I recently acquired some viruses

Unread postby jedmed » January 13th, 2008, 1:05 am

I recently acquired 2 viruses. The HKTL_Prockill.A virus and the PAK_Generic.001 virus.

I have Trend Micro Antivirus. Its scanning abilities have been disabled since I contracted the virus, so I had to use Housecall instead, which tried to remove the HKTL_Prockill.A virus but could only partially remove it, leaving a file called Terminator.exe at C:\hp\bin\Terminator.exe.

When I came upon the file, I opened up the properties. When I did, I saw a description under the Version tab. It said: A serious Killer of Windows.
So I was informed by Trend Micro that I should delete the file to get rid of the virus. That's exactly what I did. But I'm still unable to scan with Trend Micro.

When I entered C:\hp\bin\ to delete the Terminator file, I noticed a lot of weird files. They are as follows: ProcessLogger.exe (with a picture of a clown as the icon), Progress.exe (with a clock icon), RPCOPY.exe by SoftThinks, RefCount.exe and TransientMessage.exe (with pictures of a big city as their icons), among some others. A couple of the ones not listed I already permanently deleted, called Killwind.exe and KillIt.exe. One of them said in its description something like this: A file that doesn't in any way do anything harmful to Windows. Another file called HPBMI, I believe (which had a picture of a memory chip as its icon), I permanently deleted, which said in its description: This is a file.

Not long after coming upon the files, I noticed Trend Micro had quarantined a file linked with the PAK_Generic.001 virus. Its name is V4KSFHa01420, which I deleted, because it said it was a virus.

So after coming upon the files inside C:\hp\bin\, I deleted what I thought was suspicious to the Recycle Bin for quarantine. After doing this I ran HijackThis with the files in the Recycle Bin, then ran another with them out. The first log sheet from HijackThis is with the files out. The second is with them inside the Recycle Bin.

My main objective is to make sure I exterminate this virus completely from my system. My next moves, until I hear from you, are pretty much this: run Housecall again with System Restore disabled, re-quarantine the files, then try to scan with Trend Micro again. If still unsuccessful, I have planned to uninstall Trend Micro, then install, update and try to scan again. I have fought the W32Blaster worm before and won. If you could help me with this, I would be very happy. I can't believe there are people like this group who do this. Thank you. Please help me.

Number 1:
So I ran HijackThis by TrendSecure/TrendMicro and here are the results:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:25 PM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\WINDOWS\system32\lxamsp32.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_server.exe
C:\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\LTMSG.exe
C:\HP\KBD\KBD.EXE
C:\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\LexmarkX63\ACMonitor_X63.exe
C:\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.shawneelink.net/users/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.pennfoster.com/StudentPortal/ ... m.jsp?D=pf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.shawneelink.net/users/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shawneelink.net/users/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=216.240.66.21:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Real\RealOne Player\rpbrowserrecordplugin.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [checktime] "c:\program files\HPSelect\Frontend\ct.exe"
O4 - HKLM\..\Run: [HPGamesActiveMenu] "C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [mm_server] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_server.exe"
O4 - HKLM\..\Run: [Ulead Memory Card Detector] "C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpiralFrog] C:\SpiralFrog\Spiralfrog.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Microsoft Works\WkDetect.exe"
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - S-1-5-18 Startup: AutoPlay.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\LexmarkX63\ACMonitor_X63.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\hp\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SL Support - {0796CAAF-1B08-4E49-9EEC-B5C2266CE9F2} - http://www.shawneelink.net/support/ (file missing) (HKCU)
O9 - Extra button: SL Users - {21CFF795-D8B1-4CC1-BF81-711A55D6DC67} - http://www.shawneelink.net/users/ (file missing) (HKCU)
O9 - Extra button: SL WebMail - {A10FB4A6-4D2F-475E-9ACB-B4C4CE5D780D} - http://webmail.shawneelink.net (file missing) (HKCU)
O9 - Extra button: SL Home - {D78A743A-34BF-4FB0-B6CF-13AE5476BBC8} - http://www.shawneelink.net (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.shawneelink.net
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1269/ ... rix6ie.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/ins ... csxp2k.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/04d0f79b5d3daf8f0d ... xIE601.cab
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops.aol ... 0.84.2.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4017/ ... brkpie.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bu ... eRdxIE.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crl ... crlocx.ocx
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 11168 bytes

jedmed
Active Member
Posts: 8
Joined: January 13th, 2008, 12:18 am

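The HijackThis log above is a line-oriented format (section tag, dash, body) that helpers read by eye. As an added example, not code from the original post or from the MalwareRemoval.com team, here is a small Python parser for HijackThis 2.x entries with a handful of triage rules applied to lines copied from the log above (constructed sample, trimmed to a few entries). The rules (a user-level proxy pointing at a public IP address, a URLSearchHook with no registered name, O4 Run values that launch a bare filename resolved via the search path, startup items in the SYSTEM/Default profiles, and Winsock LSP entries HijackThis does not recognise) are my own heuristics for what to verify, not HijackThis verdicts, and they flag items for follow-up rather than declaring anything malicious.

```python
"""Parse HijackThis 2.x log entries and apply a few triage heuristics."""
import re
from ipaddress import ip_address

# Constructed sample: a handful of lines copied from the HJT log in the post above,
# plus two non-entry lines (header and a running process) that the parser must ignore.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=216.240.66.21:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - S-1-5-18 Startup: AutoPlay.exe (User 'SYSTEM')
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

ENTRY_RE = re.compile(r"^(?P<section>[ROF]\d+) - (?P<body>.*)$")
PROXY_RE = re.compile(r"ProxyServer = (?P<value>.+)$")
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]*)\] (?P<command>.+)$")


def parse_hjt(text):
    """Return one dict per HJT entry line (R0/R1/O2/O4/...); other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"section": m["section"], "body": m["body"], "line": line})
    return entries


def proxy_host(value):
    """Host part of a ProxyServer value: 'http=1.2.3.4:80', 'host:8080' or 'a=h1:1;b=h2:2'."""
    first = value.split(";")[0]           # only the first protocol mapping matters here
    if "=" in first:
        first = first.split("=", 1)[1]    # drop the 'http=' scheme prefix
    return first.rsplit(":", 1)[0]        # drop the port


def is_public_ip(host):
    """True only for a literal IP address outside private/loopback/link-local ranges."""
    try:
        ip = ip_address(host)
    except ValueError:
        return False                      # a hostname, not a literal address
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def command_exe(command):
    """First token of an O4 command line, with surrounding quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def triage(entries):
    """Apply the heuristics; returns (section, reason, original line) tuples to verify."""
    findings = []
    for e in entries:
        sec, body = e["section"], e["body"]
        if sec == "R1" and (m := PROXY_RE.search(body)):
            host = proxy_host(m["value"])
            if is_public_ip(host):
                findings.append((sec, f"user proxy set to public address {host}; confirm it is the expected ISP/corporate proxy", e["line"]))
        elif sec == "R3" and "(no name)" in body:
            findings.append((sec, "URLSearchHook with no registered name; identify the DLL", e["line"]))
        elif sec == "O4" and (m := RUN_RE.search(body)):
            exe = command_exe(m["command"])
            if not re.match(r"^[A-Za-z]:\\", exe):   # no drive-letter path: resolved via search path
                findings.append((sec, f"Run value '{m['name']}' launches bare filename {exe}; locate the real file", e["line"]))
        elif sec == "O4" and ("S-1-5-18" in body or ".DEFAULT" in body):
            findings.append((sec, "startup item in SYSTEM/Default profile; check the file it points to", e["line"]))
        elif sec == "O10":
            findings.append((sec, "Winsock LSP not in HJT's known list; identify the vendor before removing (a broken LSP chain kills networking)", e["line"]))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{sec}] {reason}\n    {line}")
```

Running it against the sample prints six items to verify: the proxy at 216.240.66.21, the unnamed Ask search hook, the two bare-filename Run values (lxamsp32.exe and LTMSG.exe), the SYSTEM-profile AutoPlay.exe startup item and the tmlsp.dll LSP. KBD.EXE is not flagged because it has a full path. Each flag is a question for the helper or the machine's owner, which is exactly how the thread proceeds: the helper looks at the same entries and asks whether this is an HP machine.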
Re: I recently acquired some viruses

Unread postby Katana » January 16th, 2008, 1:58 pm

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

I apologize for the delay in responding, but as you can probably see the forums are quite busy
and sometimes a post manages to slip by us.
Unfortunately there are far more people needing help than there are helpers.

If you still require help please post a fresh Hijack This log to this thread.
I will be notified and I will get back to you ASAP.

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Unless informed of in advance, failure to post replies within 5 days will result in this thread being closed.



There is no evidence of any malware in your logs. Do you have an HP machine?
Katana
MRU Teacher Emeritus
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: I recently acquired some viruses

Unread postby jedmed » January 17th, 2008, 10:33 am

Thank you, Katana. Yes, I do have an HP machine. It's an HP Pavilion 7915, running Windows XP SP2. I'm also running Webroot Spy Sweeper 5.5.7 Build 124 and Trend Micro AntiVirus 2007.

I also have some very funky files, that I mentioned in my last post, I was wondering about. I'm thinking that they have to be malicious by their descriptions and their icons.

I'll await further input from you. I won't give up until you say all clear. ttyl.

Re: I recently acquired some viruses

Unread postby Katana » January 17th, 2008, 12:06 pm

First off, I suggest that you re-enable system restore. It is better to have an infected restore point than a dead machine :lol:

The files in the C:\hp\bin folder are most likely safe. Companies such as HP install these files so that when you visit the site to update drivers/software then the tools are ready to complete the installation.
Malware generally brings its own toolkit of nasties as it can't rely on those files being present.

Please do the following so I can see if anything is left.



Kaspersky Online Scanner
Your antivirus and/or antispyware may give a warning during the scan. This is perfectly normal.
Go here: http://www.kaspersky.com/kos/eng/partne ... bscan.html

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Re: I recently acquired some viruses

Unread postby jedmed » January 21st, 2008, 2:19 pm

Sorry it took me so long to reply. I've been very busy. I did manage to scan my computer with Kaspersky, though, and re-enable System Restore. I'm a little concerned, though, at the results of the scan. You see, I run HP Digital Imaging software, Webroot Spy Sweeper, and MusicMatch Jukebox on my computer, and these are some of the very things in the list of infected files. I also recently downloaded a program called WebMedia Player for free. It's in the list too, but I don't really trust the program either. FYI, Kaspersky also said I have 1 virus and 12 infected objects. Anyway, I wasn't sure if you wanted me to post the results or not, but here's the list below for you to take a look at.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, January 20, 2008 6:56:20 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/01/2008
Kaspersky Anti-Virus database records: 524414
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 99585
Number of viruses found: 1
Number of infected objects: 12
Number of suspicious objects: 0
Duration of the scan process: 04:37:27

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS006E978B-2B4D-4146-97A7-169E54C55C14.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS00884BB5-31F4-4234-801F-1DCE1B2E2675.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS07B53883-1D3C-4AEF-AB88-33D4D2C06360.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS09277F73-7BE6-418D-BC76-4697E8169ADF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS0C77A67D-3708-4EC5-9532-3C0EF734228F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS0F228AFC-D8B5-4840-8D08-1BB114DF7876.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1109EEF9-EB22-4400-A059-24AB468A6AF3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS11550AFF-7AA8-4566-BDDC-0B16C06D0A7D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS121C27B1-BDE1-4977-BD1E-9083F7057E78.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS152E896E-7BBA-4E47-9FFC-8E3FECB5ED63.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1A3FEE2C-473E-42D5-9F7F-6D83B4EF4A91.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1BE7A1B8-B39F-4AA9-A499-D23586E7BF9D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1CB4DC32-F0E3-43DA-AE1A-53DB9E062131.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS27B9153D-EA94-4C64-AF42-60431BD7DC20.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS286A9664-BE72-499A-BB52-5C44070F03BA.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS2AAA201E-8A34-4244-9CFC-392702BBA121.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS2B6269F2-25D3-4C23-806C-4464859230AB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS2D07E666-197B-49E9-B3B2-F5886EE0732E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3205146C-EF63-47C1-A680-E463F4F44707.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS34AD7377-4384-4EC5-AA10-F1B3738A5EA0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS381F6F96-6BE8-460A-8BC4-FDC44BB24611.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3878C340-8239-4AA0-A8E3-A3BF9CE02CD0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3EA1C20A-82CE-43BF-A23A-2FD0867A47B6.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3F870236-0C68-405B-990F-80C2E383383B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS45AAF58D-9416-4A69-8E0C-14026CB44D44.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS4A49D55C-0C3A-4CBE-B6FA-9E6E9583230D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS4F910107-3345-4DA5-B108-B15508433581.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS4FE40D87-4A2B-44C0-9627-F752EE7297E1.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS51028397-87FE-4591-8E5C-FA9921CC1E6D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS5209C9A5-22EC-4CF5-B969-7DDFDE902EA7.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS55017799-502F-43F3-A1CA-58543709CD34.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS5B4649F6-F9ED-4065-B9B7-41336B423ABD.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS60978943-177E-4323-9DBA-4EB28CADD4EC.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS623CCC05-450A-4BDD-87FD-E7C59308E540.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS63419F91-AA92-49B4-A629-313FF12A1884.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS6C4E0426-9025-45A9-95C3-3B71CD081C37.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS6EE401AE-9A9A-4D71-A039-AB10067A7615.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS73208A04-39B2-461B-ACA4-6FF8BBE67CC6.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS75B8654C-3868-4E0A-8C27-CA36D1258B53.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS75CA3C80-7A35-482F-B47E-3A877DF79431.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS78BE7CA4-662D-4E2E-B7E7-A194DF81C2F4.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS7A433525-D0F8-4B4E-B0A7-7544F57A33AB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS7B3236E0-293B-4550-8C66-B41D03C2A978.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS81C005C5-2520-4B0A-8B05-4F7422095416.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS8F012160-DDF6-45EA-AADF-B24DA209A35E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS9313FFE2-988B-40C0-BF4D-34D253AF4F23.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS994CFE1C-BD2E-4049-B154-765E85E9511D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS9EBAD4A0-076E-4574-A39D-91CD9D53880C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA307EBD9-F4CD-4382-AB73-8ABB3D2B47F7.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA7D81712-F9BC-4BAE-8C87-AF117C713078.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA803B17E-E1E7-4F89-9FBB-071D8CDCE200.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSADA4DA3D-99F9-4F7F-842F-B42335F7CD1A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSB3E7626D-FF81-436C-B1B9-CC251846DD6F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSB7846B42-FF32-4832-BB42-B1C0F6A6A4EE.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBB6E49A9-01C8-4A26-9C9E-C841D4D56B6E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBC298E16-7C06-4A1F-80D7-822FB4058BB2.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBEE19CE7-E1DE-435A-997C-20CAE44A0F09.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBF5A116A-44FD-41AA-A000-213AE8D9C186.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSC20AD949-1CA8-4C5A-B0E3-253E7CDB19C8.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSC3E5BB9F-C635-4502-B584-212376A60E33.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSC70645F5-D243-46B8-9B19-9EDCB8994A99.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSC8334591-C709-48FD-A6EB-5FA78C23BA65.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSC9A365CF-42B7-4433-9549-31F54A3FC687.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSCB110468-A9E7-4324-ACDA-DE7F80933030.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSCD4D97BC-8EC1-4458-B770-76ECD8CC9457.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD0FCF0E3-4385-4CD0-BFEF-05C76801E256.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD16F1638-7EFE-432A-BDC7-81B88F62DE25.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD3A8C120-76DC-4540-AB46-9EEF5CA6CCA3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD41630AD-351C-46FC-AB77-4B8C09E0A20B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD7EEA704-0733-42BE-A4B3-4C09795E36EA.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD884E352-F900-4560-B672-8CB11A07895B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDA0F82A6-3427-4388-8D1F-32F65EC9EF90.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDAC2BC9B-9BF5-4EA8-8ACA-968C6A45257F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDD73F9AD-ED7A-4F11-9224-9EF59150F29F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDE2F8685-A110-45D8-A002-DBC518D4D121.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSE6B0DDC1-6C39-4859-AC0E-B6B66C6C4D9E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSE754C2CB-4011-473F-9DBF-C4BEC756D2E9.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSE88BBC85-15E6-4F16-8BD5-9F38B6D20547.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSEA171A9B-A731-4FE0-AB85-448AB6D1885C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSED72D5D4-569E-4BCF-93B3-E2D2A58AB7E4.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF1D71557-F3D5-4550-8E79-A7EF24D719FA.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF374FA72-7B17-4B04-873B-9F4FD7D45DCE.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF6A14ED9-EA7A-4119-8CFF-2F1F850B772C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF6A18206-7BFD-40F7-BC5F-6921142B0835.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF6E945FF-699C-4B7A-8994-D85E09B9186E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF8A22576-4525-4E84-9BC9-E7C829D3538B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF8A8C8D1-1901-445F-90A3-64948E2F9ECF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSFA3E3CEB-5016-409F-B4C7-72C425D67CA1.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSFA5D3729-5089-4A1A-B889-63086A8D79F3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Webroot\Spy Sweeper\Logs\080119234946.ses Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\Desktop Icons\webmediaplayer_setup.exe/data0000.bin/stream/data0006 Infected: not-a-virus:AdWare.Win32.NaviPromo.cc skipped
C:\Documents and Settings\Owner\Desktop\Desktop Icons\webmediaplayer_setup.exe/data0000.bin/stream Infected: not-a-virus:AdWare.Win32.NaviPromo.cc skipped
C:\Documents and Settings\Owner\Desktop\Desktop Icons\webmediaplayer_setup.exe/data0000.bin Infected: not-a-virus:AdWare.Win32.NaviPromo.cc skipped
C:\Documents and Settings\Owner\Desktop\Desktop Icons\webmediaplayer_setup.exe EmbeddedEXE: infected - 3 skipped
C:\Documents and Settings\Owner\Desktop\Desktop Icons\webmediaplayer_setup.exe UPX: infected - 3 skipped
C:\Documents and Settings\Owner\Desktop\Desktop Icons\webmediaplayer_setup.exe PE_Patch.UPX: infected - 3 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.4a8bf74d.ini.inuse Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\NSIS_Install_WMP.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.NaviPromo.cc skipped
C:\Documents and Settings\Owner\Local Settings\Temp\NSIS_Install_WMP.exe/stream Infected: not-a-virus:AdWare.Win32.NaviPromo.cc skipped
C:\Documents and Settings\Owner\Local Settings\Temp\NSIS_Install_WMP.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF334D.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP2\change.log Object is locked skipped
C:\WebMediaPlayer\uninst.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.NaviPromo.cc skipped
C:\WebMediaPlayer\uninst.exe/stream Infected: not-a-virus:AdWare.Win32.NaviPromo.cc skipped
C:\WebMediaPlayer\uninst.exe NSIS: infected - 2 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
jedmed
Active Member
 
Posts: 8
Joined: January 13th, 2008, 12:18 am

Re: I recently aquired some viruses

Post by Katana » January 21st, 2008, 2:47 pm

The WebMediaPlayer is infected with adware; the other items are fine.


Show All Files And Folders
Now you need to show all files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck Hide file extensions for known file types
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Delete Files and Folders
Find and delete the following files:
C:\Documents and Settings\Owner\Desktop\Desktop Icons\ webmediaplayer_setup.exe <<< This File
C:\Documents and Settings\Owner\Local Settings\Temp\ NSIS_Install_WMP.exe <<< This File
C:\WebMediaPlayer\ uninst.exe <<< This File



Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofi ... e-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.


Installed Programs
Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list of the programs installed on your computer.
Click on the Save list button and specify where you would like to save this file.
When you press the Save button, Notepad will open with the contents of that file.
Simply copy and paste the contents of that Notepad window into your next post.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
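
An added example, not part of either poster's message: a small Python triage script that applies the reading Katana gives above to a Kaspersky Online Scanner report in the format jedmed posted. It separates "Object is locked skipped" entries (in-use registry hives, event logs and index.dat files, which are not detections) from "Infected:" entries, folds nested archive members such as webmediaplayer_setup.exe/data0000.bin/stream back onto the file that actually exists on disk, and produces the delete list. The log excerpt embedded in the script is constructed from a few lines of the report above rather than the whole report; the function names and the "adware/riskware" label for Kaspersky's "not-a-virus:" prefix are the example's own choices.

```python
import re
from collections import defaultdict

# Constructed excerpt (not the full report from the thread) in the same
# "<object> <status>" format the Kaspersky Online Scanner uses. Members of
# an archive or installer are appended to the on-disk file with "/".
SAMPLE_LOG = r"""
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\Desktop Icons\webmediaplayer_setup.exe/data0000.bin/stream/data0006 Infected: not-a-virus:AdWare.Win32.NaviPromo.cc skipped
C:\Documents and Settings\Owner\Desktop\Desktop Icons\webmediaplayer_setup.exe/data0000.bin Infected: not-a-virus:AdWare.Win32.NaviPromo.cc skipped
C:\Documents and Settings\Owner\Desktop\Desktop Icons\webmediaplayer_setup.exe EmbeddedEXE: infected - 3 skipped
C:\Documents and Settings\Owner\Desktop\Desktop Icons\webmediaplayer_setup.exe UPX: infected - 3 skipped
C:\Documents and Settings\Owner\Local Settings\Temp\NSIS_Install_WMP.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.NaviPromo.cc skipped
C:\Documents and Settings\Owner\Local Settings\Temp\NSIS_Install_WMP.exe NSIS: infected - 2 skipped
C:\WebMediaPlayer\uninst.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.NaviPromo.cc skipped
C:\WebMediaPlayer\uninst.exe NSIS: infected - 2 skipped
C:\WINDOWS\SYSTEM32\config\software Object is locked skipped
"""

LOCKED_RE = re.compile(r"^(?P<obj>.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<verdict>\S+) skipped$")
# Roll-up line the scanner emits for the container itself, e.g.
# "...\x.exe NSIS: infected - 2 skipped" or "...\x.exe UPX: infected - 3 skipped".
CONTAINER_RE = re.compile(r"^(?P<obj>.+?) (?P<packer>\S+): infected - (?P<count>\d+) skipped$")


def parse_line(line):
    """Classify one report line; returns None for lines that are not findings."""
    line = line.strip()
    if not line:
        return None
    m = LOCKED_RE.match(line)
    if m:
        return {"kind": "locked", "obj": m.group("obj")}
    m = INFECTED_RE.match(line)
    if m:
        return {"kind": "infected", "obj": m.group("obj"), "verdict": m.group("verdict")}
    m = CONTAINER_RE.match(line)
    if m:
        return {"kind": "container", "obj": m.group("obj"),
                "packer": m.group("packer"), "count": int(m.group("count"))}
    return None


def on_disk_file(obj):
    """Strip the archive-member suffix. Windows paths never contain '/', so
    everything from the first '/' onward names a member inside the file."""
    return obj.split("/", 1)[0]


def triage(log_text):
    """Count locked objects and collect the verdicts per on-disk file."""
    locked = 0
    infected = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "locked":
            locked += 1
        elif rec["kind"] == "infected":
            infected[on_disk_file(rec["obj"])].add(rec["verdict"])
        elif rec["kind"] == "container":
            # The roll-up line carries no verdict of its own; just make sure
            # the container file is listed even if its member lines were cut.
            infected.setdefault(on_disk_file(rec["obj"]), set())
    return {"locked": locked, "infected": dict(infected)}


def classify(verdict):
    """Kaspersky prefixes adware/riskware detections with 'not-a-virus:'."""
    return "adware/riskware" if verdict.startswith("not-a-virus:") else "malware"


def files_to_delete(log_text):
    """Unique on-disk files carrying at least one detection, sorted."""
    return sorted(triage(log_text)["infected"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['locked']} locked objects (in-use hives/logs/index.dat; not findings)")
    for path, verdicts in sorted(result["infected"].items()):
        kinds = {classify(v) for v in verdicts} or {"packed/embedded (see member lines)"}
        print(f"DELETE  {path}  [{', '.join(sorted(kinds))}]")
```

Run against the constructed excerpt, the script reports three locked objects and exactly the three files Katana lists for deletion. The point of folding on the first "/" is that the scanner reports every nested member separately (three lines for one installer), but only the outer file exists on disk and can be deleted; the "Object is locked" entries are the registry hives, event logs and browser index files Windows holds open, and are skipped because they are in use, not because anything is wrong with them.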

Re: I recently aquired some viruses

Post by jedmed » January 22nd, 2008, 11:54 am

Katana,

I've completed all the tasks you wanted me to do and they are listed below. First will be the ComboFix log, then the HijackThis log, followed by the HijackThis program list. Thank you again for helping me and looking at all this.
----------------------------------------------------
ComboFix 08-01-21.5 - Owner 2008-01-22 8:48:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.204 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Desktop\webmediaplayer.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WebMediaPlayer
C:\Documents and Settings\All Users\Start Menu\Programs\WebMediaPlayer\Privacy Policy.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WebMediaPlayer\Terms and conditions.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WebMediaPlayer\WebMediaPlayer.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WebMediaPlayer\Website.lnk
C:\WINDOWS\system32\nvs2.inf

----- BITS: Possible infected sites -----

hxxp://www.spiralfrog.com
.
((((((((((((((((((((((((( Files Created from 2007-12-22 to 2008-01-22 )))))))))))))))))))))))))))))))
.

2008-01-22 08:38 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-20 00:03 . 2008-01-20 00:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-01-19 23:31 . 2008-01-19 23:31 <DIR> d-------- C:\Program Files\AIPTEK
2008-01-19 23:31 . 2001-04-23 17:00 618,496 --a------ C:\WINDOWS\SYSTEM32\stvcol.dll
2008-01-19 23:31 . 2007-12-16 09:11 466,948 --a------ C:\WINDOWS\unin0c09.exe
2008-01-19 23:31 . 2001-01-26 18:37 331,776 --a------ C:\WINDOWS\SYSTEM32\g2video1.ocx
2008-01-19 23:31 . 2001-11-14 15:56 245,760 --a------ C:\WINDOWS\SYSTEM32\stv680u.dll
2008-01-19 23:31 . 2001-01-30 08:15 105,292 --------- C:\WINDOWS\restart.exe
2008-01-19 23:31 . 2001-11-14 15:56 69,632 --a------ C:\WINDOWS\SYSTEM32\stv680sl.dll
2008-01-19 23:31 . 2000-08-03 15:09 49,152 --a------ C:\WINDOWS\SYSTEM32\stvscale.dll
2008-01-19 23:31 . 2001-11-14 15:56 49,152 --a------ C:\WINDOWS\SYSTEM32\stv680tg.dll
2008-01-19 23:31 . 2001-11-14 15:56 35,388 --a------ C:\WINDOWS\SYSTEM32\stv680u.cfg
2008-01-19 23:20 . 2008-01-19 23:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData
2008-01-19 19:01 . 2006-11-13 00:02 288,768 --------- C:\WINDOWS\SYSTEM32\rhttpaa.dll
2008-01-19 19:01 . 2006-11-13 00:02 116,736 --------- C:\WINDOWS\SYSTEM32\aaclient.dll
2008-01-19 19:01 . 2006-11-13 00:02 36,352 --------- C:\WINDOWS\SYSTEM32\tsgqec.dll
2008-01-15 08:47 . 2008-01-15 08:50 <DIR> d-------- C:\remover
2008-01-13 16:18 . 2007-09-17 14:40 35,856 --a------ C:\WINDOWS\SYSTEM32\drivers\tmpreflt.sys
2008-01-12 15:37 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\SYSTEM32\drivers\tmcomm.sys
2008-01-09 16:51 . 2008-01-09 16:51 <DIR> d-------- C:\Watchtower
2008-01-08 09:57 . 2008-01-08 09:57 <DIR> d-------- C:\WINDOWS\29EJPV05BGLRX27D
2008-01-07 15:32 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\SYSTEM32\drivers\ssidrv.sys
2008-01-07 15:32 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\SYSTEM32\drivers\sskbfd.sys
2008-01-07 15:32 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\SYSTEM32\drivers\sshrmd.sys
2008-01-07 15:32 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\SYSTEM32\drivers\SSFS0BB9.sys
2008-01-07 15:31 . 2008-01-07 15:31 <DIR> d-------- C:\Program Files\AskSBar
2008-01-07 15:31 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-01-07 15:28 . 2008-01-15 08:13 164 --a------ C:\install.dat
2008-01-07 15:11 . 2008-01-07 15:11 <DIR> d-------- C:\Program Files\Webroot
2008-01-06 00:20 . 2008-01-06 00:59 <DIR> d-------- C:\My Recordings
2008-01-06 00:14 . 2008-01-06 00:15 <DIR> d-------- C:\FREE Hi-Q Recorder
2008-01-05 19:51 . 2008-01-05 19:51 <DIR> d-------- C:\Free Audio Pack
2008-01-05 19:51 . 1998-06-16 23:00 516,173 --a------ C:\WINDOWS\SYSTEM32\MSVCP60D.DLL
2008-01-05 19:51 . 1998-06-16 23:00 385,100 --a------ C:\WINDOWS\SYSTEM32\MSVCRTD.DLL
2008-01-05 19:51 . 2004-03-08 23:00 224,016 --a------ C:\WINDOWS\SYSTEM32\TABCTL32.OCX
2008-01-05 19:51 . 1998-06-24 00:00 164,144 --a------ C:\WINDOWS\SYSTEM32\COMCT232.OCX
2008-01-05 19:51 . 1998-07-12 23:00 59,904 --a------ C:\WINDOWS\SYSTEM32\Mscc2fr.dll
2008-01-05 19:51 . 1998-07-12 23:00 21,504 --a------ C:\WINDOWS\SYSTEM32\TABCTFR.DLL
2008-01-05 19:33 . 2005-01-13 16:28 6,832 --a------ C:\WINDOWS\SYSTEM32\PulseSoundTouchForVB.tlb
2008-01-05 19:14 . 2008-01-05 19:14 <DIR> d-------- C:\Efficient WMA MP3 Converter
2007-12-30 16:13 . 2008-01-22 08:05 <DIR> d-------- C:\SpiralFrog
2007-12-30 00:01 . 2007-12-30 00:01 <DIR> d-------- C:\Program Files\Swf2Avi
2007-12-29 20:59 . 2007-12-29 20:59 <DIR> d-------- C:\GeoVid
2007-12-29 13:04 . 2007-12-29 13:47 <DIR> d-------- C:\Earthcomber Updater

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-20 04:36 --------- d-----w C:\Program Files\PC-Doctor for Windows XP
2008-01-15 20:09 40,960 ----a-w C:\WINDOWS\ltmsg.exe
2008-01-15 20:08 301,568 ----a-w C:\WINDOWS\SYSTEM32\LexBceS.exe
2008-01-15 20:08 15,360 ----a-w C:\WINDOWS\SYSTEM32\dllcache\ctfmon.exe
2008-01-15 20:08 15,360 ----a-w C:\WINDOWS\SYSTEM32\ctfmon.exe
2008-01-14 17:57 --------- d-----w C:\Program Files\Trend Micro
2008-01-12 06:24 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-12 06:16 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-06 02:45 --------- d-----w C:\Program Files\NCH Swift Sound
2008-01-06 02:45 --------- d-----w C:\Program Files\NCH Software
2007-12-16 15:11 23,616 ----a-w C:\WINDOWS\system32\drivers\nchssvad.sys
2007-12-15 20:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-15 20:31 108,544 ------w C:\WINDOWS\SYSTEM32\pxcpyi64.exe
2007-12-15 20:31 104,960 ------w C:\WINDOWS\SYSTEM32\pxinsi64.exe
2007-12-15 20:24 --------- d-----w C:\Program Files\Real
2007-12-15 20:24 --------- d-----w C:\Program Files\Common Files\xing shared
2007-12-15 20:23 --------- d-----w C:\Program Files\Common Files\Real
2007-12-15 17:08 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\SYSTEM32\dllcache\jscript.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\SYSTEM32\dllcache\lsasrv.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys
2007-10-30 10:16 3,058,688 ------w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\dllcache\quartz.dll
2007-10-29 04:55 179 ----a-w C:\handle.dat
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 23:40 222,720 ------w C:\WINDOWS\SYSTEM32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shell32.dll
2006-02-19 08:28 12,288 ----a-w C:\WINDOWS\FONTS\RandFont.dll
2001-07-22 02:45 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 06:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 06:56 1,028,096 --sh--w C:\WINDOWS\SYSTEM32\mfc42.dll
2004-08-04 06:56 54,784 --sha-w C:\WINDOWS\SYSTEM32\msvcirt.dll
2004-08-04 06:56 413,696 --sha-w C:\WINDOWS\SYSTEM32\msvcp60.dll
2004-08-04 06:56 343,040 --sha-w C:\WINDOWS\SYSTEM32\msvcrt.dll
2007-05-17 11:28 549,376 --sha-w C:\WINDOWS\SYSTEM32\oleaut32.dll
2004-08-04 06:56 83,456 --sh--w C:\WINDOWS\SYSTEM32\olepro32.dll
2004-08-04 06:56 11,776 --sh--w C:\WINDOWS\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-01-15 09:13 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-07 15:31 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{4E7BD74F-2B8D-469E-C0FF-FD60B590A87D}
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}
{F83BE649-1CC3-48EE-B2E2-0826CEF3822A}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-15 18:25 28739]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-21 06:45 68856]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 03:40 218032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-15 14:08 15360]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2008-01-04 20:56 3572592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 10:04 52736]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-06-15 16:34 212992]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-08-07 18:25 143360]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-07 17:36 90112]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-08-17 16:44 196608]
"checktime"="c:\program files\HPSelect\Frontend\ct.exe" [2001-08-13 21:23 45056]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-21 10:54 36864]
"LexStart"="" []
"lxamsp32.exe"="lxamsp32.exe" [2001-10-21 13:12 45056 C:\WINDOWS\SYSTEM32\lxamsp32.exe]
"mm_server"="C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_server.exe" [2006-01-17 13:03 86016]
"HP Software Update"="C:\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 15:24 54840]
"LTMSG"="LTMSG.exe" [2008-01-15 14:09 40960 C:\WINDOWS\ltmsg.exe]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 15:44 61440]
"QuickTime Task"="C:\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-15 14:22 185896]
"mmtask"="C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2006-01-17 13:03 53248]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SpiralFrog"="C:\SpiralFrog\Spiralfrog.exe" [2007-10-15 14:38 163128]
"Trend Micro AntiVirus 2007"="C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" [2007-07-05 20:09 4609288]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AcBtnMgr_X63.exe.lnk - C:\LexmarkX63\AcBtnMgr_X63.exe [2001-06-06 15:03:10 53248]
ACMonitor_X63.exe.lnk - C:\LexmarkX63\ACMonitor_X63.exe [2001-06-06 15:02:28 40960]
HP Digital Imaging Monitor.lnk - C:\hp\Digital Imaging\bin\hpqtra08.exe [2006-02-19 03:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\hp\Digital Imaging\bin\hpqthb08.exe [2006-02-10 06:56:20 73728]

S3 DCamUSBSvis;Sound Vision Stream Driver;C:\WINDOWS\system32\DRIVERS\svstream.sys [2001-07-18 14:25]
S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\system32\drivers\PCDRDRV.sys []

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 07:19:17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-22 08:53:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-22 8:55:15
ComboFix-quarantined-files.txt 2008-01-22 14:54:50
.
2008-01-21 19:14:54 --- E O F ---
-----------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:06 AM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\WINDOWS\system32\lxamsp32.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_server.exe
C:\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\LTMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\SpiralFrog\Spiralfrog.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\hp\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.pennfoster.com/StudentPortal/ ... m.jsp?D=pf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.shawneelink.net/users
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shawneelink.net/users/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=216.240.66.21:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Real\RealOne Player\rpbrowserrecordplugin.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: TrendProtect - {E3578B37-6346-4EC1-A82B-38273A100DCF} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [checktime] "c:\program files\HPSelect\Frontend\ct.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [mm_server] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_server.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpiralFrog] C:\SpiralFrog\Spiralfrog.exe
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Microsoft Works\WkDetect.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - S-1-5-18 Startup: AutoPlay.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\LexmarkX63\ACMonitor_X63.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\hp\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SL Support - {0796CAAF-1B08-4E49-9EEC-B5C2266CE9F2} - http://www.shawneelink.net/support/ (file missing) (HKCU)
O9 - Extra button: SL Users - {21CFF795-D8B1-4CC1-BF81-711A55D6DC67} - http://www.shawneelink.net/users/ (file missing) (HKCU)
O9 - Extra button: SL WebMail - {A10FB4A6-4D2F-475E-9ACB-B4C4CE5D780D} - http://webmail.shawneelink.net (file missing) (HKCU)
O9 - Extra button: SL Home - {D78A743A-34BF-4FB0-B6CF-13AE5476BBC8} - http://www.shawneelink.net (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.shawneelink.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/ins ... csxp2k.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/04d0f79b5d3daf8f0d ... xIE601.cab
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops.aol ... 0.84.2.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bu ... eRdxIE.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crl ... crlocx.ocx
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10859 bytes
----------------------------
Here's the program list of things installed on my computer, from HijackThis.

530TX+
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager 1.2 (Remove Only)
Adobe Flash Player ActiveX
Adobe Reader 8.1.1
Adobe Shockwave Player
AP Guitar Tuner
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Astro Rally
Atomic Pop
Audacity 1.2.6
Baby Names
BlasterBall Wild
DarkOrbit - I don't know what this is. I think it was something that came with my computer.
DC2200 Digital Camera
Detto Migration Kit
D-Link PCI Fast Ethernet Adapter
Earthcomber Updater 2.2.6f
Easy Internet Sign-up
Efficient WMA MP3 Converter v0.99.2
Elasto Mania
Enhanced Multimedia Keyboard Solution
Express Rip
Free FLV Converter V 2.0
FREE Hi-Q Recorder 1.92
Free Mp3 Wma Converter V 1.6.3
Frogs vs Cars
GemMaster
GeoVid Flash Player
getPlus(R)_ocx
Google Earth
Google Toolbar for Internet Explorer
Grey Olltwit's Go Karts
Guitar Guru Supplemental Guitar Skins
Guitar Guru Version 2.2.0
Handmark Solitaire for Palm OS
Handmark® JAMDAT Bowling for Palm OS
Handmark® Magic Dogs(TM) for Palm OS
Handmark® MobileDB(TM) for Palm OS
Hard Truck 18 Wheels of Steel
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
hp center
hp deskjet 845c series (Remove only)
HP Driver Diagnostics
HP Imaging Device Functions 7.0
HP Instant Support
HP Learning Adventure
HP Photo Printing Software
HP Photosmart Cameras 7.0
HP Photosmart Premier Software 6.5
HP Solution Center 7.0
HP Update
Inactive HP Printer Drivers (Remove only)
Inactive HP ScanJet Drivers (Remove only)
iTunes
Kaspersky Online Scanner
KazooStudio
Languages of the World
Languages of the World Bonus CD
Lernout & Hauspie TruVoice American English TTS Engine
LostInTheGrid Demo V1.1
MetroGnome
MGI PhotoSuite 8.1 (Remove Only)
MGI PhotoSuite Mobile Edition (Remove only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Flight Simulator 98
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2001
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 6.0
Microsoft Works and Money 2001 Setup Launcher
Microsoft World of Flight Version 1.0
ModelDemo
MSXML 4.0 SP2 (KB936181)
Musicmatch® Jukebox
Musicnotes Player V1.23.0
My Photo Center
North American Bird Reference Book
Palm Desktop
PC-Doctor for Windows
PigPen
powerOne Personal v2.1.1 for Handhelds
PS2
Python 1.5 combined Win32 extensions
Python 1.5.2 (final)
Quicken 2001 New User Edition
Quicken Financial Center
QuickTime
RealArcade
RealPlayer
Rhapsody Player Engine
S3 Gamma - I don't know what this is either. I think it was loaded with my machine.
S3 Savage4 Family Display Switch2 Utility - I don't know what that is. I think it was loaded with my pc.
SabreWing 2 - I don't know what that is either. I think it was loaded with my pc.
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
ShawneeLink
ShawneeLink Internet Software
Sierra Utilities
SpeechInstaller
Speedway
SpiralFrog Download Manager 0.8.23
Spy Sweeper
Street Atlas USA
Tcl 8.0.5 for Windows
TEFView 2.65
Trend Micro AntiVirus
Trend Micro TrendProtect for Internet Explorer
Tropico Demo
truball
Ulead COOL 360 1.0
Ulead Photo Explorer 7.0 SE Platinum
Ulead Photo Express 4.0 SE
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Vocabulary for Life
Wal-Mart Music Downloads Store
War Games Virtual Warfare Demo - I don't know what that is. I think it came with my computer.
WavePad Uninstall
WildTangent Web Driver
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
jedmed
Active Member
 
Posts: 8
Joined: January 13th, 2008, 12:18 am
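
As an added example (not part of jedmed's post and not code from HijackThis or ComboFix), the parser below reads HijackThis 2.0 log entries of the shape shown above and groups them for triage the way a helper reads them: the R1 proxy setting, the O2/O3 CLSIDs, O4 Run values that name a bare executable rather than a full path, and repeated O10 LSP lines. It assumes that every entry line is '<code> - <body>' with ' - ' separating the body's fields; the sample lines are copied from the log posted above.

```python
"""Parse HijackThis 2.0 log entries into structured records for triage.

Added example: this is not code from the forum post or from HijackThis.
Assumption: every entry line has the shape '<code> - <body>', where <code>
is R0-R3, F0-F3 or O1-O24 and <body> is a run of ' - ' separated fields.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: eight lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=216.240.66.21:80
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
"""

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\Run: \[([^\]]+)\] ?(.*)$")


def parse_hjt(text):
    """Return one dict per entry line; headers, process lists and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        clsid = CLSID_RE.search(body)
        entries.append({
            "section": code,
            "body": body,
            "fields": [f.strip() for f in body.split(" - ")],
            # CLSIDs are case-insensitive; normalise so O2/O3/O16 entries compare cleanly
            "clsid": clsid.group(0).upper() if clsid else None,
        })
    return entries


def by_section(entries):
    """Group entries by their HijackThis section code (R1, O2, O4, ...)."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["section"]].append(e)
    return dict(groups)


def proxy_settings(entries):
    """Proxy servers set in R1 Internet Settings lines; a proxy the user did not
    configure routes all browser traffic through a third party, so every value
    here must be recognised or removed."""
    return [e["body"].split(" = ", 1)[1] for e in entries
            if e["section"] == "R1" and ",ProxyServer = " in e["body"]]


def _executable(command):
    """Extract the program part of a Run command (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def bare_run_commands(entries):
    """O4 Run values whose program is a bare file name rather than a full path.
    These are resolved through the search path at logon, so the file that
    actually runs has to be located and verified before the entry is trusted."""
    flagged = []
    for e in entries:
        m = RUN_RE.match(e["body"]) if e["section"] == "O4" else None
        if not m:
            continue
        exe = _executable(m.group(3))
        if exe and not any(sep in exe for sep in ("\\", "/", ":")):
            flagged.append((m.group(2), exe))
    return flagged


def repeated_entries(entries):
    """Entries listed more than once, e.g. one LSP DLL installed in several layers."""
    counts = Counter((e["section"], e["body"]) for e in entries)
    return {key: n for key, n in counts.items() if n > 1}


def triage(text):
    """One-shot summary a helper would read before deciding what to ask about."""
    entries = parse_hjt(text)
    return {
        "entries": len(entries),
        "sections": sorted(by_section(entries)),
        "proxies": proxy_settings(entries),
        "bare_run_commands": bare_run_commands(entries),
        "repeated": repeated_entries(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full log, `triage` gives the same picture a reviewer builds by eye: one proxy to account for, two Run entries (LTMSG.exe, lxamsp32.exe) to confirm by path, and the four identical O10 lines that belong to one LSP module.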

Re: I recently acquired some viruses

Unread postby Katana » January 22nd, 2008, 2:06 pm

Recovery Console
!!!!!! Warning !!!!!!.... Your log shows that Recovery Console is not installed.
Due to the threat that current and future malware poses it is vital that you have some form of recovery console.
Please visit http://www.bleepingcomputer.com/combofi ... e-combofix and follow the instructions for
Windows Recovery Console
or
Creating a bootable CD of NTFS4Dos.

It is important that you do this as soon as you can.


Congratulations your logs look clean :D

Let's see if I can help you keep it that way

First let's tidy up :D

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.
You can also delete any logs we have produced, and empty your Recycle bin.

The following is some info to help you stay safe and clean.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.nanoscan.com
http://www.pandasoftware.com/activescan ... ncipal.htm
http://www.kaspersky.com/kos/eng/partne ... bscan.html

AntiSpyware
    AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    All the programs in this list have a free version.
    It is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human-friendly name of a website. This feature can be used to block malicious websites.
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • AVG Anti-Spyware 7.5 <<< A good "realtime" or "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner
  • Ad-Aware 2007 Free <<< A good "realtime" or "on demand" scanner

Prevention
    These programs don't detect malware; they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one.
  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 3.5.1
    • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections
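
The phone-book description of the hosts file in the AntiSpyware section and the MVPS HOSTS entry above both rest on the same mechanism, so here is one added example that is not part of Katana's post or of the MVPS HOSTS project: it parses a hosts file, resolves names the way the system does (hosts first, first match wins, DNS only for unlisted names), and separates blocking entries (a name pointed at a sinkhole address such as 0.0.0.0 or 127.0.0.1, which is what a protective hosts file adds) from redirecting entries (a name pointed at a real remote address, which is what a hosts hijack looks like and what HijackThis lists as an O1 entry). The sample hosts content is constructed and uses reserved example names and addresses.

```python
"""Hosts-file lookup and triage: blocking entries versus redirecting ones.

Added example: this is not code from Katana's post or from the MVPS HOSTS
project. Assumes the standard hosts syntax ('<ip> <name> [<name> ...]',
'#' starts a comment) and that the resolver takes the first matching name.
"""
import ipaddress

# Addresses that make a name unreachable rather than sending it somewhere else.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample hosts file: the localhost entries, two blocking entries in
# the style of a blocklist, and one constructed redirect of a well-known name
# to a remote address (the pattern HijackThis reports as an O1 entry).
SAMPLE_HOSTS = """\
# constructed sample, not a real machine's hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example                          # blocking entry
127.0.0.1       tracker.example www.tracker.example  # blocking entry, two names
203.0.113.7     www.bank.example                     # redirect to a remote host
"""


def parse_hosts(text):
    """Return (ip, name) pairs in file order; comments and malformed lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address: the resolver ignores the line, so do we
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def lookup(pairs, name):
    """Resolve a name the way the hosts file does: first match wins, and None
    means 'not listed, fall through to DNS'."""
    name = name.lower()
    return next((ip for ip, n in pairs if n == name), None)


def classify(pairs):
    """Split entries into blocking (sinkhole address) and redirecting (any other).

    Blocking entries are what a protective hosts file adds; redirecting entries
    send a name to a real machine and are what a hosts hijack looks like."""
    blocking, redirecting = [], []
    for ip, name in pairs:
        if name == "localhost":
            continue  # the standard loopback entries are neither
        (blocking if ip in SINKHOLES else redirecting).append((ip, name))
    return blocking, redirecting


def block_lines(names, sinkhole="0.0.0.0"):
    """Render blocking entries for a list of names, one hosts line per name."""
    return [f"{sinkhole} {name.lower()}" for name in names]


if __name__ == "__main__":
    pairs = parse_hosts(SAMPLE_HOSTS)
    blocking, redirecting = classify(pairs)
    print("blocked names:", [n for _, n in blocking])
    print("redirected names (check these):", redirecting)
    print("ads.example ->", lookup(pairs, "ads.example"))
```

The same `classify` split is the check to run on a machine's own hosts file after installing a blocklist: every entry should land in `blocking`, and anything in `redirecting` that you did not put there yourself deserves a look.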

Internet Browsers
    Microsoft has worked hard to make IE7 a more secure browser; unfortunately, whilst it is still the leading browser of choice, it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    If you are still using IE6 then either update, or get one of the following.
    • FireFox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies
    Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can choose which cookies to keep


Also PLEASE read this article: So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: I recently acquired some viruses

Unread postby NonSuch » January 27th, 2008, 3:40 am

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California