Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

The BIG RED X

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: The BIG RED X

Unread postby conky » March 28th, 2008, 3:10 pm

Every time I try to open hijack this the computer shuts down. Plan B?
conky
Regular Member
 
Posts: 27
Joined: March 24th, 2008, 5:28 pm
Advertisement
Register to Remove

Re: The BIG RED X

Unread postby conky » March 28th, 2008, 4:36 pm

GOT IT!

ComboFix 08-03-22.1 - Administrator 2008-03-28 13:21:07.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.556 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE.tmp
c:\windows\cfgmgr52.ini
c:\windows\system32\bose.ico
C:\WINDOWS\system32\btnetw3_venturahot_246765.exe
c:\windows\system32\eznews5.exe
c:\windows\system32\fleok
C:\WINDOWS\system32\GSM3-0511.exe
C:\WINDOWS\system32\iezset.exe
c:\windows\system32\installerv3.exe
C:\WINDOWS\system32\InstallerV3.exe
C:\WINDOWS\system32\MegasearchBarSetup.dll
C:\WINDOWS\system32\msfdje.gif
C:\WINDOWS\system32\msglji.gif
C:\WINDOWS\system32\msiaih.dll
C:\WINDOWS\system32\msnimk.gif
C:\WINDOWS\system32\redtrsha.dll
c:\windows\system32\richedtr.dll
C:\WINDOWS\system32\utvaypoj.ini
C:\WINDOWS\system320nstDD0
C:\WINDOWS\zpjeuove.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\cfgmgr52.ini
c:\windows\elitetoolbar
c:\windows\system32\bose.ico
C:\WINDOWS\system32\btnetw3_venturahot_246765.exe
c:\windows\system32\eznews5.exe
C:\WINDOWS\system32\GSM3-0511.exe
C:\WINDOWS\system32\iezset.exe
C:\WINDOWS\system32\InstallerV3.exe
C:\WINDOWS\system32\MegasearchBarSetup.dll
C:\WINDOWS\system32\msfdje.gif
C:\WINDOWS\system32\msglji.gif
C:\WINDOWS\system32\msiaih.dll
C:\WINDOWS\system32\msnimk.gif
C:\WINDOWS\system32\redtrsha.dll
c:\windows\system32\richedtr.dll
C:\WINDOWS\system32\utvaypoj.ini
C:\WINDOWS\system320nstDD0
C:\WINDOWS\zpjeuove.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-28 )))))))))))))))))))))))))))))))
.

2008-03-25 21:47 . 2008-03-25 21:50 <DIR> d----c--- C:\Program Files\Panda Security
2008-03-25 19:48 . 2008-03-25 19:48 <DIR> d----c--- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-25 19:48 . 2008-03-25 19:48 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-25 19:48 . 2008-03-25 19:48 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-03-24 15:38 . 2008-03-24 15:38 <DIR> d----c--- C:\Program Files\Trend Micro
2008-03-24 15:01 . 2008-03-24 15:01 <DIR> d----c--- C:\Program Files\CCleaner
2008-03-22 18:57 . 2008-03-22 22:46 250 --a--c--- C:\WINDOWS\gmer.ini
2008-03-17 19:06 . 2008-03-17 19:06 <DIR> d----c--- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-17 19:06 . 2008-03-28 11:58 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-17 19:05 . 2008-03-17 19:05 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-17 19:05 . 2008-03-17 23:15 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\avg7

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 04:45 --------- dc----w C:\Program Files\mIRC
2008-03-23 06:00 --------- dc----w C:\Program Files\Java
2008-03-23 00:45 --------- dc----w C:\Program Files\PowerISO
2008-03-22 22:49 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-03-18 02:03 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-24 07:00 --------- dc----w C:\Program Files\Digital Photo Navigator 1.5
2008-02-24 06:49 --------- dc----w C:\Program Files\Webshots
2008-02-24 06:22 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-24 06:14 --------- dc----w C:\Program Files\CyberLink
2008-02-24 06:13 --------- dc----w C:\Program Files\IrfanView
2008-02-18 20:08 --------- dc----w C:\Program Files\Common Files\Adobe
2008-02-13 02:21 --------- dc----r C:\Documents and Settings\All Users\Application Data\SalesMon
2007-09-02 17:07 256 -c--a-w C:\Documents and Settings\Administrator\pool.bin
2007-03-25 19:55 284,864 -c--a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2003-08-27 21:19 36,963 -c--a-r C:\Program Files\Common Files\SM1updtr.dll
2006-05-06 16:42 7,260,160 -c--a-w C:\Program Files\mozilla firefox\plugins\libvlc.dll
2007-03-09 07:12 27,648 -csha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((( snapshot@2008-03-22_18.25.05.85 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-21 21:37:26 124,208 -c--a-w C:\WINDOWS\Downloaded Program Files\ascstubie.dll
+ 2007-07-18 21:49:56 12,592 -c--a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
+ 2008-03-23 01:57:00 819,200 -c--a-w C:\WINDOWS\gmer.dll
+ 2008-03-04 03:29:06 761,856 -c--a-w C:\WINDOWS\gmer.exe
- 2007-12-04 05:36:43 5,409 -c--a-w C:\WINDOWS\mozver.dat
+ 2008-03-26 04:48:16 6,585 -c--a-w C:\WINDOWS\mozver.dat
+ 2008-03-23 01:57:00 86,097 -c--a-w C:\WINDOWS\system32\drivers\gmer.sys
- 2007-09-25 06:30:28 135,168 -c--a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 08:23:35 135,168 -c--a-w C:\WINDOWS\system32\java.exe
- 2007-09-25 06:30:30 135,168 -c--a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 08:23:39 135,168 -c--a-w C:\WINDOWS\system32\javaw.exe
- 2007-09-25 07:31:42 139,264 -c--a-w C:\WINDOWS\system32\javaws.exe
+ 2008-02-22 09:33:32 139,264 -c--a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe" [2004-02-10 12:19 180224]
"EPSON PictureMate Deluxe (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.exe" [2004-10-17 03:00 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-02-10 00:59 47104 C:\WINDOWS\SOUNDMAN.EXE]
"DVDTray"="C:\Program Files\HP DVD\Umbrella\DVDTray.exe" [2003-07-23 10:42 69632]
"DVDBitSet"="C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" [2003-07-18 10:49 204800]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-21 20:08 185632]
"EPSON PictureMate Deluxe (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.exe" [2004-10-17 03:00 98304]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 16:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22 267048]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-17 19:05 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-17 19:05 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^HotSync Manager.LNK]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HotSync Manager.LNK
backup=C:\WINDOWS\pss\HotSync Manager.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^TrueAssistant.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\TrueAssistant.lnk
backup=C:\WINDOWS\pss\TrueAssistant.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Creating Keepsakes Scrapbook Designer Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Creating Keepsakes Scrapbook Designer Event Reminder.lnk
backup=C:\WINDOWS\pss\Creating Keepsakes Scrapbook Designer Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
--a--c--- 2005-11-03 16:39 230512 C:\Program Files\Yahoo!\Antivirus\CAVTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
--a--c--- 2005-11-03 16:39 185456 C:\Program Files\Yahoo!\Antivirus\CAVRID.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EverioService]
-----c--- 2006-11-22 21:10 151552 C:\Program Files\CyberLink\PCM4Everio\EverioService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Proxy Server]
C:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2004-09-13 15:49 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-09-11 04:40 218032 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2008-01-15 04:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a--c--- 2007-05-15 17:12 484904 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
C:\Program Files\Logitech\ImageStudio\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
C:\Program Files\Logitech\ImageStudio\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
--a--c--- 2002-12-10 18:54 127022 C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
--a--c--- 2004-02-10 12:19 180224 C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a--c--- 2007-04-09 05:23 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2008-01-10 16:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a--c--- 2007-03-26 07:07 228088 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a------ 2005-06-03 07:16 81920 C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2007-10-21 20:08 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a--c--- 2003-08-19 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a--c--- 2005-08-15 16:24 3092480 C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
--a--c--- 2005-04-22 20:49 397312 C:\PROGRA~1\Yahoo!\YOP\yop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\javaw.exe"=
"C:\\WINDOWS\\system32\\hpbspsvr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Macromedia\\Contribute 3\\Contribute.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2000-01-08 09:22]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 22:29]
S0 szkg5;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys []
S3 hpusbwdm;HP DVD Movie Writer dc3000/dc4000;C:\WINDOWS\system32\DRIVERS\hpusbwdm.sys []
S3 McAfeePF;McAfee Firewall Network Filter Miniport;C:\WINDOWS\system32\DRIVERS\fw220.sys []
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2007-01-18 10:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e16e5b41-ade1-11dc-a17f-00508d4bb37a}]
\Shell\AutoRun\command - G:\PortableVault.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-03-27 03:56:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-28 13:30:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-28 13:32:35
ComboFix-quarantined-files.txt 2008-03-28 20:31:54
ComboFix2.txt 2008-03-26 01:07:39
ComboFix3.txt 2008-03-24 22:28:01
ComboFix4.txt 2008-03-24 21:10:52
ComboFix5.txt 2008-03-23 05:31:01
.
2008-03-22 22:07:21 --- E O F ---

_____________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:03 PM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.windowsdownloads.com/success.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\HP DVD\Umbrella\DVDTray.exe
O4 - HKLM\..\Run: [DVDBitSet] C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe /NOUI
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON PictureMate Deluxe (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE /P33 "EPSON PictureMate Deluxe (Copy 1)" /O6 "USB004" /M "PictureMate Deluxe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [EPSON PictureMate Deluxe (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE /P33 "EPSON PictureMate Deluxe (Copy 1)" /M "PictureMate Deluxe" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra button: Travelaxe - {32A32D38-B8ED-4b3f-AFD0-EF23B697B5C1} - C:\Program Files\Travelaxe\Travelaxe.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://images.autodesk.com/adsk/files/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3703931719
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

--
End of file - 7767 bytes
conky
Regular Member
 
Posts: 27
Joined: March 24th, 2008, 5:28 pm

Re: The BIG RED X

Unread postby dan12 » March 29th, 2008, 7:32 pm

You appear to be running two Anti virus on your system, which is not good as they don't play nice together and will fight for resources and you will have slow downs.
which one of these are you running and which you want to remove?
CAISafe
AVG7

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
 
  Registry::
    [-hkey_local_machine\software\microsoft\windows\currentversion\internet settings\user agent\post platform\iebar]
    [-hkey_classes_root\clsid\{825cf5bd-8862-4430-b771-0c15c5ca8def}]
    [-hkey_local_machine\software\lycos]
    [-hkey_local_machine\software\searchrelevancy]
    [-hkey_local_machine\software\riched]
    [-hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\richeditor]
    [-HKEY_LOCAL_MACHINE\software\classes\CLSID\{825CF5BD-8862-4430-B771-0C15C5CA8DEF}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30}]
  

    


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

-----------------

If you can do me a further scan to check I've got the files I wanted.
Thanks :)

TotalScan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
Please go to this site Link >> TotalScan << LINK
  • Under Scan Now click the Full Scan button
  • Follow the prompts to install the Active X if necessary
  • Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
  • When the scan is finished, a report will be generated
  • Next to Scan Details click the small Save button and save the report to your desktop.
  • Please post the report in your reply.


Please include in your next post:
  • Combofix log txt
  • New highjackthis log
  • let me know how things are

Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: The BIG RED X

Unread postby conky » March 30th, 2008, 11:05 am

Hello!

Ok here are two logs - every time I try to run hijack this it clicks the computer off, and says Microsoft Windows is recovering from a serious error so I quit trying.

A question - which anti virus should I unload? I don't even know where CAIsafe is. I'm guessing it might be in the SBC yahoo files.

as far as the computer, it starts up quick, runs well, but the big red x is still on the "C" drive.
-----------------------------------

ComboFix 08-03-22.1 - Administrator 2008-03-29 17:02:04.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\cfscripttext.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.

2008-03-29 10:53 . 2008-03-29 10:53 6,144 --ahsc--- C:\WINDOWS\system32\Thumbs.db
2008-03-25 21:47 . 2008-03-25 21:50 <DIR> d----c--- C:\Program Files\Panda Security
2008-03-25 19:48 . 2008-03-25 19:48 <DIR> d----c--- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-25 19:48 . 2008-03-25 19:48 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-25 19:48 . 2008-03-25 19:48 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-03-24 15:38 . 2008-03-24 15:38 <DIR> d----c--- C:\Program Files\Trend Micro
2008-03-24 15:01 . 2008-03-24 15:01 <DIR> d----c--- C:\Program Files\CCleaner
2008-03-22 18:57 . 2008-03-22 22:46 250 --a--c--- C:\WINDOWS\gmer.ini
2008-03-17 19:06 . 2008-03-17 19:06 <DIR> d----c--- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-17 19:06 . 2008-03-29 08:00 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-17 19:05 . 2008-03-17 19:05 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-17 19:05 . 2008-03-17 23:15 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-23 15:03 . 2008-02-23 15:07 248 --a--c--- C:\WINDOWS\wininit.ini
2008-02-16 18:22 . 2008-03-28 13:12 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn
2008-02-16 18:22 . 2008-02-16 18:22 1,409 --a--c--- C:\WINDOWS\QTFont.for
2008-02-12 19:21 . 2008-02-12 19:21 <DIR> dr---c--- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-02-11 14:00 . 2008-02-11 14:00 268 --ah-c--- C:\sqmdata00.sqm
2008-02-11 14:00 . 2008-02-11 14:00 244 --ah-c--- C:\sqmnoopt00.sqm
2008-02-11 10:45 . 2008-02-11 14:00 <DIR> d----c--- C:\Documents and Settings\Administrator\Contacts
2008-02-03 10:28 . 2008-02-03 10:28 <DIR> d----c--- C:\WINDOWS\system32\LogFiles
2008-02-03 10:28 . 2008-02-03 10:30 <DIR> d----c--- C:\WINDOWS\system32\drivers\UMDF
2008-02-03 10:03 . 2008-02-03 10:03 <DIR> d----c--- C:\WINDOWS\Freecorder Toolbar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 04:45 --------- dc----w C:\Program Files\mIRC
2008-03-23 06:00 --------- dc----w C:\Program Files\Java
2008-03-23 00:45 --------- dc----w C:\Program Files\PowerISO
2008-03-22 22:49 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-03-18 02:03 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-24 07:00 --------- dc----w C:\Program Files\Digital Photo Navigator 1.5
2008-02-24 06:49 --------- dc----w C:\Program Files\Webshots
2008-02-24 06:22 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-24 06:14 --------- dc----w C:\Program Files\CyberLink
2008-02-24 06:13 --------- dc----w C:\Program Files\IrfanView
2008-02-18 20:08 --------- dc----w C:\Program Files\Common Files\Adobe
2007-12-07 01:07 659,456 -c--a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 -c--a-w C:\WINDOWS\system32\oleaut32.dll
2007-09-02 17:07 256 -c--a-w C:\Documents and Settings\Administrator\pool.bin
2007-03-25 19:55 284,864 -c--a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2003-08-27 21:19 36,963 -c--a-r C:\Program Files\Common Files\SM1updtr.dll
2006-05-06 16:42 7,260,160 -c--a-w C:\Program Files\mozilla firefox\plugins\libvlc.dll
2007-03-09 07:12 27,648 -csha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((( snapshot@2008-03-22_18.25.05.85 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-21 21:37:26 124,208 -c--a-w C:\WINDOWS\Downloaded Program Files\ascstubie.dll
+ 2007-07-18 21:49:56 12,592 -c--a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
+ 2008-03-23 01:57:00 819,200 -c--a-w C:\WINDOWS\gmer.dll
+ 2008-03-04 03:29:06 761,856 -c--a-w C:\WINDOWS\gmer.exe
- 2007-12-04 05:36:43 5,409 -c--a-w C:\WINDOWS\mozver.dat
+ 2008-03-26 04:48:16 6,585 -c--a-w C:\WINDOWS\mozver.dat
+ 2008-03-23 01:57:00 86,097 -c--a-w C:\WINDOWS\system32\drivers\gmer.sys
- 2007-09-25 06:30:28 135,168 -c--a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 08:23:35 135,168 -c--a-w C:\WINDOWS\system32\java.exe
- 2007-09-25 06:30:30 135,168 -c--a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 08:23:39 135,168 -c--a-w C:\WINDOWS\system32\javaw.exe
- 2007-09-25 07:31:42 139,264 -c--a-w C:\WINDOWS\system32\javaws.exe
+ 2008-02-22 09:33:32 139,264 -c--a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe" [2004-02-10 12:19 180224]
"EPSON PictureMate Deluxe (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.exe" [2004-10-17 03:00 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-02-10 00:59 47104 C:\WINDOWS\SOUNDMAN.EXE]
"DVDTray"="C:\Program Files\HP DVD\Umbrella\DVDTray.exe" [2003-07-23 10:42 69632]
"DVDBitSet"="C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" [2003-07-18 10:49 204800]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-21 20:08 185632]
"EPSON PictureMate Deluxe (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.exe" [2004-10-17 03:00 98304]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 16:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22 267048]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-17 19:05 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-17 19:05 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^HotSync Manager.LNK]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HotSync Manager.LNK
backup=C:\WINDOWS\pss\HotSync Manager.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^TrueAssistant.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\TrueAssistant.lnk
backup=C:\WINDOWS\pss\TrueAssistant.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Creating Keepsakes Scrapbook Designer Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Creating Keepsakes Scrapbook Designer Event Reminder.lnk
backup=C:\WINDOWS\pss\Creating Keepsakes Scrapbook Designer Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
--a--c--- 2005-11-03 16:39 230512 C:\Program Files\Yahoo!\Antivirus\CAVTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
--a--c--- 2005-11-03 16:39 185456 C:\Program Files\Yahoo!\Antivirus\CAVRID.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EverioService]
-----c--- 2006-11-22 21:10 151552 C:\Program Files\CyberLink\PCM4Everio\EverioService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Proxy Server]
C:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2004-09-13 15:49 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-09-11 04:40 218032 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2008-01-15 04:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a--c--- 2007-05-15 17:12 484904 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
C:\Program Files\Logitech\ImageStudio\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
C:\Program Files\Logitech\ImageStudio\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
--a--c--- 2002-12-10 18:54 127022 C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
--a--c--- 2004-02-10 12:19 180224 C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a--c--- 2007-04-09 05:23 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2008-01-10 16:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a--c--- 2007-03-26 07:07 228088 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a------ 2005-06-03 07:16 81920 C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2007-10-21 20:08 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a--c--- 2003-08-19 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a--c--- 2005-08-15 16:24 3092480 C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
--a--c--- 2005-04-22 20:49 397312 C:\PROGRA~1\Yahoo!\YOP\yop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\javaw.exe"=
"C:\\WINDOWS\\system32\\hpbspsvr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Macromedia\\Contribute 3\\Contribute.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2000-01-08 09:22]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 22:29]
S0 szkg5;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys []
S3 hpusbwdm;HP DVD Movie Writer dc3000/dc4000;C:\WINDOWS\system32\DRIVERS\hpusbwdm.sys []
S3 McAfeePF;McAfee Firewall Network Filter Miniport;C:\WINDOWS\system32\DRIVERS\fw220.sys []
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2007-01-18 10:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e16e5b41-ade1-11dc-a17f-00508d4bb37a}]
\Shell\AutoRun\command - G:\PortableVault.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-03-27 03:56:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-29 17:09:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-29 17:11:43
ComboFix-quarantined-files.txt 2008-03-30 00:11:23
ComboFix2.txt 2008-03-28 20:32:37
ComboFix3.txt 2008-03-26 01:07:39
ComboFix4.txt 2008-03-24 22:28:01
ComboFix5.txt 2008-03-24 21:10:52
.
2008-03-22 22:07:21 --- E O F ---

------------------------------

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-03-29 21:43:06
PROTECTIONS: 2
MALWARE: 96
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Anti-Virus - SBC Yahoo! Online Protection 7.0.7.4 Yes No
AVG 7.5.519 7.5.519 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00020302 adware/ncase Adware No 0 Yes No c:\windows\system32\fleok
00040467 adware/elitebar Adware No 1 Yes No hkey_local_machine\software\microsoft\windows\currentversion\internet settings\user agent\post platform\iebar
00046021 adware/megasearch Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30}
00064524 Adware/TVMedia Adware No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1517\A0295672.dll
00065370 Spyware/BetterInet Spyware No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1517\A0295667.dll
00065370 Spyware/BetterInet Spyware No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1517\A0295666.dll
00065528 Spyware/SafeSurf Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\InstallerV3.exe.vir
00065528 Spyware/SafeSurf Spyware No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1529\A0310290.exe
00102241 Adware/Ipend Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\msnimk.gif.vir
00102512 Adware/eZula Adware No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1529\A0310289.exe
00102512 Adware/eZula Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\iezset.exe.vir
00110538 Spyware/ClientMan Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\msglji.gif.vir
00117359 Spyware/ClientMan Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\msiaih.dll.vir
00117359 Spyware/ClientMan Spyware No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1529\A0310292.dll
00117363 Spyware/Omi Spyware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\msfdje.gif.vir
00120498 Adware/nCase Adware No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1517\A0295671.dll
00123310 HackTool/SRunner.B HackTools No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1512\A0290151.exe
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq205.tmp
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1B3.tmp
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1AC.tmp
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5F.tmp
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq61.tmp
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq29.tmp
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq12.tmp
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq27.tmp
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1522\A0299162.exe
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1B2.tmp
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq204.tmp
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1FE.tmp
00145433 Cookie/Mammamediasolutions TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq203.tmp
00145433 Cookie/Mammamediasolutions TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4A.tmp
00145453 Cookie/Bfast TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13.tmp
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1AE.tmp
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq63.tmp
00145466 Cookie/Advertising TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq32.tmp
00145466 Cookie/Advertising TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq65.tmp
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq33.tmp
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3F.tmp
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1B0.tmp
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2E.tmp
00145770 Cookie/CentrPort TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq39.tmp
00145770 Cookie/CentrPort TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq76.tmp
00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq41.tmp
00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1AF.tmp
00149064 Cookie/Maxserving TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq202.tmp
00149064 Cookie/Maxserving TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3C.tmp
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16.tmp
00166757 Adware/eZula Adware No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1517\A0295663.dll
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq40.tmp
00167733 Cookie/Adserver TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq54.tmp
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq42.tmp
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq53.tmp
00168069 Cookie/Bilbo.counted TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq46.tmp
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq17.tmp
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3E.tmp
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq38.tmp
00168102 Cookie/Falkag TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq200.tmp
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq36.tmp
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq26.tmp
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq34.tmp
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1B4.tmp
00170549 Cookie/FortuneCity TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq201.tmp
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq77.tmp
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1B1.tmp
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3D.tmp
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq31.tmp
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq18.tmp
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq79.tmp
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq48.tmp
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5D.tmp
00173557 Spyware/SafeSurf Spyware No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1529\A0310294.dll
00173557 Spyware/SafeSurf Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\richedtr.dll.vir
00173701 Adware/BookedSpace Adware No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1529\A0310296.exe
00173701 Adware/BookedSpace Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\zpjeuove.exe.vir
00176013 Spyware/BetterInet Spyware No 1 Yes No C:\QooBox\Quarantine\C\Program Files\Yahoo!\YPSR\Quarantine\ppqE.tmp.vir
00176880 Trj/Clicker.FV Virus/Trojan No 0 No No C:\QooBox\Quarantine\C\WINDOWS\system32\GSM3-0511.exe.vir[QB.exe]
00176880 Trj/Clicker.FV Virus/Trojan No 0 No No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1529\A0310288.exe[QB.exe]
00181758 Spyware/BetterInet Spyware No 1 No No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1529\A0310288.exe[QBUninstaller.exe]
00181758 Spyware/BetterInet Spyware No 1 No No C:\QooBox\Quarantine\C\WINDOWS\system32\GSM3-0511.exe.vir[QBUninstaller.exe]
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq14.tmp
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5E.tmp
00192119 Adware/BookedSpace Adware No 0 No No C:\QooBox\Quarantine\C\WINDOWS\system32\bsva-egihsg52.exe.vir[²ÇÇ]
00192119 Adware/BookedSpace Adware No 0 No No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1522\A0297972.exe[²ÇÇ]
00192372 Adware/BigTrafficNet Adware No 0 No No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1529\A0310286.exe[²ÅÇ]
00192372 Adware/BigTrafficNet Adware No 0 No No C:\QooBox\Quarantine\C\WINDOWS\system32\btnetw3_venturahot_246765.exe.vir[²ÅÇ]
00192372 Adware/BigTrafficNet Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system320nstDD0.vir
00192372 Adware/BigTrafficNet Adware No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1512\A0290147.dll
00194387 Adware/Megasearch Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\MegasearchBarSetup.dll.vir
00194387 Adware/Megasearch Adware No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1529\A0310291.dll
00197368 Spyware/SafeSurf Spyware No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1529\A0310293.dll
00197368 Spyware/SafeSurf Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\redtrsha.dll.vir
00199983 Cookie/Valueclick TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq43.tmp
00199983 Cookie/Valueclick TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq78.tmp
00234930 Trj/Downloader.GUM Virus/Trojan No 0 No No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1529\A0310288.exe[QBTool.exe]
00234930 Trj/Downloader.GUM Virus/Trojan No 0 No No C:\QooBox\Quarantine\C\WINDOWS\system32\GSM3-0511.exe.vir[QBTool.exe]
00242112 Trojan Horse.AP3 Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1529\A0310288.exe
00242112 Trojan Horse.AP3 Virus/Trojan No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\GSM3-0511.exe.vir
00246066 Adware/eZula Adware No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1529\A0310287.exe
00246066 Adware/eZula Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\ezNewS5.exe.vir
00248299 Adware/BookedSpace Adware No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1522\A0297972.exe
00248299 Adware/BookedSpace Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\bsva-egihsg52.exe.vir
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2C.tmp
00293079 Spyware/7r7t Spyware No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1529\A0310286.exe
00293079 Spyware/7r7t Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\btnetw3_venturahot_246765.exe.vir
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq60.tmp
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq28.tmp
00371568 Trj/Agent.DZW Virus/Worm No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1512\A0290153.exe
00375179 Trj/SpyForms.AA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1510\A0282142.sys
00375179 Trj/SpyForms.AA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1512\A0290154.sys
00375179 Trj/SpyForms.AA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1510\A0283139.sys
00375179 Trj/SpyForms.AA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1510\A0281162.sys
00375179 Trj/SpyForms.AA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1510\A0284140.sys
00375179 Trj/SpyForms.AA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1510\A0281131.sys
00375179 Trj/SpyForms.AA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1508\A0281021.sys
00375179 Trj/SpyForms.AA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1500\A0274002.sys
00375179 Trj/SpyForms.AA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1507\A0276007.sys
00375179 Trj/SpyForms.AA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1510\A0285139.sys
00375179 Trj/SpyForms.AA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1507\A0280016.sys
00375179 Trj/SpyForms.AA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1499\A0273922.sys
00375179 Trj/SpyForms.AA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1507\A0279004.sys
00375179 Trj/SpyForms.AA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1496\A0272929.sys
00375179 Trj/SpyForms.AA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1507\A0279028.sys
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1522\A0298001.EXE
01259911 Trj/Downloader.PLQ Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1517\A0295658.exe
01614600 Application/Win-Touch HackTools No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1512\A0290148.exe
02206770 Generic Backdoor Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1515\A0292420.exe
02247403 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1515\A0292432.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1522\A0297993.sys
02891362 Adware/Yazzle Adware No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1512\A0290150.exe
02892536 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1520\A0297849.dll
02892536 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1512\A0290157.dll
02892536 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1518\A0297653.dll
02893893 Trj/Bancos.RQ Virus/Trojan No 0 No No C:\Documents and Settings\Administrator\Desktop\ComboFix.exe[327882R2FWJFW\pv.cfexe]
02894086 Adware/AVSystemCare Adware No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1518\A0297674.exe
02896112 Adware/Yazzle Adware No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1512\A0290149.exe
02896636 Adware/Matcash Adware No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1517\A0295659.exe
02896638 Adware/Matcash Adware No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1515\A0292378.exe
02896639 Adware/Matcash Adware No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1515\A0292377.exe
02898733 Trj/Downloader.SLD Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1517\A0295657.exe
02899162 Trj/Agent.HYR Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1517\A0295647.exe
02899593 Trj/Downloader.SMN Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1507\A0280018.exe
02899593 Trj/Downloader.SMN Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1506\A0274182.exe
02900418 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1512\A0290155.dll
02900545 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1508\A0281008.dll
02900995 Adware/ErrClean Adware No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1515\A0292383.exe
02901062 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1517\A0295674.dll
02901509 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1510\A0281133.dll
02901551 Trj/Downloader.SQN Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1520\A0297848.exe
02902098 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1517\A0295668.dll
02902388 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1517\A0295670.dll
02902392 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1517\A0295673.dll
02902684 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1517\A0295660.dll
02904329 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1517\A0295661.dll
02904329 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1510\A0281125.dll
02904332 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1517\A0295669.dll
02904332 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1517\A0295665.dll
02907503 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{43F5BAB5-AE95-4FF1-9201-6E1967C682DD}\RP1518\A0297654.dll
;===================================================================================================================================================================================
SUSPECTS
Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================


thanks Dan.
conky
Regular Member
 
Posts: 27
Joined: March 24th, 2008, 5:28 pm

Re: The BIG RED X

Unread postby dan12 » March 30th, 2008, 7:44 pm

As for your a\v, go to add and remove programs and find and remove entries that relate to your a\v you want removing.
C:\Program Files\Yahoo!\Antivirus\

Send me a new HJT log when done.
dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: The BIG RED X

Unread postby dan12 » March 30th, 2008, 8:30 pm

What you mean by the big red x is still on the c: drive?
Is it a screen image your seeing?
dan :)
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: The BIG RED X

Unread postby conky » March 30th, 2008, 9:29 pm

Dumped AVG - kept Yahoo antivirus. Below is the new hijack log. in the last total scan I did it said I had over 100 infected files. Do I need to clean them out?

yes, in the "my computer" window the local "C" drive has an big red "X" in it instead of the computer icon. That appeared after my computer got seriously infected.

Thanks Dan.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:24:36 PM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\YOP\yop.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.windowsdownloads.com/success.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\HP DVD\Umbrella\DVDTray.exe
O4 - HKLM\..\Run: [DVDBitSet] C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe /NOUI
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON PictureMate Deluxe (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE /P33 "EPSON PictureMate Deluxe (Copy 1)" /O6 "USB004" /M "PictureMate Deluxe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [EPSON PictureMate Deluxe (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE /P33 "EPSON PictureMate Deluxe (Copy 1)" /M "PictureMate Deluxe" /EF "HKCU"
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://images.autodesk.com/adsk/files/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3703931719
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

--
End of file - 6647 bytes

-----------------------------------------
conky
Regular Member
 
Posts: 27
Joined: March 24th, 2008, 5:28 pm

Re: The BIG RED X

Unread postby dan12 » March 31st, 2008, 4:07 am

Hi, I'm not 100% sure Yahoo antivirus comes bundled with a firewall, is it the free version?
so you might want to use my link to pick yourself one up.
don't worry about what the scan picked up I will deal with them shortly.
dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: The BIG RED X

Unread postby conky » March 31st, 2008, 2:41 pm

i have SBC yahoo but it doesn't look like there is a firewall installed. What link do I click on to check that out?

Thanks Dan!
conky
Regular Member
 
Posts: 27
Joined: March 24th, 2008, 5:28 pm

Re: The BIG RED X

Unread postby dan12 » March 31st, 2008, 3:18 pm

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
    Folder::
c:\windows\system32\fleok

    Registry::
[-hkey_local_machine\software\microsoft\windows\currentversion\internet settings\user agent\post platform\iebar]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30}]


 

    


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

__________________

Sorry Conky, I thought I had given you the link.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

There are several possible reasons for the Firewall not showing.
  1. You are using Windows Firewall. This is not recommended as it will only stop incoming material. It permits all outgoing traffic.
  2. You are using a hardware firewall. It should be complemented with a Third Party Software Firewall
  3. You have a firewall, but you disabled it. Please re-enable it.
  4. You don't have a firewall at all.

If you don't have a third party firewall, please get ONE firewall and install it. Restart the computer for changes to take effect.

Online Armor
Comodo Personal Firewall

Please post back a new HijackThis log plus the combo log
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: The BIG RED X

Unread postby conky » March 31st, 2008, 10:12 pm

Hi Dan:

Disconnected the windows firewall and added online armor.

ComboFix 08-03-22.1 - Administrator 2008-03-31 18:09:39.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.623 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\fleok
c:\windows\system32\fleok\ncmyb.dll.tmp

.
((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.

2008-03-30 12:01 . 2008-03-30 12:09 <DIR> d----c--- C:\Documents and Settings\Administrator\Incomplete
2008-03-29 10:53 . 2008-03-29 10:53 6,144 --ahsc--- C:\WINDOWS\system32\Thumbs.db
2008-03-25 21:47 . 2008-03-25 21:50 <DIR> d----c--- C:\Program Files\Panda Security
2008-03-25 19:48 . 2008-03-25 19:48 <DIR> d----c--- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-25 19:48 . 2008-03-25 19:48 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-25 19:48 . 2008-03-25 19:48 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-03-24 15:38 . 2008-03-24 15:38 <DIR> d----c--- C:\Program Files\Trend Micro
2008-03-24 15:01 . 2008-03-24 15:01 <DIR> d----c--- C:\Program Files\CCleaner
2008-03-22 18:57 . 2008-03-22 22:46 250 --a--c--- C:\WINDOWS\gmer.ini
2008-03-17 19:06 . 2008-03-17 19:06 <DIR> d----c--- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-17 19:06 . 2008-03-30 08:00 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-17 19:05 . 2008-03-30 17:32 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\avg7

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 04:45 --------- dc----w C:\Program Files\mIRC
2008-03-23 06:00 --------- dc----w C:\Program Files\Java
2008-03-23 00:45 --------- dc----w C:\Program Files\PowerISO
2008-03-22 22:49 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-03-18 02:03 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-24 07:00 --------- dc----w C:\Program Files\Digital Photo Navigator 1.5
2008-02-24 06:49 --------- dc----w C:\Program Files\Webshots
2008-02-24 06:22 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-24 06:14 --------- dc----w C:\Program Files\CyberLink
2008-02-24 06:13 --------- dc----w C:\Program Files\IrfanView
2008-02-18 20:08 --------- dc----w C:\Program Files\Common Files\Adobe
2008-02-13 02:21 --------- dc----r C:\Documents and Settings\All Users\Application Data\SalesMon
2007-09-02 17:07 256 -c--a-w C:\Documents and Settings\Administrator\pool.bin
2007-03-25 19:55 284,864 -c--a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2003-08-27 21:19 36,963 -c--a-r C:\Program Files\Common Files\SM1updtr.dll
2006-05-06 16:42 7,260,160 -c--a-w C:\Program Files\mozilla firefox\plugins\libvlc.dll
2007-03-09 07:12 27,648 -csha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((( snapshot@2008-03-22_18.25.05.85 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-21 21:37:26 124,208 -c--a-w C:\WINDOWS\Downloaded Program Files\ascstubie.dll
+ 2007-07-18 21:49:56 12,592 -c--a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
+ 2008-03-23 01:57:00 819,200 -c--a-w C:\WINDOWS\gmer.dll
+ 2008-03-04 03:29:06 761,856 -c--a-w C:\WINDOWS\gmer.exe
- 2007-12-04 05:36:43 5,409 -c--a-w C:\WINDOWS\mozver.dat
+ 2008-03-26 04:48:16 6,585 -c--a-w C:\WINDOWS\mozver.dat
+ 2008-03-23 01:57:00 86,097 -c--a-w C:\WINDOWS\system32\drivers\gmer.sys
- 2007-09-25 06:30:28 135,168 -c--a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 08:23:35 135,168 -c--a-w C:\WINDOWS\system32\java.exe
- 2007-09-25 06:30:30 135,168 -c--a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 08:23:39 135,168 -c--a-w C:\WINDOWS\system32\javaw.exe
- 2007-09-25 07:31:42 139,264 -c--a-w C:\WINDOWS\system32\javaws.exe
+ 2008-02-22 09:33:32 139,264 -c--a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe" [2004-02-10 12:19 180224]
"EPSON PictureMate Deluxe (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.exe" [2004-10-17 03:00 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-02-10 00:59 47104 C:\WINDOWS\SOUNDMAN.EXE]
"DVDTray"="C:\Program Files\HP DVD\Umbrella\DVDTray.exe" [2003-07-23 10:42 69632]
"DVDBitSet"="C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" [2003-07-18 10:49 204800]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-21 20:08 185632]
"EPSON PictureMate Deluxe (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.exe" [2004-10-17 03:00 98304]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 16:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^HotSync Manager.LNK]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HotSync Manager.LNK
backup=C:\WINDOWS\pss\HotSync Manager.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^TrueAssistant.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\TrueAssistant.lnk
backup=C:\WINDOWS\pss\TrueAssistant.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Creating Keepsakes Scrapbook Designer Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Creating Keepsakes Scrapbook Designer Event Reminder.lnk
backup=C:\WINDOWS\pss\Creating Keepsakes Scrapbook Designer Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
--a--c--- 2005-11-03 16:39 230512 C:\Program Files\Yahoo!\Antivirus\CAVTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
--a--c--- 2005-11-03 16:39 185456 C:\Program Files\Yahoo!\Antivirus\CAVRID.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EverioService]
-----c--- 2006-11-22 21:10 151552 C:\Program Files\CyberLink\PCM4Everio\EverioService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Proxy Server]
C:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2004-09-13 15:49 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-09-11 04:40 218032 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2008-01-15 04:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a--c--- 2007-05-15 17:12 484904 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
C:\Program Files\Logitech\ImageStudio\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
C:\Program Files\Logitech\ImageStudio\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
--a--c--- 2002-12-10 18:54 127022 C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
--a--c--- 2004-02-10 12:19 180224 C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a--c--- 2007-04-09 05:23 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2008-01-10 16:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a--c--- 2007-03-26 07:07 228088 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a------ 2005-06-03 07:16 81920 C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2007-10-21 20:08 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a--c--- 2003-08-19 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a--c--- 2005-08-15 16:24 3092480 C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
--a--c--- 2005-04-22 20:49 397312 C:\PROGRA~1\Yahoo!\YOP\yop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\javaw.exe"=
"C:\\WINDOWS\\system32\\hpbspsvr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Macromedia\\Contribute 3\\Contribute.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2000-01-08 09:22]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 22:29]
S0 szkg5;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys []
S3 hpusbwdm;HP DVD Movie Writer dc3000/dc4000;C:\WINDOWS\system32\DRIVERS\hpusbwdm.sys []
S3 McAfeePF;McAfee Firewall Network Filter Miniport;C:\WINDOWS\system32\DRIVERS\fw220.sys []
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2007-01-18 10:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e16e5b41-ade1-11dc-a17f-00508d4bb37a}]
\Shell\AutoRun\command - G:\PortableVault.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-03-27 03:56:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 18:15:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-31 18:17:10
ComboFix-quarantined-files.txt 2008-04-01 01:16:41
ComboFix2.txt 2008-03-30 00:11:45
ComboFix3.txt 2008-03-28 20:32:37
ComboFix4.txt 2008-03-26 01:07:39
ComboFix5.txt 2008-03-24 22:28:01
.
2008-03-22 22:07:21 --- E O F ---

----------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:10:35 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.windowsdownloads.com/success.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\HP DVD\Umbrella\DVDTray.exe
O4 - HKLM\..\Run: [DVDBitSet] C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe /NOUI
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON PictureMate Deluxe (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE /P33 "EPSON PictureMate Deluxe (Copy 1)" /O6 "USB004" /M "PictureMate Deluxe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [EPSON PictureMate Deluxe (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE /P33 "EPSON PictureMate Deluxe (Copy 1)" /M "PictureMate Deluxe" /EF "HKCU"
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://images.autodesk.com/adsk/files/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3703931719
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

--
End of file - 7038 bytes
conky
Regular Member
 
Posts: 27
Joined: March 24th, 2008, 5:28 pm

Re: The BIG RED X

Unread postby dan12 » April 1st, 2008, 3:46 pm

UNINSTALL COMBOFIX

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK.
  • Note the space between the X and the U, it needs to be there.
  • Image
You can also delete any logs we have produced, and empty your Recycle bin.


Close all windows and try typing this command directly in and see if ComboFix runs.

Remember to use the " marks and there is a space between exe" and /killall

Start > Run > type "%userprofile%\desktop\combofix.exe" /killall

If ComboFix runs, please post the log.

Let me know when this is done.

dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: The BIG RED X

Unread postby conky » April 2nd, 2008, 12:31 am

it is now uninstalled - no log to post.
conky
Regular Member
 
Posts: 27
Joined: March 24th, 2008, 5:28 pm

Re: The BIG RED X

Unread postby dan12 » April 2nd, 2008, 2:31 pm

Create a new System Restore Point
This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.

As we had a fair bit to clean can you do me a further total scan.
Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: The BIG RED X

Unread postby conky » April 3rd, 2008, 1:12 am

When I get to system restore and click on "create a restore point" it goes to a screen that says"type a description for your restore point in the following text box. Ensure that you choose a description that is easy to identify in case you need to restore your computer later on."

When I go to "Start - Run" and type in 'cleanmgr" it does not have the "more options" box.

Please advise.

Thanks much,

Debbie
conky
Regular Member
 
Posts: 27
Joined: March 24th, 2008, 5:28 pm
Advertisement
Register to Remove

PreviousNext

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 12 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware