Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Hijackthis notepad info. Malware problems

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Hijackthis notepad info. Malware problems

Unread postby gem » January 11th, 2008, 8:38 pm

This is a copy of the hijackthis notepad. I hope this is the correct item to post.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:07:05, on 12/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MPS\mps.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 944\memcard.exe"
O4 - HKLM\..\Run: [PCMM2007RT] "C:\Program Files\PC MightyMax 2007\pcmm2007.exe" /R
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - (no file)
O9 - Extra 'Tools' menuitem: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - (no file)
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.15-3.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9616893832
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/M ... loader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15033/CTPID.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: dlcd_device - - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 11947 bytes

I am getting pop ups trying to sell ringtones, games, fake windows messages and the like.
I have been infected with adaware-hotbar, RemAdmin-pskill and microbillsystems.
I have run the Mcafee scanner, adaware free scanner, windows defender and I still get the pop ups.
I also can't remove antivirus pro (I think this is a false programme) and when I boot the pc up there is an error message asking me to run a programme 'ctfmona.exe' is the name.
CELLDORADO is a name that pops up offering ringtones.
I think I got the Microbill system when I downloaded games for my kid and I have had email wanting money.
If you can offer any suggestions then I would be grateful.
Gem
gem
Regular Member
 
Posts: 17
Joined: January 11th, 2008, 8:12 pm
Advertisement
Register to Remove

Re: Hijackthis notepad info. Malware problems

Unread postby Bob4 » January 15th, 2008, 9:19 am

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So lets do this to the end!

  • All hijackthis logs I ask for should be done in normal mode ( not safe mode)
  • These logs should be done last after you have followed my instructions in the previous post.


Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!

________________________________

Go to
Start/control panel/add remove programs ;
And Uninstall

My web search
PC MightyMax 2007 << rogue program.


This one was listed once as a rogue program but is no longer.
SpyNoMore
In my opinion there are better choices out there. I'll leave it to you weather to keep it or not.


______________________________
HJT
Run hijackthis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [PCMM2007RT] "C:\Program Files\PC MightyMax 2007\pcmm2007.exe" /R
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O9 - Extra button: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - (no file)
O9 - Extra 'Tools' menuitem: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - (no file)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.15-3.cab

_____________________________


Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\ctfmona.exe

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
  • Close OTMoveIt
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")


_________________________________



______________________________

Download and install CCleaner from here


If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.

  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Reset Temp File Removal for Regular Use.
    Click on the Options block on the left. Select the Advanced button.
    Check "Only delete files in Windows Temp folders older than 48 hours".


    Now run the program and click on Run Cleaner
    ( Do not use the Registry function to clean anything with this program. Having anything auto clean your regisrty is risky).


AVG Anti-Spyware:
________________________________________
Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open. Do not run a scan yet.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).



    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    • Open up AVG anti Malware
Please set up the program as follows:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Do not automatically generate reports.
    • Under What to scan? - Select Scan every file.
Close all open windows.
  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
  • Make sure that Set all elements to: shows Quarantine
  • Important: Click on the Apply all Actions button (*** This must done before saving the report ***)
  • When the program has finished, it will display the message All actions have been applied.
  • Then click the Save Scan Report button.
  • Click the Save Report as button.
  • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
  • Reboot in normal mode.
_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from OTMOVEIT
  • The report from AVG anti Spyware
  • Is your McAfee up to date with a subscription ?

User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Hijackthis notepad info. Malware problems

Unread postby gem » January 16th, 2008, 8:32 pm

Hi there,
Thanks for looking in to this problem.
The OTMOVEIT could not locate the file you highlighted.
I have a years subscription with Mcafee and it is up to date.
I had uninstalled mcafee and run the free Kaspersky scanner and it found a few problems. I have installed the free month trial with this and this is the result of the scan;
It detected the file you asked me to try in the moveit programme(ctfmona...) and I think this is how it could not be found.
SCANNER REPORT
Monday, January 14, 2008 9:01:11 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/01/2008
Kaspersky Anti-Virus database records: 511384


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\STEWAR~1\LOCALS~1\Temp\

Scan Statistics
Total number of scanned objects 24916
Number of viruses found 5
Number of infected objects 11
Number of suspicious objects 0
Duration of the scan process 00:34:59

Infected Object Name Virus Name Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt Object is locked skipped

C:\WINDOWS\Motive\btbb\UninstallHelper.exe/WISE0004.BIN Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped

C:\WINDOWS\Motive\btbb\UninstallHelper.exe WiseSFX: infected - 1 skipped

C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{09D70B02-264C-4672-9322-415C78CB52F8}.crmlog Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{4554B088-70A2-470B-B58A-31B17E7CA9F3}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped

C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped

C:\WINDOWS\system32\config\OSession.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\Windows_OneCare_Evt.evt Object is locked skipped

C:\WINDOWS\system32\ctfmona.exe Infected: Trojan.Win32.Agent.dnv skipped

C:\WINDOWS\system32\f3PSSavr.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\mcafee_QC8qpOgHBzPIrCC Object is locked skipped

C:\WINDOWS\Temp\NSIS_Install_igb.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.NaviPromo.ce skipped

C:\WINDOWS\Temp\NSIS_Install_igb.exe/stream Infected: not-a-virus:AdWare.Win32.NaviPromo.ce skipped

C:\WINDOWS\Temp\NSIS_Install_igb.exe NSIS: infected - 2 skipped

C:\WINDOWS\Temp\Perflib_Perfdata_568.dat Object is locked skipped

C:\WINDOWS\Temp\TMP00000036B39A39E8B920D51C Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\DOCUME~1\STEWAR~1\LOCALS~1\Temp\.tt17A.tmp/stream/data0011 Infected: not-a-virus:FraudTool.Win32.AntiVirPro.b skipped

C:\DOCUME~1\STEWAR~1\LOCALS~1\Temp\.tt17A.tmp/stream/data0013 Infected: not-a-virus:FraudTool.Win32.AntiVirPro.b skipped

C:\DOCUME~1\STEWAR~1\LOCALS~1\Temp\.tt17A.tmp/stream Infected: not-a-virus:FraudTool.Win32.AntiVirPro.b skipped

C:\DOCUME~1\STEWAR~1\LOCALS~1\Temp\.tt17A.tmp NSIS: infected - 3 skipped

C:\DOCUME~1\STEWAR~1\LOCALS~1\Temp\JET353F.tmp Object is locked skipped

C:\DOCUME~1\STEWAR~1\LOCALS~1\Temp\~DFE961.tmp Object is locked skipped

Scan process completed.
This is the AVG report;
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 00:54:40 16/01/2008

+ Scan result:



C:\Documents and Settings\Wendy Clark\Cookies\wendy_clark@7search[2].txt -> TrackingCookie.7search : No action taken.
C:\Documents and Settings\Wendy Clark\Cookies\wendy_clark@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : No action taken.
C:\Documents and Settings\Stewart Gemmell\Cookies\stewart_gemmell@adrevolver[1].txt -> TrackingCookie.Adrevolver : No action taken.
C:\Documents and Settings\Stewart Gemmell\Cookies\stewart_gemmell@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Stewart Gemmell\Cookies\stewart_gemmell@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : No action taken.


::Report end

I ran a new scan and there was nothing found.
This is the new HJT log;
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:29:29, on 17/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\documents and settings\stewart gemmell\local settings\application data\srlhfqi.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 944\memcard.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [srlhfqi] c:\documents and settings\stewart gemmell\local settings\application data\srlhfqi.exe srlhfqi
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9616893832
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/M ... loader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15033/CTPID.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9761 bytes
I hope this helps.
I still get the CELDORADO and false windows warnings popping up frequently. They happen whenever I open my browser and happen every 30 seconds or so.
Thanks,
Gem
gem
Regular Member
 
Posts: 17
Joined: January 11th, 2008, 8:12 pm

Re: Hijackthis notepad info. Malware problems

Unread postby Bob4 » January 16th, 2008, 9:25 pm

______________________________
HJT
Run hijackthis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked

O4 - HKCU\..\Run: [srlhfqi] c:\documents and settings\stewart gemmell\local settings\application data\srlhfqi.exe srlhfqi





_____________________________________________
1. Download Combo fix from one of these locations.
* IMPORTANT !!! Place combofix.exe on your Desktop

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

2. Click start/run and copy and Paste this in exactly using the picture below for reference:

"%userprofile%\desktop\combofix.exe" /killall


Image

3. Combo will begin to run DO NOTING while this is happeneing.
  • It will kill a few processes and disconnect you from the internet.
  • If by chance it stops prematurly you can re-establish your internet connection by restarting your computer.
  • This needs to be done so the program can work most efficiently for you.
Do not attempt to use the internet or anything else while it's doing its job for you.

If when it's completed you can not get on the internet just reboot the computer

Post the log from comboFix for me located in
c:\comboFix.txt





_____________________________________________
You need to update SunJava for security reasons.
Updating Java:
Download the latest version of
Java Runtime Environment (JRE) 6 Update 4

  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 4
    ... allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the Image icon next to it.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe
    to install the newest version.



_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from ComboFix

User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Hijackthis notepad info. Malware problems

Unread postby gem » January 17th, 2008, 7:56 pm

This is the combo fix log;
ComboFix 08-01-18.1 - Stewart Gemmell 2008-01-18 22:28:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1512 [GMT 0:00]
Running from: C:\Documents and Settings\Stewart Gemmell\desktop\combofix.exe
Command switches used :: /killall

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-17 22:07 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-15 23:36 . 2008-01-15 23:36 <DIR> d-------- C:\Documents and Settings\Stewart Gemmell\Application Data\Grisoft
2008-01-15 23:36 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-15 23:30 . 2008-01-16 10:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-14 21:09 . 2008-01-14 21:09 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-14 21:09 . 2008-01-14 21:09 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-14 21:08 . 2008-01-14 21:08 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-14 21:08 . 2008-01-18 22:37 6,470,944 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-14 21:08 . 2008-01-18 22:34 87,716 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-14 21:08 . 2008-01-18 22:37 36,640 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-14 21:08 . 2008-01-18 22:34 4,412 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-14 20:05 . 2008-01-14 20:05 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-14 20:05 . 2008-01-18 22:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-13 22:54 . 2008-01-13 22:54 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-13 22:54 . 2008-01-13 22:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-10 22:38 . 2008-01-10 22:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-10 22:25 . 2008-01-10 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-09 22:26 . 2008-01-09 22:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-01-09 21:03 . 2008-01-09 21:03 <DIR> d-------- C:\Documents and Settings\Wendy Clark\Application Data\Anti-Virus-Pro.com
2008-01-09 20:32 . 2008-01-09 20:33 125 --a------ C:\ioSpecial.ini
2008-01-09 19:59 . 2008-01-09 19:59 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-09 00:39 . 2008-01-09 20:09 <DIR> d-------- C:\Program Files\Error Expert
2008-01-08 20:33 . 2008-01-09 15:08 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-08 02:40 . 2008-01-09 00:17 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-08 00:35 . 2008-01-10 01:41 <DIR> d-------- C:\Program Files\AntiVirusPro
2008-01-08 00:35 . 2008-01-08 00:35 <DIR> d-------- C:\Documents and Settings\Stewart Gemmell\Application Data\Anti-Virus-Pro.com
2008-01-08 00:34 . 2008-01-08 00:34 269,334 --a------ C:\WINDOWS\system32\lgjmp.bmp
2008-01-08 00:20 . 2008-01-09 00:28 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-08 00:14 . 2008-01-08 00:14 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2008-01-08 00:01 . 2008-01-08 00:01 72,423 --a------ C:\bfu.zip
2008-01-07 23:57 . 2008-01-07 23:58 3,011 --a------ C:\BFU.bfu
2008-01-07 23:55 . 2007-10-28 15:46 75,776 --a------ C:\Documents and Settings\Stewart Gemmell\BFU.exe
2008-01-04 22:41 . 2008-01-04 22:41 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-01-04 22:41 . 2008-01-04 22:41 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-01-03 13:40 . 2008-01-03 15:26 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-03 13:38 . 2008-01-03 13:38 <DIR> d-------- C:\Program Files\bfgclient
2008-01-03 13:38 . 2008-01-03 13:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2007-12-28 00:51 . 2008-01-04 18:59 738 --a------ C:\WINDOWS\system32\D4F87A2D.inf
2007-12-25 23:36 . 2007-12-25 23:36 <DIR> d-------- C:\Program Files\Live_TV
2007-12-25 15:35 . 2007-12-25 17:08 <DIR> d-------- C:\Program Files\PC MightyMax 2007
2007-12-18 00:44 . 2007-12-18 00:44 219,664 --a------ C:\WINDOWS\system32\klogon.dll
2007-12-18 00:43 . 2007-12-18 00:43 23,396 --a------ C:\WINDOWS\system32\drivers\klopp.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 10:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-15 21:40 --------- d-----w C:\Program Files\Napster
2008-01-14 23:43 --------- d-----w C:\Program Files\Dl_cats
2008-01-14 22:41 --------- d-----w C:\Program Files\Common Files\McAfee
2008-01-14 22:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-14 22:40 --------- d-----w C:\Program Files\McAfee.com
2008-01-14 22:40 --------- d-----w C:\Program Files\McAfee
2008-01-09 22:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-08 00:03 --------- d-----w C:\Documents and Settings\Stewart Gemmell\Application Data\Yahoo!
2007-12-27 00:08 --------- d-----w C:\Program Files\Dell Photo AIO Printer 944
2007-12-13 21:43 --------- d-----w C:\Documents and Settings\Stewart Gemmell\Application Data\Sonic
2007-12-13 13:28 24,592 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
2007-12-12 23:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-10 21:20 --------- d--h--w C:\Program Files\Creative Installation Information
2007-12-10 21:20 --------- d-----w C:\Program Files\Creative
2007-12-10 21:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-10 21:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2007-11-29 00:47 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 1
2007-11-27 19:33 --------- d-----w C:\Program Files\BT Broadband Desktop Help
2007-11-26 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
2007-05-21 18:43 6,376 ----a-w C:\Documents and Settings\All Users\Application Data\ypinfo.bin
2007-03-18 08:54 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-3-18-2007_8-54-37_3706041.dnp
2007-03-18 08:50 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item2-3-18-2007_8-49-55_2757251.dnp
2007-03-18 08:49 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item1-3-18-2007_8-48-45_5731338.dnp
2006-06-21 07:54 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-18_22.21.31.84 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-07-15 01:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3988\_aspnet_isapi.dll
+ 2004-07-15 00:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3988\_CORPerfMonExt.dll
+ 2004-07-15 00:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3988\_fusion.dll
+ 2004-07-15 00:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3988\_mscorjit.dll
+ 2004-07-15 14:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3988\_mscorlib.dll
+ 2003-02-20 19:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3988\_mscorsn.dll
+ 2004-07-15 00:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3988\_mscorsvr.dll
+ 2004-07-15 00:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3988\_mscorwks.dll
+ 2003-02-21 04:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3988\_msvcr71.dll
+ 2004-07-15 00:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3988\_PerfCounter.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 11:03 868352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 11:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 18:25 49152]
"DLCDCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2006-02-24 15:12 73728]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"dlcdmon.exe"="C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-07-22 19:45 430080]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 944\memcard.exe" [2005-06-27 17:05 282624]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2007-10-31 15:32 2250104]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-12-18 00:43 227856]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]

C:\Documents and Settings\Stewart Gemmell\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-07-01 20:47:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Broadband Desktop Help.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Broadband Desktop Help.lnk
backup=C:\WINDOWS\pss\Broadband Desktop Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
backup=C:\WINDOWS\pss\BT Broadband Desktop Help.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digimax Viewer 2.1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digimax Viewer 2.1.lnk
backup=C:\WINDOWS\pss\Digimax Viewer 2.1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VersionBackup.lnk]
backup=C:\WINDOWS\pss\VersionBackup.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VersionBackup.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--------- 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-02-21 22:26 43008 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp]
--a--c--- 2006-11-30 10:51 935936 C:\Program Files\btbb_wcm\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 17:23 102400 C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-10 11:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--------- 2005-08-08 06:10 16384 C:\WINDOWS\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSVolFE]
-----c--- 2005-02-23 15:57 57344 C:\Program Files\Creative\Mixer\CTSVolFE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
--------- 2007-07-17 11:03 868352 C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--------- 2005-08-08 06:10 18944 C:\WINDOWS\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-08-28 20:57 395776 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
-----c--- 2005-05-31 04:33 122941 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlcdmon.exe]
--a------ 2005-07-22 19:45 430080 C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-04-28 13:34 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-06-21 21:10 168960 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
-----c--- 2005-06-17 07:56 139264 C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--------- 2004-07-27 16:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--------- 2004-07-27 16:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 15:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaPipe P2P Loader]
C:\Program Files\p2pnetworks\mpp2pl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2006-05-24 13:20 458839 C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MskAgentexe]
C:\Program Files\McAfee\MSK\MskAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 16:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
--a------ 2007-01-12 18:36 323216 C:\Program Files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--------- 2005-07-08 18:57 7110656 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Booster]
--------- 2005-12-28 10:39 5967942 C:\Program Files\inKline Global\PC Booster\pcbooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2006-12-12 00:36 366400 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-22 22:46 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
--a------ 2006-05-17 23:38 208941 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Toolkit]
C:\Program Files\Registry Toolkit\RegToolkit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer]
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-05-17 23:38 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
-----c--- 2005-07-11 11:34 122880 C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Registry Repair Pro]
--a------ 2005-09-08 19:49 1363968 C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XPRepairPro2007]
C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--------- 2005-08-31 17:11 2478080 C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YPC]
--------- 2005-06-03 16:32 352256 C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]
c:\program files\zango\zango.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SandraTheSrv"=3 (0x3)
"SandraDataSrv"=3 (0x3)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"IAANTMon"=2 (0x2)
"dlcd_device"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"WZCSVC"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"Netman"=3 (0x3)
"mnmsrvc"=3 (0x3)
"YPCService"=3 (0x3)
"MSK80Service"=2 (0x2)
"McSysmon"=2 (0x2)
"McShield"=2 (0x2)
"McRedirector"=2 (0x2)
"McrdSvc"=2 (0x2)
"McProxy"=2 (0x2)
"mcpromgr"=2 (0x2)
"McODS"=2 (0x2)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
"mcmispupdmgr"=3 (0x3)
"McAfee HackerWatch Service"=2 (0x2)
"Symantec Core LC"=3 (0x3)
"SiteAdvisor Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
"Windows Media Player"=C:\Program Files\Windows Media Player\wmplayer.exe
"Run a DLL as an App"=C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\Yahoo!\Common\ymmapi.dll,OpenInboxHandler
"Run a DLL as an App606"=C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\Yahoo!\Common\ymmapi.dll,OpenInboxHandler
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"YBrowser"=C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
"YPC"=C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe
"dlcdmon.exe"="C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"UpdReg"=C:\WINDOWS\UpdReg.EXE
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

R0 hotcore;hotcore;C:\WINDOWS\system32\drivers\hotcore.sys [2005-04-29 00:47]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" [2007-02-10 05:29]
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R3 Bonifay;Bonifay;C:\WINDOWS\system32\DRIVERS\Bonifay.sys [2005-01-13 14:22]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2005-08-08 05:54]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys [2001-08-17 13:05]
S4 dlcd_device;dlcd_device;C:\WINDOWS\system32\dlcdcoms.exe [2007-01-16 22:34]

*Newly Created Service* - AD-WATCH_REAL-TIME_SCANNER
*Newly Created Service* - AD-WATCH_REGISTRY_FILTER
.
Contents of the 'Scheduled Tasks' folder
"2006-06-07 14:44:54 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-01-11 18:30:01 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (OWNER-21BA3FD68-Administrator).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-06-06 19:19:59 C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job"
- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe%Scan -RestrictPrivileges -ScanType 1
"2008-01-18 22:38:20 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 22:36:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-18 22:43:09 - machine was rebooted [Stewart Gemmell]
ComboFix-quarantined-files.txt 2008-01-18 22:43:04
ComboFix2.txt 2008-01-18 22:22:18
.
2008-01-18 22:34:05 --- E O F ---

This in the latest HJT log;
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:52:15, on 18/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 944\memcard.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9616893832
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/M ... loader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15033/CTPID.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9471 bytes
.
Thanks for the help so far.
I have not had any of the pop ups since I followed the latest actions.

Should I remove the Kaspersky(month trial), windows defender, Ad-aware and AVG anti-spy then re-install Mcafee as my computer is going a bit slow?

Thanks,
Gem
gem
Regular Member
 
Posts: 17
Joined: January 11th, 2008, 8:12 pm

Re: Hijackthis notepad info. Malware problems

Unread postby Bob4 » January 17th, 2008, 10:10 pm

________________________________

Go to
Start/control panel/add remove programs ;
And Uninstall

Anti Virus Pro



________________________________________
Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\Temp\NSIS_Install_igb.exe
C:\documents and settings\stewart gemmell\Temp\.tt17A.tmp
c:\documents and settings\stewart gemmell\local settings\application data\srlhfqi.exe




NOTE: This script was done for this user specifically.
DO NOT ATTEMPT TO USE IT IF YOU ARE NOT THIS USER
YOU WILL HURT THE WORKINGS OF YOUR COMPUTER !!
.

Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:ComboFix.txt which I will need in your next reply.



_______________________________________________



Go to start /run and type in Msconfig. Hit enter.
Go to the services tab

Look through that for me and make sure anything related to McAfee is turned on by placing a check mark next to it. Having these turned off/altered is not advisable.

Here's what I see that has been altered by you or Malware.

MSK80Service
McSysmon
McShield
McRedirector
McrdSvc
McProxy
mcpromgr
McODS
McNASvc
mcmscsvc
mcmispupdmgr
McAfee HackerWatch Service
SiteAdvisor Service


______________________________________________


You may remove kasperskys if you like. It was intended that you did an online scan was all. Not install it. So many directions it's easy to misread something.
You may also remove anything you think is slowing your PC down through add/remove programs.

BE SURE you have McAfee reinstalled.
DO NOT REMOVE anything else I have asked you to download yet.


_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from ComboFix
  • Does your McAfee have a firewall ?
  • How are things running.?
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Hijackthis notepad info. Malware problems

Unread postby Bob4 » January 20th, 2008, 8:48 pm

Still with me ?
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Hijackthis notepad info. Malware problems

Unread postby gem » January 21st, 2008, 4:07 am

Stil here. Will run through your suggestions on Monday. Been very busy over the weekend.
Thanks for your patience.
Gem
gem
Regular Member
 
Posts: 17
Joined: January 11th, 2008, 8:12 pm

Re: Hijackthis notepad info. Malware problems

Unread postby gem » January 21st, 2008, 7:32 pm

I can't find Anti Virus Pro on the change/remove list. It appears in the All Programs list in the start menu but I tried to uninstall it here and all that happens is a box appears stating that 'AVP has encountered a problem and needs to close.'
What do you mean by 'notepad' What programme is this?
I have reinstalled Mcafee and ticked all the boxes in the services list.
I have Mcafee firewall running.
The pc seems to be fine with the odd slowdown. So far I have not had any more popups.
gem
Regular Member
 
Posts: 17
Joined: January 11th, 2008, 8:12 pm

Re: Hijackthis notepad info. Malware problems

Unread postby Bob4 » January 21st, 2008, 7:59 pm

Don't worry about win anti virus pro. It's probably gone already . ;)

Note pad Is actually a text document. This can be done a few different ways. I will show you 2.

right click anywhere in an empty area on the desktop and choose
new/text document. A new document will appear on your desktop.
double click to open and copy and past the following into it.

This is going to remove a few more bad files and should help improve your comp some.

File::
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\Temp\NSIS_Install_igb.exe
C:\documents and settings\stewart gemmell\Temp\.tt17A.tmp
c:\documents and settings\stewart gemmell\local settings\application data\srlhfqi.exe




NOTE: This script was done for this user specifically.
DO NOT ATTEMPT TO USE IT IF YOU ARE NOT THIS USER
YOU WILL HURT THE WORKINGS OF YOUR COMPUTER !!
.

Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:ComboFix.txt which I will need in your next reply.
_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from comboFix
  • Things improved ?
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Hijackthis notepad info. Malware problems

Unread postby gem » January 21st, 2008, 8:27 pm

This is the CF log;
ComboFix 08-01-18.1 - Stewart Gemmell 2008-01-23 0:14:33.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1304 [GMT 0:00]
Running from: C:\Documents and Settings\Stewart Gemmell\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Stewart Gemmell\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
c:\documents and settings\stewart gemmell\local settings\application data\srlhfqi.exe
C:\documents and settings\stewart gemmell\Temp\.tt17A.tmp
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\Temp\NSIS_Install_igb.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.

2008-01-19 09:40 . 2008-01-22 23:17 1,406 --a------ C:\WINDOWS\system32\Config.MPF
2008-01-19 09:38 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-01-19 09:37 . 2006-12-22 16:02 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-19 09:37 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-01-19 09:37 . 2006-12-22 16:02 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-01-19 09:37 . 2006-12-22 16:02 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-01-19 09:37 . 2006-12-22 16:02 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-01-19 09:37 . 2006-12-22 16:02 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-01-19 09:10 . 2008-01-22 18:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-19 09:10 . 2008-01-19 09:10 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-19 00:29 . 2008-01-19 00:29 <DIR> d-------- C:\Program Files\Dell Support
2008-01-19 00:29 . 2004-08-11 16:48 1,458,176 --a------ C:\WINDOWS\system32\qdiagd.ocx
2008-01-19 00:29 . 2004-07-14 12:50 184,320 --a------ C:\WINDOWS\system32\GTDownDE_87.ocx
2008-01-19 00:29 . 2004-06-14 13:26 19,033 --a------ C:\WINDOWS\system32\DAntivirus.cfg
2008-01-19 00:29 . 2004-06-17 11:56 7,626 --a------ C:\WINDOWS\system32\GPCIEnu.sys
2008-01-19 00:29 . 2004-06-09 14:31 6,144 --a------ C:\WINDOWS\system32\DLPT.sys
2008-01-18 23:41 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-18 23:40 . 2008-01-18 23:40 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-17 22:07 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-15 23:36 . 2008-01-15 23:36 <DIR> d-------- C:\Documents and Settings\Stewart Gemmell\Application Data\Grisoft
2008-01-15 23:36 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-15 23:30 . 2008-01-16 10:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-14 21:08 . 2008-01-14 21:08 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-13 22:54 . 2008-01-13 22:54 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-13 22:54 . 2008-01-13 22:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-10 22:38 . 2008-01-10 22:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-10 22:25 . 2008-01-10 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-09 22:26 . 2008-01-09 22:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-01-09 21:03 . 2008-01-09 21:03 <DIR> d-------- C:\Documents and Settings\Wendy Clark\Application Data\Anti-Virus-Pro.com
2008-01-09 20:32 . 2008-01-09 20:33 125 --a------ C:\ioSpecial.ini
2008-01-09 19:59 . 2008-01-09 19:59 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-09 00:39 . 2008-01-09 20:09 <DIR> d-------- C:\Program Files\Error Expert
2008-01-08 20:33 . 2008-01-19 00:21 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-08 02:40 . 2008-01-09 00:17 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-08 00:35 . 2008-01-10 01:41 <DIR> d-------- C:\Program Files\AntiVirusPro
2008-01-08 00:35 . 2008-01-08 00:35 <DIR> d-------- C:\Documents and Settings\Stewart Gemmell\Application Data\Anti-Virus-Pro.com
2008-01-08 00:34 . 2008-01-08 00:34 269,334 --a------ C:\WINDOWS\system32\lgjmp.bmp
2008-01-08 00:20 . 2008-01-09 00:28 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-08 00:14 . 2008-01-08 00:14 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2008-01-08 00:01 . 2008-01-08 00:01 72,423 --a------ C:\bfu.zip
2008-01-07 23:57 . 2008-01-07 23:58 3,011 --a------ C:\BFU.bfu
2008-01-07 23:55 . 2007-10-28 15:46 75,776 --a------ C:\Documents and Settings\Stewart Gemmell\BFU.exe
2008-01-04 22:41 . 2008-01-04 22:41 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-01-04 22:41 . 2008-01-04 22:41 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-01-03 13:40 . 2008-01-03 15:26 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-28 00:51 . 2008-01-04 18:59 738 --a------ C:\WINDOWS\system32\D4F87A2D.inf
2007-12-25 23:36 . 2007-12-25 23:36 <DIR> d-------- C:\Program Files\Live_TV
2007-12-25 15:35 . 2007-12-25 17:08 <DIR> d-------- C:\Program Files\PC MightyMax 2007

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-22 08:02 --------- d-----w C:\Program Files\McAfee
2008-01-19 09:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-19 09:38 --------- d-----w C:\Program Files\Common Files\McAfee
2008-01-19 09:37 --------- d-----w C:\Program Files\McAfee.com
2008-01-19 01:08 --------- d-----w C:\Program Files\Dl_cats
2008-01-18 23:41 --------- d-----w C:\Program Files\Java
2008-01-16 10:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-15 21:40 --------- d-----w C:\Program Files\Napster
2008-01-09 22:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-08 00:03 --------- d-----w C:\Documents and Settings\Stewart Gemmell\Application Data\Yahoo!
2007-12-27 00:08 --------- d-----w C:\Program Files\Dell Photo AIO Printer 944
2007-12-13 21:43 --------- d-----w C:\Documents and Settings\Stewart Gemmell\Application Data\Sonic
2007-12-12 23:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-10 21:20 --------- d--h--w C:\Program Files\Creative Installation Information
2007-12-10 21:20 --------- d-----w C:\Program Files\Creative
2007-12-10 21:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-10 21:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2007-11-29 00:47 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 1
2007-11-27 19:33 --------- d-----w C:\Program Files\BT Broadband Desktop Help
2007-11-26 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-05-21 18:43 6,376 ----a-w C:\Documents and Settings\All Users\Application Data\ypinfo.bin
2007-03-18 08:54 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-3-18-2007_8-54-37_3706041.dnp
2007-03-18 08:50 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item2-3-18-2007_8-49-55_2757251.dnp
2007-03-18 08:49 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item1-3-18-2007_8-48-45_5731338.dnp
2006-06-21 07:54 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-18_22.21.31.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-17 22:07:34 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-23 00:14:14 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-17 22:07:34 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-23 00:14:14 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-17 22:07:34 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-23 00:14:14 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-17 22:07:34 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-23 00:14:14 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-17 22:07:34 5,292,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-23 00:14:15 5,193,728 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-17 22:07:34 241,664 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-23 00:14:15 270,336 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2004-07-15 01:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3988\_aspnet_isapi.dll
+ 2004-07-15 00:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3988\_CORPerfMonExt.dll
+ 2004-07-15 00:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3988\_fusion.dll
+ 2004-07-15 00:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3988\_mscorjit.dll
+ 2004-07-15 14:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3988\_mscorlib.dll
+ 2003-02-20 19:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3988\_mscorsn.dll
+ 2004-07-15 00:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3988\_mscorsvr.dll
+ 2004-07-15 00:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3988\_mscorwks.dll
+ 2003-02-21 04:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3988\_msvcr71.dll
+ 2004-07-15 00:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3988\_PerfCounter.dll
+ 2004-07-15 01:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4548\_aspnet_isapi.dll
+ 2004-07-15 00:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4548\_CORPerfMonExt.dll
+ 2004-07-15 00:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4548\_fusion.dll
+ 2004-07-15 00:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4548\_mscorjit.dll
+ 2004-07-15 14:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4548\_mscorlib.dll
+ 2003-02-20 19:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4548\_mscorsn.dll
+ 2004-07-15 00:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4548\_mscorsvr.dll
+ 2004-07-15 00:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4548\_mscorwks.dll
+ 2003-02-21 04:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4548\_msvcr71.dll
+ 2004-07-15 00:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4548\_PerfCounter.dll
+ 2004-07-15 01:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4604\_aspnet_isapi.dll
+ 2004-07-15 00:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4604\_CORPerfMonExt.dll
+ 2004-07-15 00:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4604\_fusion.dll
+ 2004-07-15 00:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4604\_mscorjit.dll
+ 2004-07-15 14:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4604\_mscorlib.dll
+ 2003-02-20 19:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4604\_mscorsn.dll
+ 2004-07-15 00:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4604\_mscorsvr.dll
+ 2004-07-15 00:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4604\_mscorwks.dll
+ 2003-02-21 04:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4604\_msvcr71.dll
+ 2004-07-15 00:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4604\_PerfCounter.dll
+ 2004-07-15 01:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4968\_aspnet_isapi.dll
+ 2004-07-15 00:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4968\_CORPerfMonExt.dll
+ 2004-07-15 00:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4968\_fusion.dll
+ 2004-07-15 00:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4968\_mscorjit.dll
+ 2004-07-15 14:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4968\_mscorlib.dll
+ 2003-02-20 19:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4968\_mscorsn.dll
+ 2004-07-15 00:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4968\_mscorsvr.dll
+ 2004-07-15 00:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4968\_mscorwks.dll
+ 2003-02-21 04:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4968\_msvcr71.dll
+ 2004-07-15 00:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4968\_PerfCounter.dll
- 2008-01-17 20:53:29 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-19 09:08:43 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-17 20:53:29 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-19 09:08:43 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-17 20:53:29 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-19 09:08:43 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-06-09 07:29:56 6,977 ----a-w C:\WINDOWS\system32\DDMI2.sys
+ 2004-06-09 08:29:56 6,977 ----a-w C:\WINDOWS\system32\DDMI2.sys
- 2005-11-10 11:27:06 49,248 ------w C:\WINDOWS\system32\java.exe
+ 2007-12-14 00:57:22 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-11-10 11:27:16 49,250 ------w C:\WINDOWS\system32\javaw.exe
+ 2007-12-14 00:57:24 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-11-10 13:03:54 127,078 ------w C:\WINDOWS\system32\javaws.exe
+ 2007-12-14 01:59:16 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 11:03 868352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 11:00 15360]
"DellSupport"="C:\PROGRA~1\DELLSU~2\DSAgnt.exe" [2004-07-19 07:51 306688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 18:25 49152]
"DLCDCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2006-02-24 15:12 73728]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 944\memcard.exe" [2005-06-27 17:05 282624]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2007-10-31 15:32 2250104]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 17:30 152144]

C:\Documents and Settings\Stewart Gemmell\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-07-01 20:47:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Broadband Desktop Help.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Broadband Desktop Help.lnk
backup=C:\WINDOWS\pss\Broadband Desktop Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
backup=C:\WINDOWS\pss\BT Broadband Desktop Help.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digimax Viewer 2.1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digimax Viewer 2.1.lnk
backup=C:\WINDOWS\pss\Digimax Viewer 2.1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VersionBackup.lnk]
backup=C:\WINDOWS\pss\VersionBackup.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VersionBackup.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--------- 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-02-21 22:26 43008 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp]
--a--c--- 2006-11-30 10:51 935936 C:\Program Files\btbb_wcm\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 17:23 102400 C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-10 11:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--------- 2005-08-08 06:10 16384 C:\WINDOWS\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSVolFE]
-----c--- 2005-02-23 15:57 57344 C:\Program Files\Creative\Mixer\CTSVolFE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
--------- 2007-07-17 11:03 868352 C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--------- 2005-08-08 06:10 18944 C:\WINDOWS\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2004-07-19 07:51 306688 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
-----c--- 2005-05-31 04:33 122941 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlcdmon.exe]
--a------ 2005-07-22 19:45 430080 C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-04-28 13:34 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-06-21 21:10 168960 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
-----c--- 2005-06-17 07:56 139264 C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--------- 2004-07-27 16:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--------- 2004-07-27 16:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 15:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaPipe P2P Loader]
C:\Program Files\p2pnetworks\mpp2pl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2006-05-24 13:20 458839 C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MskAgentexe]
--a------ 2007-01-17 17:30 152144 C:\Program Files\McAfee\MSK\MskAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 16:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
--a------ 2007-01-12 18:36 323216 C:\Program Files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--------- 2005-07-08 18:57 7110656 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Booster]
--------- 2005-12-28 10:39 5967942 C:\Program Files\inKline Global\PC Booster\pcbooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2006-12-12 00:36 366400 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-22 22:46 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
--a------ 2006-05-17 23:38 208941 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Toolkit]
C:\Program Files\Registry Toolkit\RegToolkit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer]
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-05-17 23:38 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
-----c--- 2005-07-11 11:34 122880 C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Registry Repair Pro]
--a------ 2005-09-08 19:49 1363968 C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XPRepairPro2007]
C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--------- 2005-08-31 17:11 2478080 C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YPC]
--------- 2005-06-03 16:32 352256 C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]
c:\program files\zango\zango.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SandraTheSrv"=3 (0x3)
"SandraDataSrv"=3 (0x3)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"IAANTMon"=2 (0x2)
"dlcd_device"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"WZCSVC"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"Netman"=3 (0x3)
"mnmsrvc"=3 (0x3)
"YPCService"=3 (0x3)
"McrdSvc"=2 (0x2)
"Symantec Core LC"=3 (0x3)
"SiteAdvisor Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
"Windows Media Player"=C:\Program Files\Windows Media Player\wmplayer.exe
"Run a DLL as an App"=C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\Yahoo!\Common\ymmapi.dll,OpenInboxHandler
"Run a DLL as an App606"=C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\Yahoo!\Common\ymmapi.dll,OpenInboxHandler
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"YBrowser"=C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
"YPC"=C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe
"dlcdmon.exe"="C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"UpdReg"=C:\WINDOWS\UpdReg.EXE
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

R0 hotcore;hotcore;C:\WINDOWS\system32\drivers\hotcore.sys [2005-04-29 00:47]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" [2007-02-10 05:29]
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2005-08-08 05:54]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys [2001-08-17 13:05]
S4 dlcd_device;dlcd_device;C:\WINDOWS\system32\dlcdcoms.exe [2007-01-16 22:34]

*Newly Created Service* - AD-WATCH_REGISTRY_FILTER
.
Contents of the 'Scheduled Tasks' folder
"2006-06-07 14:44:54 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-01-11 18:30:01 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (OWNER-21BA3FD68-Administrator).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-01-19 09:37:33 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-01-19 09:37:32 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-06-06 19:19:59 C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job"
- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe%Scan -RestrictPrivileges -ScanType 1
"2008-01-22 19:00:02 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 00:18:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-23 0:19:08
ComboFix-quarantined-files.txt 2008-01-23 00:19:05
ComboFix2.txt 2008-01-18 22:43:09
ComboFix3.txt 2008-01-18 22:22:18
.
2008-01-22 20:01:55 --- E O F ---

Here's the HJT log;
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:21:57, on 23/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\DELLSU~2\DSAgnt.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 944\memcard.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~2\DSAgnt.exe" /startup
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9616893832
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/M ... loader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15033/CTPID.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 10973 bytes
Have I done your requests correct as I can still see a file with 'WINDOWS\system32\ctfmona.exe' at 04
So far the pc seems great! You are a genious!!!
Does it look clear now?
Gem
gem
Regular Member
 
Posts: 17
Joined: January 11th, 2008, 8:12 pm

Re: Hijackthis notepad info. Malware problems

Unread postby Bob4 » January 21st, 2008, 9:36 pm

you wrote: I can still see a file with 'WINDOWS\system32\ctfmona.exe' at 04


Look again please.
I think you see this

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

Which is safe.

________________________________________
Two last things to do:
We are going to use combofix twice now in 2 different ways. After you do the first one it will create a report as will the second one.
Save them both to your desktop as default names given so I can see both logs, once in a while people get confused with all these logs.
I know I do !.


______________________________________________________
We now suggest that you install the Windows Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem
after an attempted removal of malware.


Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Image

Download the file & save it as it's originally named, to your desktop along with ComboFix.exe.


Image


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted,
agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open.
Please post the contents of that log .

Please do not reboot your machine until we have reviewed the log.





________________________________________
Open notepad and copy/paste the text in the quotebox below into it:


File::

C:\Documents and Settings\Wendy Clark\Application Data\Anti-Virus-Pro.com
C:\Program Files\AntiVirusPro
C:\Documents and Settings\Stewart Gemmell\Application Data\Anti-Virus-Pro.com



NOTE: This script was done for this user specifically.
DO NOT ATTEMPT TO USE IT IF YOU ARE NOT THIS USER
YOU WILL HURT THE WORKINGS OF YOUR COMPUTER !!
.

Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:ComboFix.txt which I will need in your next reply.


___________________________________________






_________________________
In your next reply I would like to see:
  • The report from combofix (CF_RC.txt)
  • The report from combofix
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Hijackthis notepad info. Malware problems

Unread postby gem » January 23rd, 2008, 5:39 pm

This is the first save;
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=5
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

I will post the second in a moment.
gem
Regular Member
 
Posts: 17
Joined: January 11th, 2008, 8:12 pm

Re: Hijackthis notepad info. Malware problems

Unread postby gem » January 23rd, 2008, 6:00 pm

This is the second saved log;

ComboFix 08-01-18.1 - Stewart Gemmell 2008-01-24 21:40:02.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1454 [GMT 0:00]
Running from: C:\Documents and Settings\Stewart Gemmell\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Stewart Gemmell\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.

2008-01-24 21:30 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-24 21:30 . 2008-01-22 17:58 209 --a------ C:\Boot.bak
2008-01-19 09:40 . 2008-01-24 21:07 3,990 --a------ C:\WINDOWS\system32\Config.MPF
2008-01-19 09:38 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-01-19 09:37 . 2006-12-22 16:02 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-19 09:37 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-01-19 09:37 . 2006-12-22 16:02 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-01-19 09:37 . 2006-12-22 16:02 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-01-19 09:37 . 2006-12-22 16:02 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-01-19 09:37 . 2006-12-22 16:02 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-01-19 09:10 . 2008-01-24 21:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-19 09:10 . 2008-01-19 09:10 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-19 00:29 . 2008-01-19 00:29 <DIR> d-------- C:\Program Files\Dell Support
2008-01-19 00:29 . 2004-08-11 16:48 1,458,176 --a------ C:\WINDOWS\system32\qdiagd.ocx
2008-01-19 00:29 . 2004-07-14 12:50 184,320 --a------ C:\WINDOWS\system32\GTDownDE_87.ocx
2008-01-19 00:29 . 2004-06-14 13:26 19,033 --a------ C:\WINDOWS\system32\DAntivirus.cfg
2008-01-19 00:29 . 2004-06-17 11:56 7,626 --a------ C:\WINDOWS\system32\GPCIEnu.sys
2008-01-19 00:29 . 2004-06-09 14:31 6,144 --a------ C:\WINDOWS\system32\DLPT.sys
2008-01-18 23:41 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-18 23:40 . 2008-01-18 23:40 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-17 22:07 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-15 23:36 . 2008-01-15 23:36 <DIR> d-------- C:\Documents and Settings\Stewart Gemmell\Application Data\Grisoft
2008-01-15 23:36 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-15 23:30 . 2008-01-16 10:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-14 21:08 . 2008-01-14 21:08 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-13 22:54 . 2008-01-13 22:54 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-13 22:54 . 2008-01-13 22:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-10 22:38 . 2008-01-10 22:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-10 22:25 . 2008-01-10 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-09 22:26 . 2008-01-09 22:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-01-09 21:03 . 2008-01-09 21:03 <DIR> d-------- C:\Documents and Settings\Wendy Clark\Application Data\Anti-Virus-Pro.com
2008-01-09 20:32 . 2008-01-09 20:33 125 --a------ C:\ioSpecial.ini
2008-01-09 19:59 . 2008-01-09 19:59 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-09 00:39 . 2008-01-09 20:09 <DIR> d-------- C:\Program Files\Error Expert
2008-01-08 20:33 . 2008-01-19 00:21 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-08 02:40 . 2008-01-09 00:17 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-08 00:35 . 2008-01-10 01:41 <DIR> d-------- C:\Program Files\AntiVirusPro
2008-01-08 00:35 . 2008-01-08 00:35 <DIR> d-------- C:\Documents and Settings\Stewart Gemmell\Application Data\Anti-Virus-Pro.com
2008-01-08 00:34 . 2008-01-08 00:34 269,334 --a------ C:\WINDOWS\system32\lgjmp.bmp
2008-01-08 00:20 . 2008-01-09 00:28 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-08 00:14 . 2008-01-08 00:14 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2008-01-08 00:01 . 2008-01-08 00:01 72,423 --a------ C:\bfu.zip
2008-01-07 23:57 . 2008-01-07 23:58 3,011 --a------ C:\BFU.bfu
2008-01-07 23:55 . 2007-10-28 15:46 75,776 --a------ C:\Documents and Settings\Stewart Gemmell\BFU.exe
2008-01-04 22:41 . 2008-01-04 22:41 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-01-04 22:41 . 2008-01-04 22:41 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-01-03 13:40 . 2008-01-03 15:26 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-28 00:51 . 2008-01-04 18:59 738 --a------ C:\WINDOWS\system32\D4F87A2D.inf
2007-12-25 23:36 . 2007-12-25 23:36 <DIR> d-------- C:\Program Files\Live_TV
2007-12-25 15:35 . 2007-12-25 17:08 <DIR> d-------- C:\Program Files\PC MightyMax 2007

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 08:18 --------- d-----w C:\Program Files\McAfee
2008-01-19 09:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-19 09:38 --------- d-----w C:\Program Files\Common Files\McAfee
2008-01-19 09:37 --------- d-----w C:\Program Files\McAfee.com
2008-01-19 01:08 --------- d-----w C:\Program Files\Dl_cats
2008-01-18 23:41 --------- d-----w C:\Program Files\Java
2008-01-16 10:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-15 21:40 --------- d-----w C:\Program Files\Napster
2008-01-09 22:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-08 00:03 --------- d-----w C:\Documents and Settings\Stewart Gemmell\Application Data\Yahoo!
2007-12-27 00:08 --------- d-----w C:\Program Files\Dell Photo AIO Printer 944
2007-12-13 21:43 --------- d-----w C:\Documents and Settings\Stewart Gemmell\Application Data\Sonic
2007-12-12 23:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-10 21:20 --------- d--h--w C:\Program Files\Creative Installation Information
2007-12-10 21:20 --------- d-----w C:\Program Files\Creative
2007-12-10 21:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-10 21:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2007-11-29 00:47 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 1
2007-11-27 19:33 --------- d-----w C:\Program Files\BT Broadband Desktop Help
2007-11-26 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-05-21 18:43 6,376 ----a-w C:\Documents and Settings\All Users\Application Data\ypinfo.bin
2007-03-18 08:54 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-3-18-2007_8-54-37_3706041.dnp
2007-03-18 08:50 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item2-3-18-2007_8-49-55_2757251.dnp
2007-03-18 08:49 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item1-3-18-2007_8-48-45_5731338.dnp
2006-06-21 07:54 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( snapshot_2008-01-23_ 0.18.37.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-23 00:14:14 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-24 21:39:56 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-23 00:14:14 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-24 21:39:56 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-23 00:14:14 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-24 21:39:56 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-23 00:14:14 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-24 21:39:56 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-23 00:14:15 5,193,728 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-24 21:39:56 5,193,728 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-23 00:14:15 270,336 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 21:39:56 270,336 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 11:03 868352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 11:00 15360]
"DellSupport"="C:\PROGRA~1\DELLSU~2\DSAgnt.exe" [2004-07-19 07:51 306688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 18:25 49152]
"DLCDCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2006-02-24 15:12 73728]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 944\memcard.exe" [2005-06-27 17:05 282624]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2007-10-31 15:32 2250104]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 17:30 152144]

C:\Documents and Settings\Stewart Gemmell\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-07-01 20:47:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
"LoadAppInit_DLLs"=0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Broadband Desktop Help.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Broadband Desktop Help.lnk
backup=C:\WINDOWS\pss\Broadband Desktop Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
backup=C:\WINDOWS\pss\BT Broadband Desktop Help.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digimax Viewer 2.1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digimax Viewer 2.1.lnk
backup=C:\WINDOWS\pss\Digimax Viewer 2.1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VersionBackup.lnk]
backup=C:\WINDOWS\pss\VersionBackup.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VersionBackup.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--------- 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-02-21 22:26 43008 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp]
--a--c--- 2006-11-30 10:51 935936 C:\Program Files\btbb_wcm\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 17:23 102400 C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-10 11:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--------- 2005-08-08 06:10 16384 C:\WINDOWS\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSVolFE]
-----c--- 2005-02-23 15:57 57344 C:\Program Files\Creative\Mixer\CTSVolFE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
--------- 2007-07-17 11:03 868352 C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--------- 2005-08-08 06:10 18944 C:\WINDOWS\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2004-07-19 07:51 306688 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
-----c--- 2005-05-31 04:33 122941 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlcdmon.exe]
--a------ 2005-07-22 19:45 430080 C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-04-28 13:34 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-06-21 21:10 168960 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
-----c--- 2005-06-17 07:56 139264 C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--------- 2004-07-27 16:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--------- 2004-07-27 16:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 15:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaPipe P2P Loader]
C:\Program Files\p2pnetworks\mpp2pl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2006-05-24 13:20 458839 C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MskAgentexe]
--a------ 2007-01-17 17:30 152144 C:\Program Files\McAfee\MSK\MskAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 16:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
--a------ 2007-01-12 18:36 323216 C:\Program Files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--------- 2005-07-08 18:57 7110656 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Booster]
--------- 2005-12-28 10:39 5967942 C:\Program Files\inKline Global\PC Booster\pcbooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2006-12-12 00:36 366400 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-22 22:46 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
--a------ 2006-05-17 23:38 208941 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Toolkit]
C:\Program Files\Registry Toolkit\RegToolkit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer]
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-05-17 23:38 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
-----c--- 2005-07-11 11:34 122880 C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Registry Repair Pro]
--a------ 2005-09-08 19:49 1363968 C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XPRepairPro2007]
C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--------- 2005-08-31 17:11 2478080 C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YPC]
--------- 2005-06-03 16:32 352256 C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]
c:\program files\zango\zango.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SandraTheSrv"=3 (0x3)
"SandraDataSrv"=3 (0x3)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"IAANTMon"=2 (0x2)
"dlcd_device"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"WZCSVC"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"Netman"=3 (0x3)
"mnmsrvc"=3 (0x3)
"YPCService"=3 (0x3)
"McrdSvc"=2 (0x2)
"Symantec Core LC"=3 (0x3)
"SiteAdvisor Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
"Windows Media Player"=C:\Program Files\Windows Media Player\wmplayer.exe
"Run a DLL as an App"=C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\Yahoo!\Common\ymmapi.dll,OpenInboxHandler
"Run a DLL as an App606"=C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\Yahoo!\Common\ymmapi.dll,OpenInboxHandler
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"YBrowser"=C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
"YPC"=C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe
"dlcdmon.exe"="C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"UpdReg"=C:\WINDOWS\UpdReg.EXE
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

R0 hotcore;hotcore;C:\WINDOWS\system32\drivers\hotcore.sys [2005-04-29 00:47]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" [2007-02-10 05:29]
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2005-08-08 05:54]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys [2001-08-17 13:05]
S4 dlcd_device;dlcd_device;C:\WINDOWS\system32\dlcdcoms.exe [2007-01-16 22:34]

*Newly Created Service* - AD-WATCH_REGISTRY_FILTER
.
Contents of the 'Scheduled Tasks' folder
"2006-06-07 14:44:54 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-01-11 18:30:01 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (OWNER-21BA3FD68-Administrator).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-01-19 09:37:33 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-01-19 09:37:32 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-06-06 19:19:59 C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job"
- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe%Scan -RestrictPrivileges -ScanType 1
"2008-01-24 21:09:42 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 21:43:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-24 21:44:43
ComboFix-quarantined-files.txt 2008-01-24 21:44:39
ComboFix2.txt 2008-01-23 00:19:09
ComboFix3.txt 2008-01-18 22:43:09
ComboFix4.txt 2008-01-18 22:22:18
.
2008-01-24 20:01:45 --- E O F ---

The p.c seems to be running fine with only a couple of problem items;
I can't get my printer to work. It always lost the connection after a day to a month (must be some coruption problem) but I was always able to uninstall then reinstall from the disc but now I can't find the programme anywhere on the pc and when I put the printer disc in, I choose the option to uninstall but the cd spins then stops 20s later with nothing happening. I don't know how to get the printer back working.
The other problem is my mp3 player now is not recognised when I plug it in. It still charges and my camera is fine when using the same connection but the mp3 player is not picked up. (I also tried my wife's one also and it is the same)
I have a Napster subscription and I am about to lose around 12000 tracks as they have to be validated every month or so.
Do you think these problems are related to the recent malware infestation? Could you give me any suggestions about resolving them?
Thanks,
Gem
gem
Regular Member
 
Posts: 17
Joined: January 11th, 2008, 8:12 pm

Re: Hijackthis notepad info. Malware problems

Unread postby Bob4 » January 23rd, 2008, 9:18 pm

Nuts forgive me I made a slight error on some files. Nothing to do with your other issues though. I will help with these in a moment.

Just navigate to and delete the 2 folders I have listed in bold.

C:\Program Files\AntiVirusPro
C:\Documents and Settings\Stewart Gemmell\Application Data\Anti-Virus-Pro.com

Thats it for spyware, your clean now.


Do this next:
This process is going to clean up some of the tools we have used.

  • Open OTmoveit.
  • Click on Cleanup!.
  • Allow it to access the internet if any security software asks about it.

    It will ask you if you want to start the clean up process :
  • Click yes.
  • When it's ready it will ask you to reboot.
    Do so now.
    Then finish up with the rest of the instructions.




PRINTER:
Ususally the web site for a printer has the drivers/programs for free download at thereir respective sites.

The only reference I found to a printer of yours was a
Dell All-in-One Printer 944. If that is the printer you have use the link below to find them. ;)

http://support.us.dell.com/support/down ... eid=144124

If that is not your printer and you need help finding the drivers let me know the make and model number of your printer.
_________________________________________

I will look into the MP3 Player Issue for you.

Please let me know you were able to delete those 2 folders.
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 54 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware