please help..dont know what to do!!!!!!

Post by crystalp » January 11th, 2008, 9:43 am

Please help, someone visited numerous porn sites on my computer and now I have nothing but problems... the Windows Installer box keeps coming up every time I enter a web page. I hit cancel every time. I also have a file with the name of ...fvkwdrt.exe... on my computer in c:\windows. Below is my HijackThis file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:29 AM, on 1/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Webroot\Desktop Firewall\WDF.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\System32\msiexec.exe
C:\PROGRA~1\INTERN~1\iexplore.exe
C:\Program Files\Yahoo!\Companion\Installs\cpn1\ytbb.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: (no name) - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - (no file)
O3 - Toolbar: The emlkdvo - {A972081B-E5FE-45E4-BE29-856D23403C4F} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [ErrorSmart] "C:\Program Files\ErrorSmart\ErrorSmart.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\RunOnce: [PGhist] C:\Program Files\Desktop Maestro\PgHist.exe WinguidesPG
O4 - HKCU\..\RunOnce: [PrivacyGuardianIndex] C:\Program Files\Desktop Maestro\PgIndex.exe
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://portal.coursecompass.com
O15 - Trusted Zone: http://www.coursecompass.com
O15 - Trusted Zone: http://us.mcafee.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/St ... b55579.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWe ... taller.CAB
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - http://zone.msn.com/BinFrameWork/v10/ZB ... b55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZP ... b55579.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-U ... E_UNO1.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GA ... b55579.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zp ... b55579.cab
O16 - DPF: {A6B13EE4-A974-11D2-8DB7-00C04FB6E8F6} - http://www.rapidfax.com/mso_packet/acti ... 653274.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v ... b55579.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - http://zone.msn.com/binframework/v10/St ... b55579.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/defaul ... uncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O21 - SSODL: bvtqfvx - {C020EB62-4693-4114-B806-4D4DF93B1C7E} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0229661198942547) (0229661198942547mcinstcleanup) - - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iClarityQoSService - AVAYA Communication - C:\WINDOWS\system32\\QosServM.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9174 bytes
crystalp
Active Member
 
Posts: 11
Joined: January 11th, 2008, 9:38 am
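The HijackThis log above is what the helper reads by hand. As an added example that is not part of this thread and not code from HijackThis or MalwareRemoval.com, the Python script below parses HijackThis v2 item lines and flags the kinds of entries a reviewer looks at first: registered components whose file is gone ("(no file)"), random-looking display names such as the "emlkdvo" toolbar and the "bvtqfvx" SSODL entry, autostart entries given as a bare file name with no path, unknown Winsock LSP modules and Trusted Zone additions. The sample log is constructed from lines adapted from the log above, the consonant-run rule in looks_random and the other heuristics are my own assumptions, and a flag means "look at this", not "this is malware".

```python
"""Triage helper for HijackThis v2 logs (constructed example, not HijackThis
or MalwareRemoval.com code). It parses the "O4 - ..." style item lines and
flags entries a log reviewer would want to look at first. A flag means
"check this", not "this is malware"; the heuristics are assumptions."""
import re
from dataclasses import dataclass
from typing import List

# Every HijackThis item line starts with a section code: R0-R3, F0-F3, N1-N4, O1-O24.
ITEM_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.*)$")

# O4 autostart whose command is a bare file name ("[AlcxMonitor] ALCXMNTR.EXE"):
# Windows resolves it through the PATH search order at logon, so the log alone
# does not tell you which file actually runs.
BARE_EXE_RE = re.compile(r'^\[[^\]]+\]\s+"?([A-Za-z0-9_.~-]+\.exe)"?(\s|$)', re.I)

VOWELS = set("aeiouy")


@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis section code, e.g. "O3"
    reason: str  # why a reviewer should look at it
    line: str    # the original log line


def looks_random(name: str) -> bool:
    """Heuristic (assumption) for generated names such as 'emlkdvo' or 'bvtqfvx':
    a lowercase word of six or more letters containing a run of four or more
    consonants. Legitimate names with consonant clusters can trip it, which is
    why this only drives a 'look here' flag."""
    for word in re.findall(r"[a-z]{6,}", name):
        run = 0
        for ch in word:
            run = 0 if ch in VOWELS else run + 1
            if run >= 4:
                return True
    return False


def triage(log_text: str) -> List[Finding]:
    """Return the entries worth a closer look, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ITEM_RE.match(line)
        if not m:
            continue  # header, "Running processes:" and blank lines
        kind, body = m.group("kind"), m.group("body")

        # Registered BHOs, toolbars, SSODL hooks and services whose file is gone:
        # often the remnant of something already removed, still worth cleaning.
        if kind in ("O2", "O3", "O21", "O23") and body.endswith("(no file)"):
            findings.append(Finding(kind, "orphaned entry: registered component points at a missing file", line))

        # Display name is the text between "Toolbar:"/"SSODL:" and the first " - ".
        if kind in ("O3", "O21"):
            name = body.split(" - ")[0].split(":", 1)[-1].strip()
            if looks_random(name):
                findings.append(Finding(kind, f"random-looking display name '{name}'", line))

        if kind == "O4":
            entry = body.split(": ", 1)[-1]  # drop the "HKLM\..\Run" prefix
            bm = BARE_EXE_RE.match(entry)
            if bm:
                findings.append(Finding(kind, f"autostart '{bm.group(1)}' has no path; find which file PATH resolves it to", line))

        if kind == "O10":
            findings.append(Finding(kind, "unknown Winsock LSP module; identify the publisher before removing (a broken LSP chain kills networking)", line))

        if kind == "O15":
            findings.append(Finding(kind, "site in the IE Trusted Zone; confirm the user added it deliberately", line))
    return findings


# Constructed sample, adapted from the kinds of lines seen in the log above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: The emlkdvo - {A972081B-E5FE-45E4-BE29-856D23403C4F} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://us.mcafee.com
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O21 - SSODL: bvtqfvx - {C020EB62-4693-4114-B806-4D4DF93B1C7E} - (no file)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {f.reason}\n     {f.line}")
```

Run against the sample, the script flags eight entries: the two orphaned "(no file)" components, the "emlkdvo" toolbar and "bvtqfvx" SSODL names (each flagged twice, once as orphaned and once as random-looking), the path-less ALCXMNTR.EXE autostart, the unknown LSP module and the Trusted Zone site; the fully-pathed hpsysdrv and Adobe entries pass. Feed it a real log by reading the file and passing its text to triage().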

Re: please help..dont know what to do!!!!!!

Post by chryssi2001 » January 13th, 2008, 7:23 am

Hello crystalp,

I will be assisting you with your malware issues.
Please be patient as I need some time to review your HijackThis log, and I will post back recommendations for repairs.

As I am still a trainee, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long.

  • Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any questions or you get stuck, please reply to me. I will try my best to help you!
  • Please bookmark or favourite this page, in case you need it as a reference.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: please help..dont know what to do!!!!!!

Post by chryssi2001 » January 13th, 2008, 3:41 pm

Hello crystalp,

You have many protection programs on your PC, which might create conflicts or slowness as they all load and run on start-up.

SpySweeper
ErrorSmart
Desktop Maestro-PrivacyGuardian

You can keep SpySweeper loading on start-up, disable the other two from start-up and use them on demand. Too many protection programs running at the same time will create the above symptoms.

You can disable a program from start up as below:
Open the program, click on Options, and deselect "run at start up".

If you feel you are covered enough with SpySweeper and the anti-virus I ask you to install in my next post, remove the rest of the protection programs.

Please inform me what you will decide to do.
-----------------------------------------------
You aren't running anti-virus software

Anti-virus programs detect, cleanse, and erase harmful virus files on a computer, Web server, or network.
Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus program from one of these excellent vendors NOW:

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition
-Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.
-----------------------------------------------
Download and Run ComboFix
If you already have ComboFix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happens we want to know, and also which process you had to end.
-----------------------------------------------
Run HijackThis again.
-----------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: please help..dont know what to do!!!!!!

Post by crystalp » January 13th, 2008, 10:57 pm

I have done as requested, but I am unsure what you mean that my SpySweeper with antivirus is not an antivirus program. Please clarify. Below are both logs requested, but let me tell ya, so far so good; even my Internet Explorer pages load more quickly.

HIJACK This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:11 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Webroot\Desktop Firewall\WDF.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: (no name) - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - (no file)
O3 - Toolbar: The emlkdvo - {A972081B-E5FE-45E4-BE29-856D23403C4F} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [NVIEW] "rundll32.exe" nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CISCO] "C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Desktop\ESYLVAN\Remote_Workforce_profile\Remote_Workforce_Profile\DelayInst.exe" delay C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Desktop\ESYLVAN\Remote_Workforce_profile\Remote_Workforce_Profile\setup.exe
O4 - HKCU\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKCU\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"
O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" (User '?')
O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [NVIEW] "rundll32.exe" nview.dll,nViewLoadHook (User '?')
O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup (User '?')
O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User '?')
O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [CISCO] "C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Desktop\ESYLVAN\Remote_Workforce_profile\Remote_Workforce_Profile\DelayInst.exe" delay C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Desktop\ESYLVAN\Remote_Workforce_profile\Remote_Workforce_Profile\setup.exe (User '?')
O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [LTMSG] LTMSG.exe 7 (User '?')
O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe" (User '?')
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User '?')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://portal.coursecompass.com
O15 - Trusted Zone: http://www.coursecompass.com
O15 - Trusted Zone: http://us.mcafee.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/St ... b55579.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWe ... taller.CAB
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - http://zone.msn.com/BinFrameWork/v10/ZB ... b55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZP ... b55579.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-U ... E_UNO1.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GA ... b55579.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zp ... b55579.cab
O16 - DPF: {A6B13EE4-A974-11D2-8DB7-00C04FB6E8F6} - http://www.rapidfax.com/mso_packet/acti ... 653274.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v ... b55579.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - http://zone.msn.com/binframework/v10/St ... b55579.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/defaul ... uncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O23 - Service: McAfee Application Installer Cleanup (0229661198942547) (0229661198942547mcinstcleanup) - - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10210 bytes
COMBOFIX LOG


ComboFix 08-01-14.1 - Owner 2008-01-13 20:30:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.296 [GMT -5:00]
Running from: C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\FTPx.dll
C:\WINDOWS\system32\MabryObj.dll
C:\WINDOWS\system32\msacm32.drv
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_IPRIP
-------\nm


((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
.

2008-01-13 20:26 . 2000-08-31 08:00 51,200 --a--c--- C:\WINDOWS\NirCmd.exe
2008-01-13 10:07 . 2008-01-13 10:07 <DIR> d----c--- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\Desktop Mechanic
2008-01-12 20:12 . 2003-07-24 04:56 <DIR> d----c--- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\WINDOWS
2008-01-12 20:12 . 2003-07-26 03:54 <DIR> d----c--- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\Symantec
2008-01-12 20:12 . 2003-07-24 04:35 <DIR> d----c--- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\Sonic
2008-01-12 20:12 . 2003-07-24 05:02 <DIR> d----c--- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\SampleView
2008-01-12 20:12 . 2003-07-26 03:57 <DIR> d----c--- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\interMute
2008-01-12 20:12 . 2004-12-21 12:40 497 --ah-c--- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\hpothb07.dat
2008-01-12 13:16 . 2003-07-24 04:56 <DIR> d----c--- C:\Documents and Settings\Guest\WINDOWS
2008-01-12 13:16 . 2003-07-26 03:54 <DIR> d----c--- C:\Documents and Settings\Guest\Application Data\Symantec
2008-01-12 13:16 . 2003-07-24 04:35 <DIR> d----c--- C:\Documents and Settings\Guest\Application Data\Sonic
2008-01-12 13:16 . 2003-07-24 05:02 <DIR> d----c--- C:\Documents and Settings\Guest\Application Data\SampleView
2008-01-12 13:16 . 2003-07-26 03:57 <DIR> d----c--- C:\Documents and Settings\Guest\Application Data\interMute
2008-01-12 13:16 . 2004-12-21 12:40 497 --ah-c--- C:\Documents and Settings\Guest\hpothb07.dat
2008-01-12 08:25 . 2008-01-12 08:25 <DIR> d----c--- C:\Documents and Settings\work only\.jmf
2008-01-12 08:01 . 2008-01-12 08:05 <DIR> d----c--- C:\Program Files\CA Yahoo! Anti-Spy
2008-01-12 07:53 . 2008-01-12 07:53 <DIR> d----c--- C:\WINDOWS\Data
2008-01-12 07:19 . 2008-01-12 07:19 <DIR> d----c--- C:\Documents and Settings\work only\Application Data\Motive
2008-01-12 07:00 . 2008-01-12 07:55 <DIR> d----c--- C:\Documents and Settings\work only\Application Data\Yahoo!
2008-01-12 06:36 . 2008-01-12 08:41 <DIR> d----c--- C:\Documents and Settings\work only\Spark
2008-01-12 06:33 . 2008-01-12 06:33 <DIR> d----c--- C:\Documents and Settings\work only\Application Data\Webroot
2008-01-12 06:33 . 2008-01-12 06:33 <DIR> d----c--- C:\Documents and Settings\work only\Application Data\ErrorSmart
2008-01-12 06:26 . 2003-07-24 04:56 <DIR> d----c--- C:\Documents and Settings\work only\WINDOWS
2008-01-12 06:26 . 2003-07-26 03:54 <DIR> d----c--- C:\Documents and Settings\work only\Application Data\Symantec
2008-01-12 06:26 . 2003-07-24 04:35 <DIR> d----c--- C:\Documents and Settings\work only\Application Data\Sonic
2008-01-12 06:26 . 2003-07-24 05:02 <DIR> d----c--- C:\Documents and Settings\work only\Application Data\SampleView
2008-01-12 06:26 . 2003-07-26 03:57 <DIR> d----c--- C:\Documents and Settings\work only\Application Data\interMute
2008-01-12 06:26 . 2004-12-21 12:40 497 --ah-c--- C:\Documents and Settings\work only\hpothb07.dat
2008-01-11 08:26 . 2008-01-11 08:26 <DIR> d----c--- C:\Program Files\Trend Micro
2008-01-11 08:23 . 2008-01-11 08:23 <DIR> d----c--- C:\KAV
2008-01-11 07:06 . 2008-01-11 07:06 <DIR> d----c--- C:\VundoFix Backups
2008-01-11 06:32 . 2008-01-11 06:32 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-11 06:31 . 2008-01-11 06:33 <DIR> d----c--- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\PrevxCSI
2008-01-05 17:12 . 2008-01-05 17:12 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn
2008-01-05 17:12 . 2008-01-05 17:12 1,409 --a--c--- C:\WINDOWS\QTFont.for
2007-12-29 10:44 . 2007-12-29 10:44 <DIR> d----c--- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-12-29 10:33 . 2007-12-29 10:33 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-29 08:43 . 2007-12-29 08:43 <DIR> d----c--- C:\Program Files\ZoneAlarmSB
2007-12-29 08:38 . 2007-12-29 08:38 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-29 08:35 . 2007-12-29 08:35 4,212 ---h-c--- C:\WINDOWS\system32\zllictbl.dat
2007-12-29 08:29 . 2007-12-29 08:49 <DIR> d----c--- C:\WINDOWS\system32\ZoneLabs
2007-12-29 06:07 . 2007-12-29 06:07 <DIR> d----c--- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-12-29 06:07 . 2008-01-04 20:34 163,696 --a--c--- C:\WINDOWS\system32\drivers\ssidrv.sys
2007-12-29 06:07 . 2008-01-04 20:34 23,920 --a--c--- C:\WINDOWS\system32\drivers\sskbfd.sys
2007-12-29 06:07 . 2008-01-04 20:34 21,872 --a--c--- C:\WINDOWS\system32\drivers\sshrmd.sys
2007-12-29 06:07 . 2008-01-04 20:34 20,336 --a--c--- C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-12-29 06:06 . 2007-12-29 10:00 <DIR> d----c--- C:\Program Files\Webroot
2007-12-29 06:06 . 2007-12-29 06:06 <DIR> d----c--- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Webroot
2007-12-29 06:06 . 2007-12-29 09:52 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Webroot
2007-12-29 06:06 . 2008-01-04 20:56 1,526,640 --a--c--- C:\WINDOWS\WRSetup.dll
2007-12-29 06:05 . 2008-01-11 17:51 164 --a--c--- C:\install.dat
2007-12-27 09:32 . 2007-12-27 09:32 <DIR> d----c--- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Mattel
2007-12-27 09:31 . 2007-12-27 09:31 <DIR> d----c--- C:\Program Files\Mattel
2007-12-26 19:53 . 2007-12-26 19:54 <DIR> d--hsc--- C:\Documents and Settings\All Users\DRM
2007-12-26 19:47 . 2008-01-06 09:37 870,128 --a--c--- C:\WINDOWS\system32\mcs.rma
2007-12-26 19:47 . 2008-01-06 09:37 4 --a--c--- C:\WINDOWS\system32\A888B7
2007-12-26 19:45 . 2007-12-26 19:45 8,413 --a--c--- C:\WINDOWS\system32\drivers\mcstrm.sys
2007-12-26 19:41 . 2007-12-26 19:55 <DIR> d----c--- C:\Program Files\Rhapsody
2007-12-26 19:26 . 2007-12-26 19:26 <DIR> d----c--- C:\Program Files\SanDisk
2007-12-26 19:26 . 2007-12-26 19:27 <DIR> d----c--- C:\Program Files\Common Files\ArcSoft
2007-12-26 19:26 . 2004-05-04 11:53 1,645,320 --a--c--- C:\WINDOWS\system32\gdiplus.dll
2007-12-26 19:26 . 2005-06-21 10:29 245,408 --a--c--- C:\WINDOWS\system32\unicows.dll
2007-12-21 07:38 . 2007-12-21 07:38 <DIR> d----c--- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Stamps.com Internet Postage
2007-12-21 06:48 . 2007-12-21 06:48 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\{D9AA4D17-9292-410D-9AA5-84526D062900}
2007-12-21 06:47 . 2007-12-21 06:47 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\{E23E3BED-ADD9-4DF7-B375-5EC5E69FD666}
2007-12-21 06:47 . 2007-12-21 06:47 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}
2007-12-21 06:47 . 2007-12-21 06:47 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\{8737778F-82C6-4680-A660-E8B2B8C8C22B}
2007-12-21 06:46 . 2007-12-21 06:46 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\{AB89557A-DCAD-4657-A970-8F9A3EFFB34D}
2007-12-21 06:45 . 2007-12-21 06:45 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\{876C6265-922D-4EF3-A784-71D72FF033C0}
2007-12-21 06:44 . 2007-12-21 07:50 <DIR> d----c--- C:\Program Files\Stamps.com Internet Postage
2007-12-21 06:44 . 2007-12-21 07:38 36 --ah-c--- C:\WINDOWS\system32\f9t.dat
2007-12-20 09:00 . 2007-12-20 09:00 <DIR> d----c--- C:\Program Files\Common Files\Deterministic Networks
2007-12-20 09:00 . 2004-01-26 15:01 268,872 --a--c--- C:\WINDOWS\system32\drivers\CVPNDRVA.sys
2007-12-17 13:00 . 2008-01-09 07:44 <DIR> d----c--- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\ErrorSmart
2007-12-17 12:59 . 2008-01-09 07:44 <DIR> d----c--- C:\Program Files\ErrorSmart
2007-12-17 12:05 . 2004-12-21 12:40 497 --ah-c--- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.000\hpothb07.dat
2007-12-17 10:56 . 2007-12-27 13:33 <DIR> d----c--- C:\Program Files\PC MightyMax 2007
2007-12-16 21:29 . 2007-12-17 06:40 <DIR> d----c--- C:\Program Files\Microsoft Silverlight
2007-12-14 11:59 . 2007-12-14 11:59 <DIR> d----c--- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Desktop Mechanic
2007-12-14 11:38 . 2008-01-13 10:24 <DIR> d----c--- C:\Program Files\Desktop Maestro
2007-12-14 11:38 . 2008-01-13 20:23 <DIR> d-a--c--- C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-14 10:10 . 2008-01-11 08:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-12 10:05 --------- dc----w C:\Program Files\Common Files\InstallShield
2008-01-12 09:23 --------- dc----w C:\Program Files\MalwareBot
2008-01-11 13:00 --------- dc----w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Yahoo!
2008-01-11 03:21 --------- dc----w C:\Program Files\Spark
2008-01-05 20:27 --------- dc----w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\ArcSoft
2007-12-27 14:31 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2007-12-18 11:50 --------- dc----w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\SiteAdvisor
2007-12-11 14:49 --------- dc----w C:\Program Files\Windows Defender
2007-12-11 14:48 --------- dc----w C:\Program Files\iTunes
2007-12-10 11:51 --------- dc----w C:\Program Files\Rand McNally
2007-12-10 00:31 60,968 -c--a-w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\GoToAssistDownloadHelper.exe
2007-12-08 19:14 --------- dc----w C:\Program Files\Thinkwell
2007-12-06 13:54 --------- dc----w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Avaya
2007-12-06 12:40 --------- dc----w C:\Program Files\Cisco Systems
2007-12-05 23:01 --------- dc----w C:\Program Files\QuickTime
2007-12-05 18:14 --------- dc----w C:\Program Files\TryMedia
2007-12-03 19:13 --------- dc----w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\VonageTalk
2007-12-03 17:07 --------- dc----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-03 15:47 --------- dc----w C:\Program Files\iPod
2007-11-27 13:51 --------- dc----w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Image Zone Express
2007-11-27 11:05 --------- dc----w C:\Program Files\IObit
2007-11-25 21:30 --------- dc----w C:\Documents and Settings\All Users\Application Data\FunGames
2007-11-21 23:24 --------- dc----w C:\Program Files\McAfee
2007-11-16 22:02 --------- dc----w C:\Program Files\Windows Live Safety Center
2007-11-07 09:26 721,920 -c--a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 -c--a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 -c--a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 06:47 96,760 -c--a-w C:\WINDOWS\system32\dfshim.dll
2007-10-24 06:47 84,480 -c--a-w C:\WINDOWS\system32\mscories.dll
2007-10-24 06:47 282,112 -c--a-w C:\WINDOWS\system32\mscoree.dll
2007-10-24 06:47 158,720 -c--a-w C:\WINDOWS\system32\mscorier.dll
2007-10-20 18:20 177,496 -c--a-w C:\WINDOWS\system32\wdfproc.dll
2004-12-21 17:40 497 -c-ha-w C:\WINDOWS\system32\config\systemprofile\hpothb07.dat
2004-12-21 17:40 497 -c-ha-w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\hpothb07.dat
2004-12-21 17:40 497 -c-ha-w C:\Documents and Settings\Default User\hpothb07.dat
2004-12-21 17:40 497 -c-ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2004-12-21 17:40 497 -c-ha-w C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41\hpothb07.dat
2004-08-10 15:18 169 -c-ha-w C:\Documents and Settings\NetworkService\hpothb07.dat
2003-11-02 00:04 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
2006-06-10 12:43 56 -csh--r C:\WINDOWS\system32\4D5F065ECC.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-12-29 08:43 262144 --a--c--- C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{8EAB99C9-F9EC-4B64-A4BA-D9BCAE8779C2}
{A972081B-E5FE-45E4-BE29-856D23403C4F}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2007-12-29 08:43 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"NVIEW"="nview.dll" [2003-05-03 01:19 835654 C:\WINDOWS\system32\nview.dll]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-05-03 01:19 4640768]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16 286720]
"CISCO"="C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Desktop\ESYLVAN\Remote_Workforce_profile\Remote_Workforce_Profile\DelayInst.exe" [2004-01-26 14:01 45126]
"LTMSG"="LTMSG.exe" [2003-07-14 09:52 40960 C:\WINDOWS\ltmsg.exe]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-03-11 16:37 936960]
"ErrorSmart"="C:\Program Files\ErrorSmart\ErrorSmart.exe" [2007-10-25 15:11 18244856]
"PrivacyGuardianIndex"="C:\Program Files\Desktop Maestro\PgIndex.exe" [2006-10-30 13:57 38488]
"PGhist"="C:\Program Files\Desktop Maestro\PgHist.exe" [2007-03-28 17:39 42584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 23:42 212992]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-07-31 22:28 81920]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 08:03 155648]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 12:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"Webroot Desktop Firewall"="C:\Program Files\Webroot\Desktop Firewall\WDF.exe" [2007-10-20 13:20 1717592]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]
"ErrorSmart"="C:\Program Files\ErrorSmart\ErrorSmart.exe" [2007-10-25 15:11 18244856]

C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 09:11:14]

C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Start Menu\Programs\Startup\
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 09:11:14]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 09:11:14]

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 09:11:14]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 05:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Avaya IP Agent - English.lnk]
backup=C:\WINDOWS\pss\Avaya IP Agent - English.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner.YOUR-LK4RLMSU41.000^Start Menu^Programs^Startup^Compaq Organize.lnk]
backup=C:\WINDOWS\pss\Compaq Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner.YOUR-LK4RLMSU41.000^Start Menu^Programs^Startup^spamsubtract.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0176181154318107mcinstcleanup]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0283871154301336mcinstcleanup]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a--c--- 2007-03-09 10:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2007-10-10 18:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopMaestro]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\errorkiller]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2007-11-15 13:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MalwareBot]
--a--c--- 2007-02-19 14:38 8589312 C:\Program Files\MalwareBot\MalwareBot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a--c--- 2003-02-24 20:51 53248 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a--c--- 2003-02-05 21:38 143360 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a--c--- 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pwreset]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2007-10-19 20:16 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rainlendar2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spark]
--a--c--- 2007-11-14 12:52 434176 C:\Program Files\Spark\Spark.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a--c--- 2005-05-31 00:04 1415824 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2003-07-24 04:36 151597 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a--c--- 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"omniserv"=2 (0x2)
"usnjsvc"=3 (0x3)
"MpfService"=2 (0x2)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2008-01-05 23:35:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-12 11:00:01 C:\WINDOWS\Tasks\avast! Antivirus.job"
- C:\PROGRA~1\ALWILS~1\Avast4\ashAvast.exe
"2007-06-10 00:22:36 C:\WINDOWS\Tasks\ErrorKiller Scheduled Scan.job"
"2008-01-12 14:20:20 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.exe
- C:\Program Files\ErrorSmart
"2005-02-09 13:06:12 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1098932354.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2006-09-28 00:03:31 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1151330391.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2008-01-14 02:03:31 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-12 05:00:08 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
- A:\
"2008-01-12 08:00:00 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 21:06:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
Completion time: 2008-01-13 21:11:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-14 02:11:31
.
2008-01-12 14:21:55 --- E O F ---
crystalp
Active Member
 
Posts: 11
Joined: January 11th, 2008, 9:38 am

Re: please help..dont know what to do!!!!!!

Unread postby chryssi2001 » January 14th, 2008, 7:46 am

Hello crystalp,

I need some time to check your reports; in the meantime, I need some information from you.

I can see SpySweeper firewall in your log. Can you tell me exactly which SpySweeper program you use, and if it includes Anti-Virus with a firewall?
I am asking you this because most users have SpySweeper-AntiSpyware application only.

I need to be sure you are fully protected from infection with an Anti-Virus.
-------------------------------------------------
LIST OF PROGRAMS USING HIJACKTHIS
  • Open HijackThis.
  • Click on Open the Misc Tools section.
  • Look under System tools.
  • Click on the Open Uninstall Manager... button.
  • Click on the Save list... button.
  • It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  • Notepad will open. Please copy and paste the contents of this log in your next reply.
See the details at this link.
http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: please help..dont know what to do!!!!!!

Unread postby crystalp » January 14th, 2008, 8:12 am

Yes, I have the LATEST version of SpySweeper with antivirus, firewall, and antispyware. Below is the uninstall log as requested.

Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Apple Mobile Device Support
Barbie Girls
CA Yahoo! Anti-Spy (remove only)
ChristmasTheme
Compatibility Pack for the 2007 Office system
Desktop Maestro 2.0
ErrorSmart
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
iTunes
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Office Outlook 2003
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
QuickTime
Rhapsody
Sansa Media Converter
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Spark 2.5.8
Spy Sweeper
Stamps.com
Stamps.com support for Harmony
Stamps.com support for Microsoft Outlook 2000-2007
Stamps.com support for Microsoft Outlook 97-2007
Stamps.com support for Microsoft Word 2000-2007
Stamps.com support for Outlook Express, Works, IE
Update for Windows XP (KB925877)
Update for Windows XP (KB942763)
VPN Client
Webroot Desktop Firewall
Windows Presentation Foundation
Yahoo! Browser Services
Yahoo! Messenger
Yahoo! Toolbar
Yahoo! Widgets
ZoneAlarm Spy Blocker
crystalp
Active Member
 
Posts: 11
Joined: January 11th, 2008, 9:38 am

Re: please help..dont know what to do!!!!!!

Unread postby chryssi2001 » January 14th, 2008, 12:47 pm

Thank you for the information about SpySweeper and the programs list. I will finish checking your reports and be back asap. :)
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: please help..dont know what to do!!!!!!

Unread postby chryssi2001 » January 15th, 2008, 3:59 am

Hello crystalp,

Wow, you have even more protection programs, which are disabled with msconfig.
I suggest you choose and uninstall whichever you don't use.
-------------------------------------------
Go to Start-Settings-Control Panel, click on Add/Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on Remove. Then close the Control Panel.

    MalwareBot
    My Web Search Bar Search Scope Monitor
    MyWebSearch Email Plugin and any My Web Search related programs you find
    XoftSpySE
    ZoneAlarm Spy Blocker
    CA Yahoo! Anti-Spy

-------------------------------------------
The following instructions are for disabling the anti-spyware version of SpySweeper and unfortunately I'm not sure that the instructions are the same for your version of SpySweeper. The important thing is that we need the anti-spyware element disabled, and NOT the antivirus or firewall.

Disable SpySweeper until the computer is clean

SpySweeper normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

- Open SpySweeper
- Select Options and then Program Options
- Uncheck the option Load at Windows Startup
- Select Shields and uncheck all there
- Uncheck Home page shield
- Uncheck automatically restore default without notification
- Reboot your machine to complete the process
Don't forget to re-enable it when your computer is clean.
-------------------------------------------
Delete bad services
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat
Please save it on your desktop.

@echo off
REM sc works on the service's short name (the second name in parentheses on the
REM O23 line, 0229661198942547mcinstcleanup), not its display name; a display
REM name containing spaces would also have to be quoted.
sc stop 0229661198942547mcinstcleanup
sc delete 0229661198942547mcinstcleanup
exit


Double click FixServices.bat. A window will open and close. This is normal.
-------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines (if still present).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: (no name) - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - (no file)
O3 - Toolbar: The emlkdvo - {A972081B-E5FE-45E4-BE29-856D23403C4F} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O23 - Service: McAfee Application Installer Cleanup (0229661198942547) (0229661198942547mcinstcleanup) - - (no file)


Please fix these lines too, if you didn't add them yourself, in your Trusted Zone.

O15 - Trusted Zone: http://portal.coursecompass.com
O15 - Trusted Zone: http://www.coursecompass.com
O15 - Trusted Zone: http://us.mcafee.com



Then close all windows except HijackThis and click Fix Checked.
Close HijackThis.
-------------------------------------------
Set Your Computer to Show All Files
  • Click Start.
  • Click My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading, select Show hidden files and folders.
  • Uncheck Hide protected operating system files (recommended).
  • Click Yes to confirm.
  • Uncheck the Hide file extensions for known file types.
  • Click OK.
In addition, go to Start, Search. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom.
Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.
-------------------------------------------
I need some information from you. I want you to locate the folders below and have a look at what is inside them. You can take notes in Notepad, and post them back here please.

C:\WINDOWS\system32\A888B7
C:\Documents and Settings\All Users\Application Data\{E23E3BED-ADD9-4DF7-B375-5EC5E69FD666}
C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}
C:\Documents and Settings\All Users\Application Data\{8737778F-82C6-4680-A660-E8B2B8C8C22B}
C:\Documents and Settings\All Users\Application Data\{AB89557A-DCAD-4657-A970-8F9A3EFFB34D}
C:\Documents and Settings\All Users\Application Data\{876C6265-922D-4EF3-A784-71D72FF033C0}
C:\Documents and Settings\All Users\Application Data\TEMP
-------------------------------------------
COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    C:\WINDOWS\system32\f9t.dat

    Folder::
    C:\VundoFix Backups
    C:\Program Files\MalwareBot
    C:\Program Files\ZoneAlarmSB
    C:\Program Files\My Web Search
    C:\Program Files\XoftSpySE
    C:\Program Files\ZoneAlarm Spy Blocker
    C:\Program Files\CA Yahoo! Anti-Spy

    Registry::
    [-HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0176181154318107mcinstcleanup]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0283871154301336mcinstcleanup]

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
-------------------------------------------
Post back:
Combofix Report.
A new HijackThis log.
Information on the contents of the folders I asked you to look at.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
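The checks the helper applied by eye in the post above (toolbars and services whose file is gone, an O4 autorun that names a bare executable, Trusted Zone sites the user should confirm) can be mechanised for triage. The following is an added example, not a tool from MalwareRemoval.com, Trend Micro or the helper: a small Python pass over HijackThis-style lines. The sample log is constructed from lines quoted in this thread, and the line shapes it recognises are assumed from those lines; other HijackThis sections are simply passed through.

```python
"""Triage pass over HijackThis-style log lines (added example).

It flags entries a human should look at, in the same way the helper did
above, and leaves everything else alone.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O23"
    name: str      # BHO/toolbar name, service short name, Run value or site
    reason: str    # why a person should look at it
    line: str      # the raw log line

# Both spellings HijackThis uses for a registration whose target is gone.
MISSING = ("(no file)", "(file missing)")

# Line shapes recognised here (assumed from the lines quoted in this thread):
#   O2 - BHO: <name> - {CLSID} - <path | (no file)>
#   O3 - Toolbar: <name> - {CLSID} - <path | (no file)>
#   O4 - <hive>\..\Run: [<value>] <command>
#   O15 - Trusted Zone: <site>
#   O23 - Service: <display> [(<short name>)] - <company> - <path | (no file)>
O2_O3_RE = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_RE = re.compile(r"^(O4) - \S+\\\.\.\\Run: \[(.*?)\] (.*)$")
O15_RE = re.compile(r"^(O15) - Trusted Zone: (.*)$")
O23_RE = re.compile(r"^(O23) - Service: (.*?)(?: \(([^()]+)\))? - (.*?) ?- (.*)$")


def _is_bare_name(command):
    """True when the command starts with a file name that carries no directory,
    so Windows resolves it through its search path (the AlcxMonitor case)."""
    head = command.lstrip('"').split('"')[0].split(" ")[0]
    return "\\" not in head and not head.startswith("%")


def triage_line(line):
    """Return a Finding for one log line, or None if nothing stands out."""
    line = line.strip()
    m = O2_O3_RE.match(line)
    if m:
        section, name, _clsid, target = m.groups()
        if target in MISSING:
            return Finding(section, name, "registered CLSID points at a missing file", line)
        return None
    m = O23_RE.match(line)
    if m:
        section, display, short, _company, target = m.groups()
        if target in MISSING:
            return Finding(section, short or display,
                           "orphaned service: binary missing, candidate for sc stop / sc delete", line)
        return None
    m = O4_RE.match(line)
    if m:
        section, value, command = m.groups()
        if _is_bare_name(command):
            return Finding(section, value,
                           "autorun names a bare file resolved via the search path; confirm which file runs", line)
        return None
    m = O15_RE.match(line)
    if m:
        section, site = m.groups()
        return Finding(section, site, "Trusted Zone entry: confirm you added it yourself", line)
    return None


def triage_log(text):
    """Run triage_line over a whole log and return the findings in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


# Constructed sample: lines quoted from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: (no name) - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - (no file)
O3 - Toolbar: The emlkdvo - {A972081B-E5FE-45E4-BE29-856D23403C4F} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O15 - Trusted Zone: http://www.coursecompass.com
O23 - Service: McAfee Application Installer Cleanup (0229661198942547) (0229661198942547mcinstcleanup) - - (no file)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:4} {f.name}: {f.reason}")
```

The service finding carries the short name (the second parenthesised name on the O23 line), which is the one `sc stop` and `sc delete` expect; the O4 bare-name check is a prompt to verify on disk, not a verdict, since legitimate vendor entries such as LTMSG.exe use the same form.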

Re: please help..dont know what to do!!!!!!

Unread postby crystalp » January 15th, 2008, 7:23 am

AS REQUESTED FILES ARE BELOW, COMBOFIX LOG, NEW HIJACKTHIS LOG, AND FOLDER CONTENTS:>>>>>>>>>

HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:20:58 AM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [NVIEW] "rundll32.exe" nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CISCO] "C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Desktop\ESYLVAN\Remote_Workforce_profile\Remote_Workforce_Profile\DelayInst.exe" delay C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Desktop\ESYLVAN\Remote_Workforce_profile\Remote_Workforce_Profile\setup.exe
O4 - HKCU\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKCU\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"
O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" (User '?')
O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [NVIEW] "rundll32.exe" nview.dll,nViewLoadHook (User '?')
O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup (User '?')
O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User '?')
O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [CISCO] "C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Desktop\ESYLVAN\Remote_Workforce_profile\Remote_Workforce_Profile\DelayInst.exe" delay C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Desktop\ESYLVAN\Remote_Workforce_profile\Remote_Workforce_Profile\setup.exe (User '?')
O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [LTMSG] LTMSG.exe 7 (User '?')
O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe" (User '?')
O4 - S-1-5-21-2992285633-4232029239-668411950-1003 Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe (User '?')
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User '?')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://portal.coursecompass.com
O15 - Trusted Zone: http://www.coursecompass.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/St ... b55579.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWe ... taller.CAB
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - http://zone.msn.com/BinFrameWork/v10/ZB ... b55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZP ... b55579.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-U ... E_UNO1.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GA ... b55579.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zp ... b55579.cab
O16 - DPF: {A6B13EE4-A974-11D2-8DB7-00C04FB6E8F6} - http://www.rapidfax.com/mso_packet/acti ... 653274.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v ... b55579.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - http://zone.msn.com/binframework/v10/St ... b55579.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/defaul ... uncher.cab
O23 - Service: McAfee Application Installer Cleanup (0229661198942547) (0229661198942547mcinstcleanup) - - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9136 bytes

COMBOFIX LOG>>>>>

ComboFix 08-01-15.4 - Owner 2008-01-15 6:08:53.3 - NTFSx86

Running from: C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Desktop\CFScript.txt

FILE
C:\WINDOWS\system32\f9t.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\system32\f9t.dat

.
((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.

2008-01-15 06:06 . 2000-08-31 08:00 51,200 --a--c--- C:\WINDOWS\NirCmd.exe
2008-01-15 05:14 . 2007-12-29 08:43 262,144 --a--c--- C:\Program Files\Uninstall Spy Blocker.dll
2008-01-15 05:08 . 2008-01-15 05:08 111 --a--c--- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\FixServices.bat
2008-01-13 10:07 . 2008-01-13 10:07 <DIR> d----c--- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\Desktop Mechanic
2008-01-12 20:12 . 2003-07-24 04:56 <DIR> d----c--- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\WINDOWS
2008-01-12 20:12 . 2003-07-26 03:54 <DIR> d----c--- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\Symantec
2008-01-12 20:12 . 2003-07-24 04:35 <DIR> d----c--- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\Sonic
2008-01-12 20:12 . 2003-07-24 05:02 <DIR> d----c--- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\SampleView
2008-01-12 20:12 . 2003-07-26 03:57 <DIR> d----c--- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\interMute
2008-01-12 20:12 . 2004-12-21 12:40 497 --ah-c--- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\hpothb07.dat
2008-01-12 13:16 . 2003-07-24 04:56 <DIR> d----c--- C:\Documents and Settings\Guest\WINDOWS
2008-01-12 13:16 . 2003-07-26 03:54 <DIR> d----c--- C:\Documents and Settings\Guest\Application Data\Symantec
2008-01-12 13:16 . 2003-07-24 04:35 <DIR> d----c--- C:\Documents and Settings\Guest\Application Data\Sonic
2008-01-12 13:16 . 2003-07-24 05:02 <DIR> d----c--- C:\Documents and Settings\Guest\Application Data\SampleView
2008-01-12 13:16 . 2003-07-26 03:57 <DIR> d----c--- C:\Documents and Settings\Guest\Application Data\interMute
2008-01-12 13:16 . 2004-12-21 12:40 497 --ah-c--- C:\Documents and Settings\Guest\hpothb07.dat
2008-01-12 08:25 . 2008-01-12 08:25 <DIR> d----c--- C:\Documents and Settings\work only\.jmf
2008-01-12 07:53 . 2008-01-12 07:53 <DIR> d----c--- C:\WINDOWS\Data
2008-01-12 07:19 . 2008-01-12 07:19 <DIR> d----c--- C:\Documents and Settings\work only\Application Data\Motive
2008-01-12 07:00 . 2008-01-12 07:55 <DIR> d----c--- C:\Documents and Settings\work only\Application Data\Yahoo!
2008-01-12 06:36 . 2008-01-12 08:41 <DIR> d----c--- C:\Documents and Settings\work only\Spark
2008-01-12 06:33 . 2008-01-12 06:33 <DIR> d----c--- C:\Documents and Settings\work only\Application Data\Webroot
2008-01-12 06:33 . 2008-01-12 06:33 <DIR> d----c--- C:\Documents and Settings\work only\Application Data\ErrorSmart
2008-01-12 06:26 . 2003-07-24 04:56 <DIR> d----c--- C:\Documents and Settings\work only\WINDOWS
2008-01-12 06:26 . 2003-07-26 03:54 <DIR> d----c--- C:\Documents and Settings\work only\Application Data\Symantec
2008-01-12 06:26 . 2003-07-24 04:35 <DIR> d----c--- C:\Documents and Settings\work only\Application Data\Sonic
2008-01-12 06:26 . 2003-07-24 05:02 <DIR> d----c--- C:\Documents and Settings\work only\Application Data\SampleView
2008-01-12 06:26 . 2003-07-26 03:57 <DIR> d----c--- C:\Documents and Settings\work only\Application Data\interMute
2008-01-12 06:26 . 2004-12-21 12:40 497 --ah-c--- C:\Documents and Settings\work only\hpothb07.dat
2008-01-11 08:26 . 2008-01-11 08:26 <DIR> d----c--- C:\Program Files\Trend Micro
2008-01-11 08:23 . 2008-01-11 08:23 <DIR> d----c--- C:\KAV
2008-01-11 06:32 . 2008-01-11 06:32 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-11 06:31 . 2008-01-11 06:33 <DIR> d----c--- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\PrevxCSI
2008-01-05 17:12 . 2008-01-05 17:12 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn
2008-01-05 17:12 . 2008-01-05 17:12 1,409 --a--c--- C:\WINDOWS\QTFont.for
2007-12-29 10:44 . 2007-12-29 10:44 <DIR> d----c--- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-12-29 10:33 . 2007-12-29 10:33 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-29 08:38 . 2007-12-29 08:38 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-29 08:35 . 2007-12-29 08:35 4,212 ---h-c--- C:\WINDOWS\system32\zllictbl.dat
2007-12-29 08:29 . 2007-12-29 08:49 <DIR> d----c--- C:\WINDOWS\system32\ZoneLabs
2007-12-29 06:07 . 2007-12-29 06:07 <DIR> d----c--- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-12-29 06:07 . 2008-01-04 20:34 163,696 --a--c--- C:\WINDOWS\system32\drivers\ssidrv.sys
2007-12-29 06:07 . 2008-01-04 20:34 23,920 --a--c--- C:\WINDOWS\system32\drivers\sskbfd.sys
2007-12-29 06:07 . 2008-01-04 20:34 21,872 --a--c--- C:\WINDOWS\system32\drivers\sshrmd.sys
2007-12-29 06:07 . 2008-01-04 20:34 20,336 --a--c--- C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-12-29 06:06 . 2007-12-29 10:00 <DIR> d----c--- C:\Program Files\Webroot
2007-12-29 06:06 . 2007-12-29 06:06 <DIR> d----c--- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Webroot
2007-12-29 06:06 . 2007-12-29 09:52 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Webroot
2007-12-29 06:06 . 2008-01-04 20:56 1,526,640 --a--c--- C:\WINDOWS\WRSetup.dll
2007-12-29 06:05 . 2008-01-11 17:51 164 --a--c--- C:\install.dat
2007-12-27 09:32 . 2007-12-27 09:32 <DIR> d----c--- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Mattel
2007-12-27 09:31 . 2007-12-27 09:31 <DIR> d----c--- C:\Program Files\Mattel
2007-12-26 19:53 . 2007-12-26 19:54 <DIR> d--hsc--- C:\Documents and Settings\All Users\DRM
2007-12-26 19:47 . 2008-01-06 09:37 870,128 --a--c--- C:\WINDOWS\system32\mcs.rma
2007-12-26 19:47 . 2008-01-06 09:37 4 --a--c--- C:\WINDOWS\system32\A888B7
2007-12-26 19:45 . 2007-12-26 19:45 8,413 --a--c--- C:\WINDOWS\system32\drivers\mcstrm.sys
2007-12-26 19:41 . 2007-12-26 19:55 <DIR> d----c--- C:\Program Files\Rhapsody
2007-12-26 19:26 . 2007-12-26 19:26 <DIR> d----c--- C:\Program Files\SanDisk
2007-12-26 19:26 . 2007-12-26 19:27 <DIR> d----c--- C:\Program Files\Common Files\ArcSoft
2007-12-26 19:26 . 2004-05-04 11:53 1,645,320 --a--c--- C:\WINDOWS\system32\gdiplus.dll
2007-12-26 19:26 . 2005-06-21 10:29 245,408 --a--c--- C:\WINDOWS\system32\unicows.dll
2007-12-21 07:38 . 2007-12-21 07:38 <DIR> d----c--- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Stamps.com Internet Postage
2007-12-21 06:48 . 2007-12-21 06:48 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\{D9AA4D17-9292-410D-9AA5-84526D062900}
2007-12-21 06:47 . 2007-12-21 06:47 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\{E23E3BED-ADD9-4DF7-B375-5EC5E69FD666}
2007-12-21 06:47 . 2007-12-21 06:47 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}
2007-12-21 06:47 . 2007-12-21 06:47 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\{8737778F-82C6-4680-A660-E8B2B8C8C22B}
2007-12-21 06:46 . 2007-12-21 06:46 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\{AB89557A-DCAD-4657-A970-8F9A3EFFB34D}
2007-12-21 06:45 . 2007-12-21 06:45 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\{876C6265-922D-4EF3-A784-71D72FF033C0}
2007-12-21 06:44 . 2007-12-21 07:50 <DIR> d----c--- C:\Program Files\Stamps.com Internet Postage
2007-12-20 09:00 . 2007-12-20 09:00 <DIR> d----c--- C:\Program Files\Common Files\Deterministic Networks
2007-12-20 09:00 . 2004-01-26 15:01 268,872 --a--c--- C:\WINDOWS\system32\drivers\CVPNDRVA.sys
2007-12-17 13:00 . 2008-01-09 07:44 <DIR> d----c--- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\ErrorSmart
2007-12-17 12:59 . 2008-01-09 07:44 <DIR> d----c--- C:\Program Files\ErrorSmart
2007-12-17 12:05 . 2004-12-21 12:40 497 --ah-c--- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.000\hpothb07.dat
2007-12-17 10:56 . 2007-12-27 13:33 <DIR> d----c--- C:\Program Files\PC MightyMax 2007
2007-12-16 21:29 . 2007-12-17 06:40 <DIR> d----c--- C:\Program Files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 21:45 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-14 21:45 --------- dc----w C:\Program Files\Desktop Maestro
2008-01-14 11:02 --------- dc----w C:\Program Files\Yahoo!
2008-01-12 10:05 --------- dc----w C:\Program Files\Common Files\InstallShield
2008-01-12 09:23 --------- dc----w C:\Program Files\MalwareBot
2008-01-11 13:03 --------- dc----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-11 13:00 --------- dc----w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Yahoo!
2008-01-11 03:21 --------- dc----w C:\Program Files\Spark
2008-01-05 20:27 --------- dc----w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\ArcSoft
2007-12-27 14:31 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2007-12-18 11:50 --------- dc----w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\SiteAdvisor
2007-12-14 16:59 --------- dc----w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Desktop Mechanic
2007-12-11 14:49 --------- dc----w C:\Program Files\Windows Defender
2007-12-11 14:48 --------- dc----w C:\Program Files\iTunes
2007-12-10 11:51 --------- dc----w C:\Program Files\Rand McNally
2007-12-10 00:31 60,968 -c--a-w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\GoToAssistDownloadHelper.exe
2007-12-08 19:14 --------- dc----w C:\Program Files\Thinkwell
2007-12-06 13:54 --------- dc----w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Avaya
2007-12-06 12:40 --------- dc----w C:\Program Files\Cisco Systems
2007-12-05 23:01 --------- dc----w C:\Program Files\QuickTime
2007-12-05 18:14 --------- dc----w C:\Program Files\TryMedia
2007-12-03 19:13 --------- dc----w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\VonageTalk
2007-12-03 17:07 --------- dc----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-03 15:47 --------- dc----w C:\Program Files\iPod
2007-11-27 13:51 --------- dc----w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Image Zone Express
2007-11-27 11:05 --------- dc----w C:\Program Files\IObit
2007-11-25 21:30 --------- dc----w C:\Documents and Settings\All Users\Application Data\FunGames
2007-11-21 23:24 --------- dc----w C:\Program Files\McAfee
2007-11-16 22:02 --------- dc----w C:\Program Files\Windows Live Safety Center
2007-11-07 09:26 721,920 -c--a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 -c--a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 -c--a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 06:47 96,760 -c--a-w C:\WINDOWS\system32\dfshim.dll
2007-10-24 06:47 84,480 -c--a-w C:\WINDOWS\system32\mscories.dll
2007-10-24 06:47 282,112 -c--a-w C:\WINDOWS\system32\mscoree.dll
2007-10-24 06:47 158,720 -c--a-w C:\WINDOWS\system32\mscorier.dll
2007-10-20 18:20 177,496 -c--a-w C:\WINDOWS\system32\wdfproc.dll
2004-12-21 17:40 497 -c-ha-w C:\WINDOWS\system32\config\systemprofile\hpothb07.dat
2004-12-21 17:40 497 -c-ha-w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\hpothb07.dat
2004-12-21 17:40 497 -c-ha-w C:\Documents and Settings\Default User\hpothb07.dat
2004-12-21 17:40 497 -c-ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2004-12-21 17:40 497 -c-ha-w C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41\hpothb07.dat
2004-08-10 15:18 169 -c-ha-w C:\Documents and Settings\NetworkService\hpothb07.dat
2003-11-02 00:04 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
2006-06-10 12:43 56 -csh--r C:\WINDOWS\system32\4D5F065ECC.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-13_21.09.52.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 13:00:00 163,328 -c--a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
- 2008-01-14 01:28:12 786,432 -c--a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-15 11:06:58 786,432 -c--a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-14 01:28:12 552,960 -c--a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-15 11:06:58 552,960 -c--a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-14 01:28:12 782,336 -c--a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-15 11:06:58 782,336 -c--a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-14 01:28:12 552,960 -c--a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-15 11:06:58 552,960 -c--a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-14 01:28:13 8,433,664 -c--a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-15 11:06:59 8,708,096 -c--a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-14 01:28:14 708,608 -c--a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-15 11:07:00 708,608 -c--a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2007-11-21 00:04:14 218,496 -c--a-w C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
- 2007-12-03 17:07:40 48,749 -c--a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-01-14 11:01:50 74,137 -c--a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
- 2006-01-09 14:36:06 40,960 -c--a-w C:\WINDOWS\system32\swsc.exe
+ 2000-08-31 13:00:00 136,704 -c--a-w C:\WINDOWS\system32\swsc.exe
- 2006-12-01 10:20:32 79,360 -c--a-w C:\WINDOWS\system32\swxcacls.exe
+ 2000-08-31 13:00:00 212,480 -c--a-w C:\WINDOWS\system32\swxcacls.exe
+ 2008-01-15 10:22:58 16,384 -c--atw C:\WINDOWS\Temp\Perflib_Perfdata_c4c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"NVIEW"="rundll32.exe" [2004-08-04 02:56 33280 C:\WINDOWS\system32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 33280 C:\WINDOWS\system32\rundll32.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16 286720]
"CISCO"="C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Desktop\ESYLVAN\Remote_Workforce_profile\Remote_Workforce_Profile\DelayInst.exe" [2004-01-26 14:01 45126]
"LTMSG"="LTMSG.exe" [2003-07-14 09:52 40960 C:\WINDOWS\ltmsg.exe]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-03-11 16:37 936960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 23:42 212992]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-07-31 22:28 81920]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 08:03 155648]
"Webroot Desktop Firewall"="C:\Program Files\Webroot\Desktop Firewall\WDF.exe" [2007-10-20 13:20 1717592]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16 286720]

C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 09:11:14]

C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Start Menu\Programs\Startup\
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 09:11:14]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 09:11:14]

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 09:11:14]

C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 17:34:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 05:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Avaya IP Agent - English.lnk]
backup=C:\WINDOWS\pss\Avaya IP Agent - English.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner.YOUR-LK4RLMSU41.000^Start Menu^Programs^Startup^Compaq Organize.lnk]
backup=C:\WINDOWS\pss\Compaq Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner.YOUR-LK4RLMSU41.000^Start Menu^Programs^Startup^spamsubtract.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a--c--- 2007-03-09 10:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2007-10-10 18:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopMaestro]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\errorkiller]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorSmart]
--a--c--- 2007-10-25 15:11 18244856 C:\Program Files\ErrorSmart\ErrorSmart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2007-11-15 13:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MalwareBot]
--a--c--- 2007-02-19 14:38 8589312 C:\Program Files\MalwareBot\MalwareBot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a--c--- 2003-02-24 20:51 53248 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a--c--- 2003-02-05 21:38 143360 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a--c--- 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PGhist]
--a--c--- 2007-03-28 17:39 42584 C:\Program Files\Desktop Maestro\PgHist.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrivacyGuardianIndex]
--a--c--- 2006-10-30 13:57 38488 C:\Program Files\Desktop Maestro\PgIndex.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pwreset]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2007-10-19 20:16 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rainlendar2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spark]
--a--c--- 2007-11-14 12:52 434176 C:\Program Files\Spark\Spark.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a--c--- 2005-05-31 00:04 1415824 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2003-07-24 04:36 151597 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a--c--- 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"omniserv"=3 (0x3)
"usnjsvc"=3 (0x3)
"MpfService"=2 (0x2)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2008-01-05 23:35:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-15 11:00:00 C:\WINDOWS\Tasks\avast! Antivirus.job"
- C:\PROGRA~1\ALWILS~1\Avast4\ashAvast.exe
"2007-06-10 00:22:36 C:\WINDOWS\Tasks\ErrorKiller Scheduled Scan.job"
"2008-01-12 14:20:20 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.ex
- C:\Program Files\ErrorSmart
"2005-02-09 13:06:12 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1098932354.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2006-09-28 00:03:31 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1151330391.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-01-15 10:25:14 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-15 10:20:31 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
"2008-01-12 08:00:00 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 06:17:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
Completion time: 2008-01-15 6:20:14
ComboFix-quarantined-files.txt 2008-01-15 11:20:06
ComboFix2.txt 2008-01-14 02:51:13
ComboFix3.txt 2008-01-14 02:11:42
.
2008-01-12 14:21:55 --- E O F ---


FOLDER CONTENTS LOG

"I need some information from you. I want you to locate the folders below and have a look what it's inside them.
You can take notes in Notepad, and post them back here please."


FILE FOLDERS:

C:\WINDOWS\system32\A888B7

inside is>>>>> ðë¤r >>>>>>>


C:\Documents and Settings\All Users\Application Data\{E23E3BED-ADD9-4DF7-B375-5EC5E69FD666}

Inside is >>>>> instance.dat
mia.dll
oeabpstmp.dat
oeabpstmp.exe
oeabpstmp.msi
oeabpstmp.par
oeabpstmp.res
I believe this is my stamp online program, which I plan on canceling anyway,
so tell me if it will go away when deleted!!!


C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}

this is also the stamps.com folder

instance.dat
mia.dll
MSW2KPIMstmp.exe
MSW2KPIMstmp.msi
MSW2KPIMstmp.par
MSW2KPIMstmp.res
setup.bmp

C:\Documents and Settings\All Users\Application Data\{8737778F-82C6-4680-A660-E8B2B8C8C22B}

instance.dat
mia.dll
MSOPIMstmp.dat
MSOPIMstmp.exe
MSOPIMstmp.msi
MSOPIMstmp.par
MSOPIMstmp.res
setup.bmp

C:\Documents and Settings\All Users\Application Data\{AB89557A-DCAD-4657-A970-8F9A3EFFB34D}

HRMYstmp.dat
HRMYstmp.exe
HRMYstmp.msi
HRMYstmp.par
HRMYstmp.res
instance.dat
mia.dll

C:\Documents and Settings\All Users\Application Data\{876C6265-922D-4EF3-A784-71D72FF033C0}

instance.dat
mia.dll
setup.bmp
stamps.dat
stamps.exe
stamps.msi
stamps.par
stamps.res

C:\Documents and Settings\All Users\Application Data\TEMP

there are 5 folders in this 1 folder as follows:

name= TEMP c:\DOCUMENTS AND SETTINGS\ALLUSERS\APPLICATION DATA
FOLDER EMPTY WHEN CLICKED ON

NAME = DOWNLOADED TEMPLATES c:\DOCUMENTS AND SETTINGS\ALLUSERS\APPLICATION DATA\PHOTOSHOP ALBUM
FOLDER EMPTY WHEN CLICKED ON

NAME = TEMP c:\DOCUMENTS AND SETTINGS\ALLUSERS\APPLICATION DATA\MCAFEE\MPF
FOLDER EMPTY WHEN CLICKED ON
NAME = tempIpRules.xdb c:\DOCUMENTS AND SETTINGS\ALLUSERS\APPLICATION DATA\McAfee\MPF\data
windows window pops up saying cannot open this folder
NAME = item_templ c:\DOCUMENTS AND SETTINGS\ALLUSERS\APPLICATION DATA\GTEK\GTUPDATE\AUPDATE\CHANNELS\CH1\HTML
FOLDER IS EMPTY WHEN CLICKED ON>>>>ALL IN THE SEARCH OPTION IN START THEN SEARCH
crystalp
Active Member
 
Posts: 11
Joined: January 11th, 2008, 9:38 am

Re: please help..dont know what to do!!!!!!

Unread postby crystalp » January 15th, 2008, 10:00 am

Ok, a few more issues now. I have tried to go into Add/Remove Programs for my stamps.com program and it will not let me uninstall. Also, whenever I try and open a program the Windows Installer box keeps coming up. A window stays on my desktop that is empty, but it has information in the top part. It belongs to the process csrss.exe. How can I fix this also?
crystalp
Active Member
 
Posts: 11
Joined: January 11th, 2008, 9:38 am

Re: please help..dont know what to do!!!!!!

Unread postby chryssi2001 » January 16th, 2008, 2:02 am

Hi crystalp,

Leave the fix aside for a while. Try to remove mystamps.com in Safe Mode and let me know if it works and if that window still appears.

Safe Mode

Go in Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Go in Add/Remove programs and remove mystamps.com

Remove also:

McAfee

Additionally, I see you had Avast AV installed? Did you remove it after you installed SpySweeper AV+Firewall? If it is still on the PC, uninstall it too.
-----------------------------------------------
While in Safe mode please do this:

FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines (if still present).

O23 - Service: McAfee Application Installer Cleanup (0229661198942547) (0229661198942547mcinstcleanup) - - (no file)


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
-----------------------------------------------
Now I can't figure out what this is:

FILE FOLDERS:

C:\WINDOWS\system32\A888B7

inside is>>>>> ðë¤r >>>>>>>

I can't read ðë¤r. Can you? Or did you just copy and paste what you found in it?
-----------------------------------------------
Post back:
A new HijackThis log.
Information about ðë¤r, and tell me if stamps.com uninstalled and if you still get that hanging window.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
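The entry chryssi2001 asks to fix above is an O23 service line whose path position reads "(no file)": an orphaned service registration left behind after the binary was removed. When a HijackThis log is long, this kind of screening is easier to do with a small script. The following Python triage helper is an added example for this thread, not HijackThis' own code and not something from the original posts. It parses O4 (autostart) and O23 (service) lines of the shape shown in the logs above, flags orphaned "(no file)" services, services with no recorded company name, and binaries that run from a Temp directory. SAMPLE_LOG is constructed from the shapes of the posted lines; the "Example Updater" service in it is a made-up placeholder that exists only to exercise the Temp-path rule.

```python
"""Triage helper for HijackThis v2 log lines of type O4 (autostarts) and O23 (services).

Added example for this thread; it is not HijackThis' own code. SAMPLE_LOG is
constructed in the shape of the logs posted above, and the "Example Updater"
service is a made-up placeholder that only exists to exercise the Temp-path rule.
"""
import re
from typing import Dict, List, Optional, Tuple

# Line shapes HijackThis v2 emits:
#   O4 - HKLM\..\Run: [ValueName] C:\path\program.exe
#   O4 - Startup: Shortcut.lnk = C:\path\program.exe   (also "S-1-5-18 Startup:", ".DEFAULT Startup:")
#   O23 - Service: Display Name (ShortName) - Company - C:\path\service.exe
# A service whose binary is gone is printed with "(no file)" in the path position.
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK[^:]*?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?P<folder>[^:]*Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# Known limitation: a display name that itself contains " - " splits too early.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?)\s+-\s*(?P<company>.*?)\s*-\s+(?P<path>.*)$")

NO_FILE = "(no file)"


def parse_o23(line: str) -> Optional[Dict[str, str]]:
    """Split an O23 line into name / company / path, or None if it is not an O23 line."""
    m = O23_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Split an O4 line (Run-key value or Startup-folder shortcut) into its fields."""
    line = line.strip()
    m = O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # Startup-folder lines carry a trailing "(User 'x')" annotation that is not part of the path.
    fields["cmd"] = re.sub(r"\s*\(User '[^']*'\)$", "", fields["cmd"])
    return fields


def path_flags(path: str) -> List[str]:
    """Reasons a binary path deserves a second look during log review."""
    flags: List[str] = []
    low = path.strip().lower()
    if low.startswith(NO_FILE):
        flags.append("no file on disk: orphaned entry left behind by an uninstaller")
    elif "\\temp\\" in low:
        flags.append("runs from a Temp directory: unusual for a legitimate service or autostart")
    return flags


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every O4/O23 line that trips at least one rule."""
    findings: List[Tuple[str, List[str]]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        flags: List[str] = []
        svc = parse_o23(line)
        if svc:
            flags = path_flags(svc["path"])
            if svc["company"].strip() in ("", "Unknown owner"):
                flags.append("no company name recorded for the service binary")
        else:
            auto = parse_o4(line)
            if auto:
                flags = path_flags(auto["cmd"])
        if flags:
            findings.append((line, flags))
    return findings


# Constructed sample in the shape of the logs posted in this thread.
# The last O23 line is a made-up placeholder, not an entry from the poster's machine.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User '?')
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O23 - Service: McAfee Application Installer Cleanup (0229661198942547) (0229661198942547mcinstcleanup) - - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Example Updater (exampleupd) - Unknown owner - C:\WINDOWS\Temp\exampleupd.exe
"""


def main() -> None:
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)


if __name__ == "__main__":
    main()
```

Run it against a saved log by replacing SAMPLE_LOG with the file's contents; the rules are deliberately narrow (orphaned entry, missing company, Temp path) so that the output is a short list to look at by hand rather than a verdict, which matches how the helpers in this thread work through a log entry by entry.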

Re: please help..dont know what to do!!!!!!

Unread postby chryssi2001 » January 19th, 2008, 3:46 am

crystalp, are you still with me?
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: please help..dont know what to do!!!!!!

Unread postby crystalp » January 19th, 2008, 9:07 am

Yes, I am sorry, my daughter is sick. I will reply with the requested items by Sunday.

Thanks
Cryst :flower: al
crystalp
Active Member
 
Posts: 11
Joined: January 11th, 2008, 9:38 am

Re: please help..dont know what to do!!!!!!

Unread postby chryssi2001 » January 19th, 2008, 10:54 am

Ok, I hope she is better now. :)
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: please help..dont know what to do!!!!!!

Unread postby crystalp » January 21st, 2008, 6:36 am

Hi, sorry, I am back. Ok, a question: how can I get uninstalled programs off my computer when I removed them from Add/Remove Programs and I can still see them in my comp? I removed Avast a LONG time ago... also Smart Defrag is not set to autostart. I changed the settings after the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:34:25 AM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKCU\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [NVIEW] "rundll32.exe" nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CISCO] "C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Desktop\ESYLVAN\Remote_Workforce_profile\Remote_Workforce_Profile\DelayInst.exe" delay C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Desktop\ESYLVAN\Remote_Workforce_profile\Remote_Workforce_Profile\setup.exe
O4 - HKCU\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" (User '?')
O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [NVIEW] "rundll32.exe" nview.dll,nViewLoadHook (User '?')
O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup (User '?')
O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User '?')
O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [CISCO] "C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Desktop\ESYLVAN\Remote_Workforce_profile\Remote_Workforce_Profile\DelayInst.exe" delay C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Desktop\ESYLVAN\Remote_Workforce_profile\Remote_Workforce_Profile\setup.exe (User '?')
O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [LTMSG] LTMSG.exe 7 (User '?')
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User '?')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O15 - Trusted Zone: http://portal.coursecompass.com
O15 - Trusted Zone: http://www.coursecompass.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/St ... b55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - http://zone.msn.com/BinFrameWork/v10/ZB ... b55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZP ... b55579.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-U ... E_UNO1.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GA ... b55579.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zp ... b55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v ... b55579.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - http://zone.msn.com/binframework/v10/St ... b55579.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/defaul ... uncher.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8454 bytes
crystalp
Active Member
 
Posts: 11
Joined: January 11th, 2008, 9:38 am
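The volunteers in this thread read each HijackThis log by hand, line by line. The Python below is an added example for this page, not part of HijackThis and not the forum's own tooling: it parses the same log format (the "Running processes:" block and the R0/R1/O2/O4/O15/O16/O23 entry lines) into structured records and then lists a few starting points for a manual review. The sample log is constructed for the example in the format of the logs posted above; the Installer, Trusted Zone and O16 lines in it are made up, and the review heuristics (bare file names resolved through PATH, autostarts launched from a user profile or temp folder, sites added to the Trusted Zone) are the example's own triage prompts, not verdicts on any entry in this thread.

```python
"""Parse a HijackThis v2 log and list triage notes for a manual review.

Added example for this thread; not a HijackThis component. The sample log
is constructed in the thread's log format and the heuristics are starting
points for a human reviewer, not a verdict on any entry.
"""
import re
from dataclasses import dataclass, field

# "O4 - HKLM\..\Run: [name] command" -> kind "O4", body after " - "
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# HijackThis appends " (User 'xyz')" to per-user entries
USER_SUFFIX = r"(?: \(User '(?P<user>[^']*)'\))?$"
SUB_RES = {
    "O4": [  # registry Run entries, then Startup-folder shortcuts
        re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<command>.*?)" + USER_SUFFIX),
        re.compile(r"^(?P<key>.+?): (?P<name>.+?) = (?P<command>.*?)" + USER_SUFFIX),
    ],
    "O23": [re.compile(r"^Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - "
                       r"(?P<company>.+?) - (?P<path>.+)$")],
    "O16": [re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>[^)]+)\))? - (?P<url>\S+)$")],
    "O15": [re.compile(r"^Trusted Zone: (?P<url>\S+)$")],
}
# Folders from which a persistent autostart deserves a second look (heuristic)
PROFILE_DIRS = ("\\documents and settings\\", "\\temp\\", "\\local settings\\", "\\application data\\")


@dataclass
class Entry:
    kind: str
    raw: str
    fields: dict = field(default_factory=dict)


@dataclass
class HjtLog:
    processes: list = field(default_factory=list)
    entries: list = field(default_factory=list)


def parse_log(text: str) -> HjtLog:
    """Split a log into the running-process list and typed entry lines."""
    log, in_procs = HjtLog(), False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:  # the process block ends at the first blank line
            if line:
                log.processes.append(line)
            else:
                in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body, fields = m.group("kind"), m.group("body"), {}
        for rx in SUB_RES.get(kind, []):
            sm = rx.match(body)
            if sm:
                fields = {k: v for k, v in sm.groupdict().items() if v is not None}
                break
        log.entries.append(Entry(kind, line, fields))
    return log


def executable_of(command: str) -> str:
    """Return the program part of an O4 command; quoted paths may contain spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(?i)(.*?\.exe)\b", command)  # unquoted path up to the first .exe
    return m.group(1) if m else (command.split()[0] if command else "")


def review(log: HjtLog) -> list:
    """Return (kind, name, note) triples: prompts for the human reviewer."""
    running_paths = {p.lower() for p in log.processes}
    running_names = {p.lower().rsplit("\\", 1)[-1] for p in log.processes}
    notes = []
    for e in log.entries:
        f = e.fields
        if e.kind == "O4" and "command" in f:
            exe = executable_of(f["command"]).lower()
            base = exe.rsplit("\\", 1)[-1]
            is_running = exe in running_paths or ("\\" not in exe and base in running_names)
            state = "currently running" if is_running else "not running"
            if "\\" not in exe:
                notes.append((e.kind, f["name"], f"bare file name resolved through PATH ({state}); "
                              "locate the file and check its publisher before judging it"))
            elif any(d in exe for d in PROFILE_DIRS):
                notes.append((e.kind, f["name"], f"autostart from a user profile or temp folder ({state}); "
                              "confirm the user expects it"))
        elif e.kind == "O15" and "url" in f:
            notes.append((e.kind, f["url"], "site in the Trusted Zone runs with relaxed IE security; "
                          "confirm the user added it"))
    return notes


# Constructed sample in the thread's log format (paths and the Installer, O15
# and O16 lines are made up for the example).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\LTMSG.exe

O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKCU\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKCU\..\Run: [Installer] "C:\Documents and Settings\Owner\Local Settings\Temp\example_installer.exe" delay
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O15 - Trusted Zone: http://www.example.com
O16 - DPF: {00000000-0000-0000-0000-000000000001} (Constructed Object) - http://example.invalid/placeholder.cab
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
"""

if __name__ == "__main__":
    for kind, name, note in review(parse_log(SAMPLE_LOG)):
        print(f"{kind} [{name}]: {note}")
```

The cross-check against the "Running processes:" block is the one thing a reviewer cannot do by eye across a long log: it tells you whether an autostart entry is actually alive at scan time (the user above says Smart Defrag is not set to autostart, yet it appears in both lists). Everything the script flags still has to be confirmed by locating the file and checking its publisher; the notes are prompts, not findings.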
Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware