"Symantec Endpoint Protection is turned off" bubble pops up

Post by BillyDee » January 12th, 2009, 4:30 pm

I was infected with some WoW virus through another person's jump drive. As best I could tell, the virus turned off my anti-virus software and attempted to steal tokens. After cleaning as best I could, the only remnants that were visible were that the security balloon popped up at startup saying that my virus software was turned off, and I should click the balloon to fix the problem. The balloon would go away when the virus software automatically turned itself on. Wanting to totally get rid of the virus, I reformatted and attempted to replace files/emails, etc. through CDs rather than a jump drive. The problem has reappeared. I'm trying to figure out if this is related to the earlier virus or just something that happens on many systems.

Thank you. My hijack this log is below.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:49 PM, on 1/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1769704819
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 3969 bytes
BillyDee
Active Member
 
Posts: 4
Joined: January 12th, 2009, 4:18 pm

Re: "Symantec Endpoint Protection is turned off" bubble pops up

Post by John B. » January 22nd, 2009, 11:24 am

Hi, and welcome to the Malware Removal forums.
My name is John Brouwer - if it helps, you can call me John for short. I'll be glad to help you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happens.

These rules are good for you to know:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • If you don't reply within five days after my last instructions this topic will be closed. If you will not be able to reply within five days please tell me so the topic will not be closed.

These rules are to make my voluntary work more comfortable:
  • Please be patient. The work I do is voluntary and I also have a private life (school, work, friends and hobbies).
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • Please reply to this thread. Do not start a new topic.
  • Also, don't post logs as attachments. Other helpers like to view the logs as well and opening a lot of attachments is irritating. It can also contain malware.

Finally, please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:
  • Start HijackThis
  • Click on the Open The Misc Tool Section button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Save the file to your desktop and post the contents in a reply to this topic. Also post a fresh HijackThis log.

Regards,
John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: "Symantec Endpoint Protection is turned off" bubble pops up

Post by BillyDee » January 23rd, 2009, 12:14 am

Hi John,
Thanks so much for your response. Here is my uninstall list:

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
ATLAS.ti 5.2
Broadcom Gigabit Integrated Controller
CCleaner (remove only)
Cisco Systems VPN Client 5.0.00.0340
C-Major Audio
Conexant D480 MDC V.9x Modem
Foxit Reader
Foxit Toolbar
FreeMind
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
HP Imaging Device Functions 9.0
hp LaserJet 1010 Series
HP OCR Software 9.0
HP Scanjet 2400 and 3600 series 9.0
HP Solution Center 9.0
Intel(R) Extreme Graphics 2 Driver
Intel(R) PROSet
Java(TM) 6 Update 11
Java(TM) 6 Update 7
LiveUpdate 3.3 (Symantec Corporation)
Mozilla Firefox (3.0.5)
Mozilla Thunderbird (2.0.0.19)
MSXML 4.0 SP2 (KB954430)
OpenOffice.org 3.0
Rhapsody
SecureW2 TTLS Client 3.3.2 for Windows
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960714)
SigmaTel AC97 Audio Drivers
Spybot - Search & Destroy
Symantec Endpoint Protection
Synaptics Pointing Device Driver
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Windows XP Service Pack 3
WinZip



and here is my fresh hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:02 PM, on 1/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Luke\My Documents\Unzipped\TwoFingerScroll_1_0_5\TwoFingerScroll.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Intel\NCS\Sync\NetSvc.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE
C:\WINDOWS\system32\javaw.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\OpenOffice.org 3\program\swriter.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Scientific Software\ATLASti\Program\Atlasti.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [TwoFingerScroll] C:\Documents and Settings\Luke\My Documents\Unzipped\TwoFingerScroll_1_0_5\TwoFingerScroll.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1769704819
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 6337 bytes



THANK YOU!
BillyDee
Active Member
 
Posts: 4
Joined: January 12th, 2009, 4:18 pm

Re: "Symantec Endpoint Protection is turned off" bubble pops up

Post by John B. » January 23rd, 2009, 3:29 pm

Hi,

Nothing looks wrong at first sight. Let's run another scanner.

Step 1: Disable Teatimer
Please disable Teatimer as it may interfere with the fix.
First:
  • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
  • Choose Exit Spybot S&D Resident
Second:
  • Open Spybot S&D
  • Click Mode, check Advanced Mode
  • Go To Left Panel, Click Tools, then also in left panel, click Resident
  • If your firewall raises a question, say OK
  • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Once your log is clean you can re-enable those settings in TeaTimer.

Step 2: Download and Run ComboFix
Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. For information on how to disable your anti virus program please see this:
http://www.bleepingcomputer.com/forums/topic114351.html

If you have Avast as your anti virus, an additional thing has to be changed to make ComboFix work properly:
Image

Go on with the ComboFix guide. When it opens its log, please close it.

Remember that the ComboFix log is saved here: C:\ComboFix.txt

Step 3: Post logs
Please post the following logs in a reply to this topic:
  • Let me know if you still have the initial problem
  • Fresh HijackThis log
  • ComboFix log

Regards,
John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: "Symantec Endpoint Protection is turned off" bubble pops up

Post by BillyDee » January 27th, 2009, 9:07 am

John,
Did everything that you said... Only one thing, there was no checkbox for resident tea-timer to uncheck, so I didn't do that. Spybot popped up after ComboFix was done saying that it detected changes in the registry. I allowed all except the first two, which seemed to be changing my default search page. Also, when I restarted, IE was my default browser and I had to reset it to be Firefox. Why this change?

Here is my fresh hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:03:39 AM, on 1/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Luke\My Documents\Unzipped\TwoFingerScroll_1_0_5\TwoFingerScroll.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [TwoFingerScroll] C:\Documents and Settings\Luke\My Documents\Unzipped\TwoFingerScroll_1_0_5\TwoFingerScroll.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1769704819
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 5636 bytes




and my combofix log

ComboFix 09-01-21.04 - Luke 2009-01-27 7:52:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1142.751 [GMT -5:00]
Running from: c:\documents and settings\Luke\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_006018_.tmp.dll
c:\windows\system32\_006019_.tmp.dll
c:\windows\system32\_006020_.tmp.dll
c:\windows\system32\_006021_.tmp.dll
c:\windows\system32\_006028_.tmp.dll
c:\windows\system32\_006029_.tmp.dll
c:\windows\system32\_006030_.tmp.dll
c:\windows\system32\_006031_.tmp.dll
c:\windows\system32\_006033_.tmp.dll
c:\windows\system32\_006034_.tmp.dll
c:\windows\system32\_006037_.tmp.dll
c:\windows\system32\_006038_.tmp.dll
c:\windows\system32\_006041_.tmp.dll
c:\windows\system32\_006042_.tmp.dll
c:\windows\system32\_006044_.tmp.dll
c:\windows\system32\_006047_.tmp.dll
c:\windows\system32\_006048_.tmp.dll
c:\windows\system32\_006053_.tmp.dll
c:\windows\system32\_006055_.tmp.dll
c:\windows\system32\_006058_.tmp.dll
c:\windows\system32\_006060_.tmp.dll
c:\windows\system32\_006061_.tmp.dll
c:\windows\system32\_006062_.tmp.dll
c:\windows\system32\_006063_.tmp.dll
c:\windows\system32\_006064_.tmp.dll
c:\windows\system32\_006067_.tmp.dll
c:\windows\system32\_006068_.tmp.dll
c:\windows\system32\_006069_.tmp.dll
c:\windows\system32\_006070_.tmp.dll
c:\windows\system32\_006071_.tmp.dll
c:\windows\system32\_006076_.tmp.dll
c:\windows\system32\_006078_.tmp.dll
c:\windows\system32\_006079_.tmp.dll
c:\windows\system32\w70n5msg.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-27 to 2009-01-27 )))))))))))))))))))))))))))))))
.

2009-01-27 07:15 . 2009-01-27 07:15 <DIR> d-------- c:\program files\Roxio
2009-01-27 07:14 . 2009-01-27 07:15 <DIR> d-------- c:\program files\Common Files\Adaptec Shared
2009-01-27 07:04 . 2009-01-27 07:04 57,344 --a------ c:\windows\uneng.exe
2009-01-23 18:51 . 2009-01-24 13:18 <DIR> d-------- c:\documents and settings\Luke\Application Data\Move Networks
2009-01-23 14:32 . 2009-01-23 14:32 <DIR> d-------- c:\program files\SystemRequirementsLab
2009-01-23 14:31 . 2009-01-23 14:32 <DIR> d-------- c:\documents and settings\Luke\Application Data\SystemRequirementsLab
2009-01-23 09:45 . 2009-01-23 09:45 <DIR> d-------- c:\documents and settings\Luke\Application Data\InterVideo
2009-01-23 09:44 . 2009-01-23 09:44 <DIR> d-------- c:\program files\InterVideo
2009-01-16 10:28 . 2009-01-16 10:28 <DIR> d-------- c:\program files\MSXML 4.0
2009-01-16 10:28 . 2009-01-16 10:28 45,056 --a------ c:\windows\NCUNINST.EXE
2009-01-16 00:18 . 2001-08-17 13:47 12,928 --a------ c:\windows\system32\drivers\Dot4Prt.sys
2009-01-16 00:18 . 2001-08-17 13:47 12,928 --a--c--- c:\windows\system32\dllcache\dot4prt.sys
2009-01-16 00:17 . 2008-04-13 13:39 206,976 --a------ c:\windows\system32\drivers\Dot4.sys
2009-01-16 00:17 . 2008-04-13 13:39 206,976 --a--c--- c:\windows\system32\dllcache\dot4.sys
2009-01-16 00:17 . 2001-08-17 13:47 23,808 --a------ c:\windows\system32\drivers\Dot4usb.sys
2009-01-16 00:17 . 2001-08-17 13:47 23,808 --a--c--- c:\windows\system32\dllcache\dot4usb.sys
2009-01-16 00:15 . 2009-01-16 00:15 <DIR> d-------- c:\program files\Common Files\SWF Studio
2009-01-16 00:15 . 2009-01-16 00:18 245,691 --a------ c:\windows\hplj1010.his
2009-01-16 00:15 . 2009-01-16 00:18 17,542 --a------ c:\windows\hplj1010.ini
2009-01-16 00:11 . 2009-01-16 00:11 <DIR> d-------- C:\lj1010seriesprintsys
2009-01-15 14:15 . 2009-01-15 14:15 <DIR> d-------- c:\program files\SecureW2
2009-01-15 14:15 . 2009-01-15 14:15 <DIR> d-------- c:\program files\Penn Netapps 2007
2009-01-14 22:50 . 2009-01-14 22:50 <DIR> d-------- c:\program files\Synaptics
2009-01-14 22:50 . 2008-10-16 16:19 231,808 --a------ c:\windows\system32\drivers\SynTP.sys
2009-01-14 22:50 . 2008-10-16 16:23 200,704 --a------ c:\windows\system32\SynCtrl.dll
2009-01-14 22:50 . 2008-10-16 16:22 163,840 --a------ c:\windows\system32\SynCOM.dll
2009-01-14 22:50 . 2008-10-16 16:38 155,648 --a------ c:\windows\system32\SynTPAPI.dll
2009-01-14 22:50 . 2008-10-16 16:57 114,688 --a------ c:\windows\system32\SynTPCo4.dll
2009-01-14 11:41 . 2009-01-14 11:41 <DIR> d-------- c:\windows\Sun
2009-01-14 11:24 . 2009-01-14 11:24 <DIR> d-------- c:\program files\Softi Software
2009-01-14 11:24 . 2009-01-14 11:24 <DIR> d-------- c:\documents and settings\Luke\Application Data\Softi Software
2009-01-14 10:55 . 2009-01-14 11:01 <DIR> d-------- C:\UniScan
2009-01-14 10:55 . 2007-01-17 02:19 438,272 -ra------ c:\windows\system32\hp2436co.dll
2009-01-14 10:55 . 2008-04-13 13:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-01-14 10:55 . 2008-04-13 13:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-01-14 10:53 . 2009-01-14 10:53 <DIR> d-------- c:\documents and settings\Luke\Application Data\HP
2009-01-14 10:52 . 2009-01-14 10:52 <DIR> d-------- c:\program files\Common Files\HP
2009-01-14 10:51 . 2009-01-14 10:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-01-14 10:51 . 2009-01-14 10:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2009-01-14 10:50 . 2009-01-14 10:51 <DIR> d-------- c:\program files\HP
2009-01-14 10:50 . 2009-01-16 00:17 <DIR> d-------- c:\program files\Hewlett-Packard
2009-01-14 10:50 . 2009-01-14 10:50 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2009-01-14 10:47 . 2009-01-14 10:53 127,736 --a------ c:\windows\hpgins24.dat
2009-01-14 10:47 . 2007-04-23 12:04 308 --------- c:\windows\hpgmdl24.dat
2009-01-13 22:04 . 2009-01-26 12:33 4,197,414 --a------ c:\windows\pfirewall.log.old
2009-01-13 15:36 . 2009-01-13 15:36 <DIR> d-------- c:\program files\AskBarDis
2009-01-13 15:35 . 2009-01-13 15:35 <DIR> d-------- c:\documents and settings\Luke\Application Data\Foxit
2009-01-13 08:09 . 2009-01-13 08:09 <DIR> d-------- c:\documents and settings\Luke\Application Data\OpenOffice.org
2009-01-13 07:59 . 2009-01-13 07:59 <DIR> d-------- c:\program files\OpenOffice.org 3
2009-01-13 07:59 . 2009-01-13 07:59 <DIR> d-------- c:\program files\JRE
2009-01-13 07:58 . 2009-01-13 07:58 <DIR> d-------- c:\program files\Common Files\Java
2009-01-12 18:40 . 2009-01-12 18:40 <DIR> d-------- c:\program files\CCleaner
2009-01-12 18:27 . 2009-01-12 18:28 <DIR> d-------- c:\program files\Symantec
2009-01-12 18:27 . 2007-03-21 20:33 503,808 --a------ c:\windows\system32\MSVCP71.DLL
2009-01-12 18:27 . 2007-03-21 20:33 348,160 --a------ c:\windows\system32\MSVCR71.DLL
2009-01-12 18:27 . 2009-01-12 18:28 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-12 18:27 . 2009-01-12 18:28 60,800 --a------ c:\windows\system32\S32EVNT1.DLL
2009-01-12 18:27 . 2009-01-12 18:28 10,563 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-12 18:27 . 2009-01-12 18:28 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-01-12 18:26 . 2009-01-12 18:32 <DIR> d-------- c:\program files\Symantec Endpoint Protection
2009-01-12 15:35 . 2009-01-12 16:40 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-12 15:35 . 2009-01-12 16:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-12 15:13 . 2009-01-12 15:13 <DIR> d-------- c:\program files\Trend Micro
2009-01-12 13:42 . 2009-01-12 14:45 <DIR> d-------- c:\program files\Foxit Software
2009-01-12 12:53 . 2009-01-12 14:47 <DIR> d-------- c:\documents and settings\Luke\Application Data\.purple
2009-01-12 12:52 . 2009-01-24 15:47 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-01-12 12:52 . 2009-01-12 14:47 <DIR> d-------- c:\program files\Pidgin
2009-01-12 12:51 . 2009-01-12 12:51 <DIR> d-------- c:\program files\Common Files\GTK
2009-01-12 12:48 . 2009-01-12 12:50 <DIR> d-------- c:\program files\Common Files\Real
2009-01-12 12:47 . 2008-10-15 20:00 666,112 -----c--- c:\windows\system32\dllcache\wininet.dll
2009-01-12 12:47 . 2008-12-11 05:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-01-12 12:47 . 2008-06-13 06:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-01-12 12:47 . 2008-08-14 05:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys
2009-01-12 12:46 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-12 12:46 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-12 12:46 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2009-01-12 12:46 . 2008-10-15 20:00 1,499,136 -----c--- c:\windows\system32\dllcache\shdocvw.dll
2009-01-12 12:46 . 2008-10-15 20:00 619,520 -----c--- c:\windows\system32\dllcache\urlmon.dll
2009-01-12 12:45 . 2008-12-12 12:01 3,067,904 -----c--- c:\windows\system32\dllcache\mshtml.dll
2009-01-12 12:45 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-12 12:45 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-12 12:45 . 2008-04-11 14:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-01-12 12:45 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-01-12 12:45 . 2008-05-01 09:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-01-12 12:45 . 2008-05-08 09:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2009-01-12 12:44 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2009-01-12 12:44 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-01-12 12:42 . 2008-04-13 19:12 221,184 --a------ c:\windows\system32\wmpns.dll
2009-01-12 12:38 . 2009-01-12 13:18 <DIR> d-------- c:\program files\Rhapsody
2009-01-12 12:34 . 2009-01-12 12:34 <DIR> d-------- c:\documents and settings\Luke\Application Data\Scientific Software
2009-01-12 12:33 . 2009-01-12 12:33 <DIR> d-------- c:\program files\Scientific Software
2009-01-12 12:33 . 2009-01-12 12:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Scientific Software
2009-01-12 12:29 . 2009-01-12 12:29 <DIR> d-------- c:\windows\system32\scripting
2009-01-12 12:29 . 2009-01-12 12:29 <DIR> d-------- c:\windows\system32\en
2009-01-12 12:29 . 2009-01-12 12:29 <DIR> d-------- c:\windows\l2schemas
2009-01-12 11:56 . 2008-09-09 20:14 1,307,648 --------- c:\windows\system32\msxml6.dll
2009-01-12 11:55 . 2006-10-18 21:47 991,744 -----c--- c:\windows\system32\dllcache\drmv2clt.dll
2009-01-12 11:20 . 2009-01-21 10:59 <DIR> d-------- c:\documents and settings\Luke\.freemind
2009-01-12 11:18 . 2009-01-12 11:18 <DIR> d-------- c:\program files\FreeMind
2009-01-12 11:10 . 2009-01-13 07:59 <DIR> d-------- c:\program files\Java
2009-01-12 11:10 . 2009-01-12 11:10 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-12 11:10 . 2009-01-12 11:10 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-12 10:53 . 2009-01-27 07:33 <DIR> d-------- c:\program files\Mozilla Thunderbird
2009-01-12 10:53 . 2009-01-12 10:53 <DIR> d-------- c:\documents and settings\Luke\Application Data\Thunderbird
2009-01-12 10:53 . 2009-01-12 10:53 <DIR> d-------- c:\documents and settings\Luke\Application Data\Talkback
2009-01-12 10:47 . 2009-01-12 10:47 0 --a------ c:\windows\nsreg.dat
2009-01-12 10:25 . 2009-01-24 15:47 316,640 --a------ c:\windows\WMSysPr9.prx
2009-01-12 10:24 . 2009-01-12 10:24 <DIR> d-------- c:\windows\provisioning
2009-01-12 10:24 . 2009-01-12 12:29 <DIR> d-------- c:\windows\peernet
2009-01-12 10:21 . 2009-01-12 12:31 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-12 10:13 . 2009-01-12 12:10 <DIR> d-------- c:\windows\EHome
2009-01-12 10:01 . 2002-04-15 21:11 67,866 --------- c:\windows\system32\drivers\netwlan5.img
2009-01-12 10:01 . 2008-04-14 05:42 11,264 --------- c:\windows\system32\spnpinst.exe
2009-01-12 10:01 . 2004-08-02 14:20 7,208 --------- c:\windows\system32\secupd.sig
2009-01-12 10:01 . 2004-08-02 14:20 4,569 --------- c:\windows\system32\secupd.dat
2009-01-12 09:43 . 2009-01-12 18:30 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-01-12 09:43 . 2009-01-12 18:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-01-12 09:43 . 2007-03-21 20:39 1,060,864 --a------ c:\windows\system32\MFC71.DLL
2009-01-12 09:38 . 2009-01-23 00:39 <DIR> d-------- c:\windows\Internet Logs
2009-01-12 09:38 . 2009-01-12 09:38 <DIR> d-------- c:\program files\Common Files\Deterministic Networks
2009-01-12 09:38 . 2009-01-12 09:38 <DIR> d-------- c:\program files\Cisco Systems
2009-01-12 09:38 . 2007-01-31 13:45 127,376 --a------ c:\windows\system32\drivers\dne2000.sys
2009-01-12 09:38 . 2007-01-31 13:45 101,904 --a------ c:\windows\system32\dneinobj.dll
2009-01-12 09:38 . 2009-01-12 09:38 1,593 --a------ c:\windows\VPNInstall.MIF
2009-01-12 09:34 . 2009-01-12 09:34 <DIR> d-ah----- c:\program files\Penn Netapps 2008

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-27 12:15 30,630 ----a-w c:\windows\system32\drivers\Mmc_2k.sys
2009-01-27 12:15 25,898 ----a-w c:\windows\system32\drivers\Dvd_2k.sys
2009-01-27 12:15 206,464 ----a-w c:\windows\system32\drivers\udfreadr_xp.sys
2009-01-27 12:15 143,834 ----a-w c:\windows\system32\drivers\pwd_2K.sys
2009-01-23 14:44 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-12 17:28 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-12 14:09 --------- d-----w c:\program files\SigmaTel
2009-01-12 14:00 --------- d-----w c:\program files\Intel
2009-01-12 13:59 --------- d-----w c:\program files\Broadcom
2009-01-12 13:58 --------- d-----w c:\program files\CONEXANT
2009-01-12 13:44 --------- d-----w c:\program files\microsoft frontpage
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"TwoFingerScroll"="c:\documents and settings\Luke\My Documents\Unzipped\TwoFingerScroll_1_0_5\TwoFingerScroll.exe" [2008-10-23 305664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmaTel StacMon"="c:\program files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [2004-04-29 90169]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 86016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-12-18 115560]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-10-16 1347584]
"MP10_EnsureFileVer"="c:\windows\inf\unregmp2.exe" [2008-04-13 208896]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-12 06:55 110592 c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-02-25 16:38 118784 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-03-11 21:34 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-02-25 16:42 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
--a------ 2002-12-16 16:51 36864 c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-01-12 11:10 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
--a------ 2003-03-31 19:28 155648 c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-12 99376]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-12-18 23888]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Symantec Antvirus


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\documents and settings\Luke\Application Data\Mozilla\Firefox\Profiles\lqsz8882.default\
FF - plugin: c:\documents and settings\Luke\Application Data\Mozilla\Firefox\Profiles\lqsz8882.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071102000005.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-27 07:54:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1332)
c:\windows\System32\LgNotify.dll
.
Completion time: 2009-01-27 7:56:25
ComboFix-quarantined-files.txt 2009-01-27 12:56:09

Pre-Run: 24,459,042,816 bytes free
Post-Run: 24,844,783,616 bytes free

274 --- E O F --- 2009-01-27 12:39:10


thanks
Luke
BillyDee
Active Member
 
Posts: 4
Joined: January 12th, 2009, 4:18 pm

Re: "Symantec Endpoint Protection is turned off" bubble pops up

Unread postby John B. » January 28th, 2009, 11:57 am

Hi,

BillyDee wrote: "I allowed all except the first two which seemed to be changing my default search page. Also, when I restarted, IE was my default browser and I had to reset it to be Firefox. Why this change?"

ComboFix is a pretty aggressive program and sometimes it changes things which 'could' be a vulnerability for computer novices. These things, like the ones you mentioned, are very easy to change back. If you really want to know why it does this, I can ask the developer of the tool. The tool did find some things, so you haven't run it for nothing.

Why didn't you install the Recovery Console? With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Step 1: Upload malware for scanning
I'd like you to check a file for malware.
C:\WINDOWS\inf\unregmp2.exe

  • Copy/Paste the file into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Save the complete results in a Notepad/Word document on your desktop.

Step 2: Download and Run ComboFix
Download a new version of ComboFix from one of these locations:
Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System
Download the file & save it as it's originally named.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.


  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you. Close it for now. This will also be saved at C:\ComboFix.txt

Step 3: Reboot computer
Just to make sure ComboFix is totally done, reboot your computer another time.

Step 4: Run CCleaner
CCleaner will remove everything from the temp/temporary folders but please note that it will not make backups!
  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
  • Then select the items you wish to clean up.
    • In the Windows Tab:
      • Clean all entries in the Internet Explorer section except Cookies
      • Clean all the entries in the Windows Explorer section
      • Clean all entries in the System section
      • Clean all entries in the Advanced section
      • Clean any others that you choose
    • In the Applications Tab:
      • Clean all except cookies in the Firefox/Mozilla section if you use it
      • Clean all in the Opera section if you use it
      • Clean Sun Java in the Internet Section
      • Clean any others that you choose
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK and it will scan and clean your system.
  • Click exit when done.
  • If it asks you to reboot at the end, click NO
CCleaner should be run with the above settings for each User Account!

Step 5: Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Close the Notepad file.
  • The log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Step 6: Post logs
Please post the following logs in a reply to this topic (use multiple posts if needed):
  • Let me know how your computer is running now and if your problems are solved
  • Fresh HijackThis log
  • VirusTotal/Jotti log
  • ComboFix log
  • MalwareBytes' Anti-Malware log

Regards,
John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: "Symantec Endpoint Protection is turned off" bubble pops up

Unread postby BillyDee » January 30th, 2009, 9:23 am

Hi,
Didn't install the recovery console because I don't need it. I've got everything backed up on CD so would rather not take the extra chance of connecting while my virus software is down. Will probably install later but would rather do it from Microsoft site rather than having another program do that for me.
I did the virustotal check on that file, the log file is here:

File unregmp2.exe received on 12.08.2008 18:17:47 (CET)
Current status: finished
Result: 0/36 (0.00%)
Antivirus Version Last Update Result
AhnLab-V3 2008.12.6.0 2008.12.06 -
AntiVir 7.9.0.42 2008.12.08 -
Authentium 5.1.0.4 2008.12.08 -
Avast 4.8.1281.0 2008.12.08 -
AVG 8.0.0.199 2008.12.07 -
BitDefender 7.2 2008.12.07 -
CAT-QuickHeal 10.00 2008.12.08 -
ClamAV 0.94.1 2008.12.07 -
Comodo 708 2008.12.08 -
DrWeb 4.44.0.09170 2008.12.07 -
eSafe 7.0.17.0 2008.12.08 -
eTrust-Vet 31.6.6246 2008.12.05 -
Ewido 4.0 2008.12.07 -
F-Prot 4.4.4.56 2008.12.04 -
Fortinet 3.117.0.0 2008.12.07 -
GData 19 2008.12.07 -
Ikarus T3.1.1.45.0 2008.12.08 -
K7AntiVirus 7.10.548 2008.12.08 -
Kaspersky 7.0.0.125 2008.12.07 -
McAfee 5456 2008.12.06 -
McAfee+Artemis 5456 2008.12.06 -
Microsoft 1.4205 2008.12.08 -
NOD32 3670 2008.12.08 -
Norman 5.80.02 2008.12.05 -
Panda 9.0.0.4 2008.12.07 -
PCTools 4.4.2.0 2008.12.08 -
Prevx1 V2 2008.12.08 -
Rising 21.07.02.00 2008.12.08 -
SecureWeb-Gateway 6.7.6 2008.12.08 -
Sophos 4.36.0 2008.12.07 -
Sunbelt 3.1.1832.2 2008.12.01 -
Symantec 10 2008.12.07 -
TheHacker 6.3.1.2.179 2008.12.06 -
TrendMicro 8.700.0.1004 2008.12.08 -
ViRobot 2008.12.6.1504 2008.12.06 -
VirusBuster 4.5.11.0 2008.12.08 -
Additional information
File size: 208896 bytes
MD5...: 0a429c99cae89cbd00d0451a5402c3a1
SHA1..: 2abf1ea432480317c6e0e97def9e1bba76c6160d
SHA256: 056a7c104a68827bf26b92d5978d8df4abc31bdc8da70f96e723adef17aaf00e
SHA512: 035098f050ba8846281cf3dd5a711fae6d9994a098fcecc0e45c2169f09bfe79
852a324110e213bde75bf86e20ffc32d34728ffa2868792755594184115d59ee
ssdeep: 3072:xtkwP3n314oNx0iJKmmzuVaVvOTwl/lAwSLRjhRx/hrulRBTH7PLC6m:x+w
P3nzql/uNRjhR7uRB71
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x101641e
timedatestamp.....: 0x4802530e (Sun Apr 13 18:38:06 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2cb22 0x2d000 5.94 10fe5df729f9c429fef09b24e70a9687
.data 0x2e000 0x362c 0x1000 3.19 7c99287d6e7d460c411ff44b84066d39
.rsrc 0x32000 0x3de8 0x4000 3.52 04550e582ff0b4648af6103d057b58be

( 9 imports )
> msvcrt.dll: iswalnum, strstr, strchr, memmove, malloc, _itow, _wtol, strncpy, iswalpha, _wtoi, _vsnprintf, _wcsicmp, wcslen, __3@YAXPAX@Z, __2@YAPAXI@Z, wcsstr, wcsrchr, _wcslwr, _wcsupr, strncat, wcsncmp, _wcsnicmp, wcschr, wcscmp, mbstowcs, free, wcsncat, wcsncpy, swscanf, _onexit, __dllonexit, _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _cexit, _XcptFilter, _exit, _c_exit, _vsnwprintf
> ADVAPI32.dll: RegCreateKeyExW, RegEnumKeyExW, RegEnumKeyExA, RegQueryValueExW, RegSetValueExW, RegSetValueExA, RegQueryInfoKeyW, RegQueryInfoKeyA, RegOpenKeyExW, RegDeleteValueW, RegDeleteValueA, RegDeleteKeyW, RegDeleteKeyA, RegEnumValueW, RegEnumValueA, RegEnumKeyW, RegEnumKeyA, RegCreateKeyExA, SetNamedSecurityInfoW, GetSecurityDescriptorControl, GetSecurityDescriptorDacl, RegCloseKey, RegOpenKeyExA, RegQueryValueExA
> KERNEL32.dll: CreateProcessW, CreateProcessA, GetShortPathNameW, GetShortPathNameA, GetWindowsDirectoryW, GetCurrentThreadId, CreateFileMappingW, CreateFileMappingA, GetVersionExW, WritePrivateProfileStringW, WritePrivateProfileStringA, SetFileAttributesW, SetFileAttributesA, IsBadWritePtr, MoveFileW, MoveFileA, MoveFileExW, MoveFileExA, LoadLibraryExW, LoadLibraryExA, LoadLibraryA, GetTempPathW, GetTempPathA, GetPrivateProfileStringW, GetPrivateProfileStringA, lstrcpynW, GetModuleHandleW, GetFileAttributesW, GetCurrentDirectoryW, GetCurrentDirectoryA, FindNextFileW, FindNextFileA, FindFirstFileW, FindFirstFileA, GetProfileStringA, GetProfileStringW, GetSystemDirectoryA, ExpandEnvironmentStringsW, ExpandEnvironmentStringsA, DeleteFileW, DeleteFileA, CreateFileW, CreateDirectoryW, CopyFileW, CopyFileA, lstrlenW, MultiByteToWideChar, WideCharToMultiByte, WriteFile, MapViewOfFile, UnmapViewOfFile, GetTickCount, QueryPerformanceCounter, FreeLibrary, FindClose, GetSystemTimeAsFileTime, FileTimeToSystemTime, GetLastError, GetModuleHandleA, GetProcAddress, SetLastError, LocalFree, GetSystemDirectoryW, RemoveDirectoryA, RemoveDirectoryW, SetCurrentDirectoryA, SetCurrentDirectoryW, WriteProfileStringA, WriteProfileStringW, GetStartupInfoA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, LoadLibraryW, GetCurrentProcessId, CloseHandle, GetFileAttributesA, GetVersionExA, GetTimeZoneInformation, GetFileTime, GetExitCodeProcess, WaitForMultipleObjects, GetCommandLineW, GetFileSize, CreateFileA, GetWindowsDirectoryA, CreateDirectoryA, SetEndOfFile, SetFilePointer
> ole32.dll: CoCreateGuid, CoUninitialize, CoInitialize, OleUninitialize, OleInitialize, CoCreateInstance, StringFromGUID2
> OLEAUT32.dll: -, -
> SHELL32.dll: SHGetSpecialFolderLocation, SHChangeNotify, SHGetPathFromIDListA, ShellExecuteA, ShellExecuteW, SHGetSpecialFolderPathA, SHGetMalloc
> SHLWAPI.dll: PathRemoveBlanksW, PathAppendW, PathRemoveFileSpecW, PathIsDirectoryW
> USER32.dll: LoadStringA, LoadStringW, PostMessageA, PostMessageW, RegisterWindowMessageA, SendMessageA, IsWindow, CharNextA
> VERSION.dll: VerQueryValueW, GetFileVersionInfoSizeA, GetFileVersionInfoW, GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeW

( 0 exports )


As for the anti-malware program, it would help me to know a little bit more about what I'm doing, or what the purpose of installing another program is. Forgive me for being cautious!


Thank you so much for your help, I really appreciate it.
BillyDee
Active Member
 
Posts: 4
Joined: January 12th, 2009, 4:18 pm
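An added example, not written by either poster: the report above is dated 12.08.2008 while the post is from January 30th, 2009, so what ties it to the file on this machine is the size and hashes, not the upload. The sketch below parses the `MP10_EnsureFileVer` Run entry from the ComboFix log and the report fields, then compares them with a locally computed hash set. The function names are hypothetical, and reading `12.08.2008` as month.day.year (in line with the engines' 2008.12.08 update dates) is an assumption.

```python
import hashlib
import re
from datetime import date, datetime, timezone

# Lines copied from the ComboFix log and the VirusTotal report posted in this thread.
COMBOFIX_RUN = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-12-18 115560]
"MP10_EnsureFileVer"="c:\windows\inf\unregmp2.exe" [2008-04-13 208896]
'''
VT_REPORT = '''
File unregmp2.exe received on 12.08.2008 18:17:47 (CET)
Result: 0/36 (0.00%)
File size: 208896 bytes
MD5...: 0a429c99cae89cbd00d0451a5402c3a1
SHA1..: 2abf1ea432480317c6e0e97def9e1bba76c6160d
SHA256: 056a7c104a68827bf26b92d5978d8df4abc31bdc8da70f96e723adef17aaf00e
timedatestamp.....: 0x4802530e (Sun Apr 13 18:38:06 2008)
'''

RUN_LINE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*"(?P<path>[^"]+)"\s*'
    r'\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]',
    re.M,
)
COMPARED = ("size", "md5", "sha1", "sha256")


def parse_run_entries(log):
    """Map each autostart value name to its path, file date and byte size."""
    return {
        m["name"]: {
            "path": m["path"].lower(),
            "date": date.fromisoformat(m["date"]),
            "size": int(m["size"]),
        }
        for m in RUN_LINE.finditer(log)
    }


def parse_vt_report(text):
    """Extract the fields of the text report that identify the scanned file."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        if m is None:
            raise ValueError(f"report field not found: {pattern}")
        return m.groups()

    name, month, day, year = grab(
        r"^File (\S+) received on (\d{2})\.(\d{2})\.(\d{4})")
    hits, engines = grab(r"^Result: (\d+)/(\d+)")
    stamp = grab(r"^timedatestamp\.+: (0x[0-9a-fA-F]+)")[0]
    report = {
        "name": name.lower(),
        # Assumption: the date is month.day.year.
        "received": date(int(year), int(month), int(day)),
        "detections": (int(hits), int(engines)),
        "size": int(grab(r"^File size: (\d+) bytes")[0]),
        # The PE header timestamp is seconds since the Unix epoch, in UTC.
        "pe_timestamp": datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc),
    }
    for label in ("md5", "sha1", "sha256"):
        report[label] = grab(rf"^{label.upper()}\.*: ([0-9a-f]+)$")[0]
    return report


def hash_file(path, chunk=1 << 20):
    """Size and MD5/SHA1/SHA256 of a local file, read in chunks."""
    digests = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256")}
    size = 0
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            size += len(block)
            for d in digests.values():
                d.update(block)
    return {"size": size, **{n: d.hexdigest() for n, d in digests.items()}}


def mismatches(local, report):
    """Fields on which the local file and the report disagree (empty = same file)."""
    return [f for f in COMPARED if local.get(f) != report.get(f)]


def log_entry_matches(entry, report):
    """Pre-check from the logs alone: same file name and same byte size."""
    return (entry["path"].endswith("\\" + report["name"])
            and entry["size"] == report["size"])


if __name__ == "__main__":
    entry = parse_run_entries(COMBOFIX_RUN)["MP10_EnsureFileVer"]
    report = parse_vt_report(VT_REPORT)
    print("log entry consistent with report:", log_entry_matches(entry, report))
    print("report received:", report["received"], "result:", report["detections"])
    # On the machine itself, the decisive check is:
    #   mismatches(hash_file(r"C:\WINDOWS\inf\unregmp2.exe"), report) == []
```

A name and size match from the logs is only a pre-check; an empty `mismatches` result on the file itself is what shows the 0/36 result applies to it.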

Re: "Symantec Endpoint Protection is turned off" bubble pops up

Unread postby John B. » January 31st, 2009, 6:44 am

Hi,

BillyDee wrote: "Didn't install the recovery console because I don't need it. I've got everything backed up on CD so would rather not take the extra chance of connecting while my virus software is down. Will probably install later but would rather do it from Microsoft site rather than having another program do that for me."

As you can see from my above post, it is actually downloaded from the Microsoft site but just helps you install it nice and easily. Anyway, it is your choice and I will have to respect that.

BillyDee wrote: "As for the anti-malware program, it would help me to know a little bit more about what I'm doing, or what the purpose of installing another program is. Forgive me for being cautious!"

Not a problem at all, better be too cautious than not cautious enough. From your installed programs list I saw that you only have Norton and Spybot S&D installed. As you probably know, there is no anti-malware/virus program that catches everything and your programs are even ones that catch a little less than some others.

ComboFix is one of the programs, although a dangerous one which should only be used under supervision, which really catches a lot. You could have seen that from the log because it found some malicious things which were not caught by your programs earlier. MalwareBytes' Anti-Malware is another very popular program at the moment. This is used by lots and lots of people, also without supervision. The developers are part of this malware removal community, just like the developer of ComboFix, and update their program a lot. That is why I thought we'd run one more scanner to see if everything is really gone, keeping in mind that ComboFix will also not be able to catch everything.

If you do not want to install MalwareBytes' Anti-Malware, which really is a good program for prevention of future infection as well, you can also run Kaspersky Online Scanner. You will only need to download its definitions (file with list of infections) and you can just run it online.

If you want to run MalwareBytes' Anti-Malware:
Step 1: Run CCleaner
CCleaner will remove everything from the temp/temporary folders but please note that it will not make backups!
  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
  • Then select the items you wish to clean up.
    • In the Windows Tab:
      • Clean all entries in the Internet Explorer section except Cookies
      • Clean all the entries in the Windows Explorer section
      • Clean all entries in the System section
      • Clean all entries in the Advanced section
      • Clean any others that you choose
    • In the Applications Tab:
      • Clean all except cookies in the Firefox/Mozilla section if you use it
      • Clean all in the Opera section if you use it
      • Clean Sun Java in the Internet Section
      • Clean any others that you choose
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK and it will scan and clean your system.
  • Click exit when done.
  • If it asks you to reboot at the end, click NO
CCleaner should be run with the above settings for each User Account!

Step 2: Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Close the Notepad file.
  • The log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Step 3: Post log
Post the MBAM log together with some information on any problems you still have.


For Kaspersky Online Scanner:
Step 1: Run CCleaner
CCleaner will remove everything from the temp/temporary folders but please note that it will not make backups!
  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
  • Then select the items you wish to clean up.
    • In the Windows Tab:
      • Clean all entries in the Internet Explorer section except Cookies
      • Clean all the entries in the Windows Explorer section
      • Clean all entries in the System section
      • Clean all entries in the Advanced section
      • Clean any others that you choose
    • In the Applications Tab:
      • Clean all except cookies in the Firefox/Mozilla section if you use it
      • Clean all in the Opera section if you use it
      • Clean Sun Java in the Internet Section
      • Clean any others that you choose
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK and it will scan and clean your system.
  • Click exit when done.
  • If it asks you to reboot at the end, click NO
CCleaner should be run with the above settings for each User Account!

Step 2: Run Kaspersky Online Scan
Please go to Kaspersky website to perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to your desktop by changing the Files of type to Text file (.txt) before clicking on the Save button.
  • Now close the window.

Step 3: Post log
Post the MBAM log together with some information on any problems you still have.


Regards,
John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: "Symantec Endpoint Protection is turned off" bubble pops up

Unread postby Elrond » February 5th, 2009, 2:27 pm

Due to lack of response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem