings\sophie\Desktop\~WRL4036.tmp"
Wed 19 Dec 2007 326,656 ...H. --- "C:\Documents and Settings\sophie\My Documents\~WRL2776.tmp"
Wed 19 Dec 2007 443,904 ...H. --- "C:\Documents and Settings\sophie\My Documents\~WRL3010.tmp"
Wed 19 Dec 2007 452,608 ...H. --- "C:\Documents and Settings\sophie\My Documents\~WRL3081.tmp"
Sun 18 Nov 2007 209 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti41.tmp"
Sat 23 Feb 2008 0 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\BIT1.tmp"
Sun 24 Feb 2008 0 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\BIT13.tmp"
Sun 24 Feb 2008 0 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\BIT17.tmp"
Sun 24 Feb 2008 0 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\BIT18.tmp"
Sun 24 Feb 2008 0 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\BIT1F.tmp"
Sun 24 Feb 2008 0 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\BIT2.tmp"
Sun 24 Feb 2008 0 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\BIT24.tmp"
Sun 24 Feb 2008 0 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\BIT2C.tmp"
Sat 23 Feb 2008 0 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\BIT2D.tmp"
Sun 24 Feb 2008 0 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\BIT2E.tmp"
Sun 24 Feb 2008 0 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\BIT3.tmp"
Fri 22 Feb 2008 0 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\BIT30.tmp"
Sun 24 Feb 2008 0 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\BIT36.tmp"
Sun 24 Feb 2008 0 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\BIT37.tmp"
Sun 24 Feb 2008 0 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\BIT4.tmp"
Sat 23 Feb 2008 0 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\BIT41.tmp"
Sun 24 Feb 2008 0 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\BIT46.tmp"
Fri 22 Feb 2008 0 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\BIT48.tmp"
Sun 24 Feb 2008 0 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\BIT5.tmp"
Sun 24 Feb 2008 0 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\BIT6.tmp"
Sun 24 Feb 2008 0 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\BIT67.tmp"
Sun 24 Feb 2008 0 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\BIT9.tmp"
Sun 24 Feb 2008 0 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\BITA.tmp"
Sun 24 Feb 2008 0 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\BITB.tmp"
Tue 9 Jan 2007 48,640 A..H. --- "C:\Documents and Settings\sophie\Desktop\resumes\~WRL0001.tmp"
Thu 8 Feb 2007 47,616 A..H. --- "C:\Documents and Settings\sophie\Desktop\resumes\~WRL0004.tmp"
Wed 26 Sep 2007 192,512 A..H. --- "C:\Documents and Settings\sophie\My Documents\Kappa Stuff\~WRL0061.tmp"
Tue 26 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT3.tmp"

Finished!

Finally, here is the Hijack this Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:43 PM, on 2/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\Program Files\AccessManager\Client\sygman.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6225710515
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Access Manager Configuration Service (AMBroker) - MCI, Inc. - C:\Program Files\AccessManager\Client\AMBroker.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - MCI, Inc. - C:\Program Files\AccessManager\Client\DAPlugin.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
O23 - Service: SSA Integration Manager (Sygman) - MCI, Inc. - C:\Program Files\AccessManager\Client\sygman.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel? Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6826 bytes


Thank you
smophie
Active Member
 
Posts: 3
Joined: February 24th, 2008, 5:27 am

Re: help me!

Unread postby Carolyn » February 28th, 2008, 10:35 pm

Hello smophie,

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startdrv]


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Please post the contents of the ComboFix log, a fresh HijackThis log and any comments regarding how your computer is behaving.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: help me!

Unread postby Carolyn » March 2nd, 2008, 10:52 am

It's been a few days. Are you still in need of assistance?
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: help me!

Unread postby Elrond » March 9th, 2008, 2:10 pm

Due to lack of response this topic is now closed.

If you still need help open a new thread in the Malware Removal forum and wait for a new helper.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Elrond
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 33 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware