Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

please help..dont know what to do!!!!!!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: please help..dont know what to do!!!!!!

Unread postby crystalp » January 21st, 2008, 6:38 am

Post back:
A new HijackThis log.
Information about ðë¤r , and tell me if stamps.com uninstalled and if you still get that hanging window.


I have no idea what "ðë¤r" is i just copy and pasted what was there. to me it looks like the word "dear", but no idea and i was able to uninstall stamps, and i think i fixed the windows installer issue to, i think...
crystalp
Active Member
 
Posts: 11
Joined: January 11th, 2008, 9:38 am
Advertisement
Register to Remove

Re: please help..dont know what to do!!!!!!

Unread postby chryssi2001 » January 21st, 2008, 9:29 am

Hello crystalp,

how can I get unistalled programs off my computer when i removed them from the add/remove programs and I can still see them in my comp? i removed Avast a LONG time ago...also smart defrag is not set to autostart. i changed settings after log.

Where do you see the programs, if they are not in Add/Remove?
If you go to C:\Program Files you will find a folder with the name of the program you uninstalled. You have to delete that too.

Can you give me the location and the program name please?
------------------------------------------------
Upload a File to Jotti
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:
C:\WINDOWS\system32\A888B7

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.
------------------------------------------------
COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    C:\Program Files\Uninstall Spy Blocker.dll
    C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\FixServices.bat
    C:\WINDOWS\Tasks\avast! Antivirus.job
    C:\WINDOWS\Tasks\XoftSpySE.job

    Folder::
    C:\Documents and Settings\All Users\Application Data\{E23E3BED-ADD9-4DF7-B375-5EC5E69FD666}
    C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}
    C:\Documents and Settings\All Users\Application Data\{8737778F-82C6-4680-A660-E8B2B8C8C22B}
    C:\Documents and Settings\All Users\Application Data\{AB89557A-DCAD-4657-A970-8F9A3EFFB34D}
    C:\Documents and Settings\All Users\Application Data\{876C6265-922D-4EF3-A784-71D72FF033C0}
    C:\PROGRAM FILES\ALWILSOFTWARE
    C:\DOCUMENTS AND SETTINGS\ALLUSERS\APPLICATION DATA\MCAFEE

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MalwareBot]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
------------------------------------------------
Post back:
Jotti Results
Combofix report
A new HijackThis log
Information about the uninstalled programs you see, if still there.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: please help..dont know what to do!!!!!!

Unread postby crystalp » January 23rd, 2008, 6:19 am

i tried copying and pasting the notepad info into combofix and the program starts, but then i get an error stating that the cf script is spelled wrong, i checked all the spelling and found nothing, so below is just a reg combofix log

combofix

ComboFix 08-01-15.4 - Owner 2008-01-22 21:02:46.6 - NTFSx86

Running from: C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.

2008-01-22 19:09 . 2008-01-22 19:09 <DIR> d----c--- C:\Documents and Settings\LocalService\Application Data\PeerNetworking
2008-01-21 06:18 . 2008-01-21 06:18 3,145,782 --a--c--- C:\WINDOWS\CrawlerWallpaper.bmp
2008-01-20 17:49 . 2008-01-20 17:50 <DIR> d----c--- C:\Program Files\LimeWire
2008-01-17 08:08 . 2008-01-17 08:08 <DIR> d----c--- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\TaxCut
2008-01-17 08:08 . 2008-01-17 08:08 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\pdf995
2008-01-17 08:08 . 2008-01-17 08:08 249,856 --a--c--- C:\WINDOWS\system32\pdfmona.dll
2008-01-17 08:08 . 2008-01-17 08:08 51,716 --a--c--- C:\WINDOWS\system32\pdf995mon.dll
2008-01-17 08:08 . 2007-08-24 11:13 142 --a--c--- C:\WINDOWS\wpd99.drv
2008-01-17 08:06 . 2008-01-17 08:25 <DIR> d----c--- C:\Program Files\TaxCut07
2008-01-17 08:06 . 2008-01-17 08:08 <DIR> d----c--- C:\Program Files\PDF995
2008-01-17 08:00 . 2008-01-17 08:00 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\TaxCut
2008-01-17 07:59 . 2008-01-17 07:59 <DIR> d--hsc--- C:\WINDOWS\ftpcache
2008-01-16 16:35 . 2008-01-16 16:35 <DIR> d----c--- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\VSRevoGroup
2008-01-16 16:34 . 2008-01-16 16:34 <DIR> d----c--- C:\Program Files\VS Revo Group
2008-01-15 21:02 . 2008-01-17 06:21 <DIR> d----c--- C:\Program Files\Mozilla Thunderbird
2008-01-15 20:24 . 2008-01-15 20:24 <DIR> d----c--- C:\Program Files\Opera
2008-01-15 06:32 . 2008-01-15 06:32 36 --ah-c--- C:\WINDOWS\system32\f9t.dat
2008-01-15 06:06 . 2000-08-31 08:00 51,200 --a--c--- C:\WINDOWS\NirCmd.exe
2008-01-15 05:08 . 2008-01-15 05:08 111 --a--c--- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\FixServices.bat
2008-01-13 10:07 . 2008-01-13 10:07 <DIR> d----c--- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\Desktop Mechanic
2008-01-12 20:12 . 2003-07-24 04:56 <DIR> d----c--- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\WINDOWS
2008-01-12 20:12 . 2003-07-26 03:54 <DIR> d----c--- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\Symantec
2008-01-12 20:12 . 2003-07-24 04:35 <DIR> d----c--- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\Sonic
2008-01-12 20:12 . 2003-07-24 05:02 <DIR> d----c--- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\SampleView
2008-01-12 20:12 . 2003-07-26 03:57 <DIR> d----c--- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\interMute
2008-01-12 20:12 . 2004-12-21 12:40 497 --ah-c--- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\hpothb07.dat
2008-01-12 13:16 . 2003-07-24 04:56 <DIR> d----c--- C:\Documents and Settings\Guest\WINDOWS
2008-01-12 13:16 . 2003-07-26 03:54 <DIR> d----c--- C:\Documents and Settings\Guest\Application Data\Symantec
2008-01-12 13:16 . 2003-07-24 04:35 <DIR> d----c--- C:\Documents and Settings\Guest\Application Data\Sonic
2008-01-12 13:16 . 2003-07-24 05:02 <DIR> d----c--- C:\Documents and Settings\Guest\Application Data\SampleView
2008-01-12 13:16 . 2003-07-26 03:57 <DIR> d----c--- C:\Documents and Settings\Guest\Application Data\interMute
2008-01-12 13:16 . 2004-12-21 12:40 497 --ah-c--- C:\Documents and Settings\Guest\hpothb07.dat
2008-01-12 07:53 . 2008-01-12 07:53 <DIR> d----c--- C:\WINDOWS\Data
2008-01-11 08:26 . 2008-01-11 08:26 <DIR> d----c--- C:\Program Files\Trend Micro
2008-01-11 08:23 . 2008-01-11 08:23 <DIR> d----c--- C:\KAV
2008-01-11 06:32 . 2008-01-11 06:32 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-11 06:31 . 2008-01-11 06:33 <DIR> d----c--- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\PrevxCSI
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a--c--- C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a--c--- C:\WINDOWS\system32\QuickTime.qts
2007-12-29 10:44 . 2007-12-29 10:44 <DIR> d----c--- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-12-29 10:33 . 2007-12-29 10:33 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-29 08:38 . 2007-12-29 08:38 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-29 08:35 . 2007-12-29 08:35 4,212 ---h-c--- C:\WINDOWS\system32\zllictbl.dat
2007-12-29 08:29 . 2007-12-29 08:49 <DIR> d----c--- C:\WINDOWS\system32\ZoneLabs
2007-12-29 06:07 . 2007-12-29 06:07 <DIR> d----c--- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-12-29 06:07 . 2008-01-04 20:34 163,696 --a--c--- C:\WINDOWS\system32\drivers\ssidrv.sys
2007-12-29 06:07 . 2008-01-04 20:34 23,920 --a--c--- C:\WINDOWS\system32\drivers\sskbfd.sys
2007-12-29 06:07 . 2008-01-04 20:34 21,872 --a--c--- C:\WINDOWS\system32\drivers\sshrmd.sys
2007-12-29 06:07 . 2008-01-04 20:34 20,336 --a--c--- C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-12-29 06:06 . 2007-12-29 10:00 <DIR> d----c--- C:\Program Files\Webroot
2007-12-29 06:06 . 2007-12-29 06:06 <DIR> d----c--- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Webroot
2007-12-29 06:06 . 2007-12-29 09:52 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Webroot
2007-12-29 06:06 . 2008-01-04 20:56 1,526,640 --a--c--- C:\WINDOWS\WRSetup.dll
2007-12-29 06:05 . 2008-01-11 17:51 164 --a--c--- C:\install.dat
2007-12-27 09:32 . 2007-12-27 09:32 <DIR> d----c--- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Mattel
2007-12-27 09:31 . 2007-12-27 09:31 <DIR> d----c--- C:\Program Files\Mattel
2007-12-26 19:53 . 2007-12-26 19:54 <DIR> d--hsc--- C:\Documents and Settings\All Users\DRM
2007-12-26 19:47 . 2008-01-06 09:37 870,128 --a--c--- C:\WINDOWS\system32\mcs.rma
2007-12-26 19:47 . 2008-01-06 09:37 4 --a--c--- C:\WINDOWS\system32\A888B7
2007-12-26 19:45 . 2007-12-26 19:45 8,413 --a--c--- C:\WINDOWS\system32\drivers\mcstrm.sys
2007-12-26 19:41 . 2007-12-26 19:55 <DIR> d----c--- C:\Program Files\Rhapsody
2007-12-26 19:26 . 2007-12-26 19:26 <DIR> d----c--- C:\Program Files\SanDisk
2007-12-26 19:26 . 2007-12-26 19:27 <DIR> d----c--- C:\Program Files\Common Files\ArcSoft
2007-12-26 19:26 . 2004-05-04 11:53 1,645,320 --a--c--- C:\WINDOWS\system32\gdiplus.dll
2007-12-26 19:26 . 2005-06-21 10:29 245,408 --a--c--- C:\WINDOWS\system32\unicows.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 00:14 --------- dc----w C:\Program Files\Desktop Maestro
2008-01-23 00:13 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-21 14:12 --------- dc----w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\LimeWire
2008-01-21 10:25 --------- dc----w C:\Program Files\IObit
2008-01-18 12:53 --------- dc----w C:\Program Files\Paint.NET
2008-01-17 11:26 --------- dc----w C:\Program Files\QuickTime
2008-01-16 11:54 --------- dc----w C:\Program Files\MalwareBot
2008-01-15 14:23 --------- dc----w C:\Program Files\MSECache
2008-01-14 11:02 --------- dc----w C:\Program Files\Yahoo!
2008-01-12 10:05 --------- dc----w C:\Program Files\Common Files\InstallShield
2008-01-11 13:03 --------- dc----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-11 13:00 --------- dc----w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Yahoo!
2008-01-11 03:21 --------- dc----w C:\Program Files\Spark
2008-01-09 12:44 --------- dc----w C:\Program Files\ErrorSmart
2008-01-09 12:44 --------- dc----w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\ErrorSmart
2008-01-05 20:27 --------- dc----w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\ArcSoft
2007-12-27 14:31 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2007-12-21 12:38 --------- dc----w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Stamps.com Internet Postage
2007-12-20 14:00 --------- dc----w C:\Program Files\Common Files\Deterministic Networks
2007-12-18 11:50 --------- dc----w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\SiteAdvisor
2007-12-17 11:40 --------- dc----w C:\Program Files\Microsoft Silverlight
2007-12-14 16:59 --------- dc----w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Desktop Mechanic
2007-12-11 14:49 --------- dc----w C:\Program Files\Windows Defender
2007-12-11 14:48 --------- dc----w C:\Program Files\iTunes
2007-12-10 11:51 --------- dc----w C:\Program Files\Rand McNally
2007-12-10 00:31 60,968 -c--a-w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\GoToAssistDownloadHelper.exe
2007-12-08 19:14 --------- dc----w C:\Program Files\Thinkwell
2007-12-06 13:54 --------- dc----w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Avaya
2007-12-06 12:40 --------- dc----w C:\Program Files\Cisco Systems
2007-12-05 18:14 --------- dc----w C:\Program Files\TryMedia
2007-12-03 19:13 --------- dc----w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\VonageTalk
2007-12-03 17:07 --------- dc----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-03 15:47 --------- dc----w C:\Program Files\iPod
2007-11-27 13:51 --------- dc----w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Image Zone Express
2007-11-25 21:30 --------- dc----w C:\Documents and Settings\All Users\Application Data\FunGames
2007-11-07 09:26 721,920 -c--a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 -c--a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 -c--a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 06:47 96,760 -c--a-w C:\WINDOWS\system32\dfshim.dll
2007-10-24 06:47 84,480 -c--a-w C:\WINDOWS\system32\mscories.dll
2007-10-24 06:47 282,112 -c--a-w C:\WINDOWS\system32\mscoree.dll
2007-10-24 06:47 158,720 -c--a-w C:\WINDOWS\system32\mscorier.dll
2004-12-21 17:40 497 -c-ha-w C:\WINDOWS\system32\config\systemprofile\hpothb07.dat
2004-12-21 17:40 497 -c-ha-w C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\hpothb07.dat
2004-12-21 17:40 497 -c-ha-w C:\Documents and Settings\Default User\hpothb07.dat
2004-12-21 17:40 497 -c-ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2004-12-21 17:40 497 -c-ha-w C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41\hpothb07.dat
2004-12-21 17:40 497 -c-ha-w C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.000\hpothb07.dat
2004-08-10 15:18 169 -c-ha-w C:\Documents and Settings\NetworkService\hpothb07.dat
2003-11-02 00:04 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
2006-06-10 12:43 56 -csh--r C:\WINDOWS\system32\4D5F065ECC.sys
.

((((((((((((((((((((((((((((( snapshot_2008-01-21_18.56.00.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-16 01:23:02 110,592 -c--a-r C:\WINDOWS\Installer\{66268879-215C-4D5B-B197-1D9868339BAD}\Icon.exe
+ 2008-01-23 00:50:37 110,592 -c--a-r C:\WINDOWS\Installer\{66268879-215C-4D5B-B197-1D9868339BAD}\Icon.exe
+ 2008-01-23 00:21:06 16,384 -c--atw C:\WINDOWS\Temp\Perflib_Perfdata_2a8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 23:42 212992]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-07-31 22:28 81920]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 08:03 155648]
"Webroot Desktop Firewall"="C:\Program Files\Webroot\Desktop Firewall\WDF.exe" [2007-10-20 13:20 1717592]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]
"ErrorSmart"="C:\Program Files\ErrorSmart\ErrorSmart.exe" [2007-10-25 15:11 18244856]

C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Start Menu\Programs\Startup\
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 09:11:14]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 09:11:14]

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 09:11:14]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 05:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Avaya IP Agent - English.lnk]
backup=C:\WINDOWS\pss\Avaya IP Agent - English.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner.YOUR-LK4RLMSU41.000^Start Menu^Programs^Startup^Compaq Organize.lnk]
backup=C:\WINDOWS\pss\Compaq Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner.YOUR-LK4RLMSU41.000^Start Menu^Programs^Startup^spamsubtract.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a--c--- 2007-03-09 10:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2007-10-10 18:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopMaestro]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\errorkiller]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorSmart]
--a--c--- 2007-10-25 15:11 18244856 C:\Program Files\ErrorSmart\ErrorSmart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2007-11-15 13:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MalwareBot]
--a--c--- 2007-02-19 14:38 8589312 C:\Program Files\MalwareBot\MalwareBot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a--c--- 2003-02-24 20:51 53248 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a--c--- 2003-02-05 21:38 143360 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a--c--- 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PGhist]
--a--c--- 2007-03-28 17:39 42584 C:\Program Files\Desktop Maestro\PgHist.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrivacyGuardianIndex]
--a--c--- 2006-10-30 13:57 38488 C:\Program Files\Desktop Maestro\PgIndex.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pwreset]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2008-01-10 15:27 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rainlendar2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spark]
--a--c--- 2007-11-14 12:52 434176 C:\Program Files\Spark\Spark.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a--c--- 2005-05-31 00:04 1415824 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2003-07-24 04:36 151597 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a--c--- 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"omniserv"=3 (0x3)
"usnjsvc"=3 (0x3)
"MpfService"=2 (0x2)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2008-01-05 23:35:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-21 11:00:00 C:\WINDOWS\Tasks\avast! Antivirus.job"
- C:\PROGRA~1\ALWILS~1\Avast4\ashAvast.exe
"2007-06-10 00:22:36 C:\WINDOWS\Tasks\ErrorKiller Scheduled Scan.job"
"2008-01-21 08:30:00 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.ex
- C:\Program Files\ErrorSmart
"2005-02-09 13:06:12 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1098932354.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2006-09-28 00:03:31 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1151330391.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-01-21 07:08:02 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-21 10:25:29 C:\WINDOWS\Tasks\SmartDefrag.job"
- C:\Program Files\IObit\IObit SmartDefrag\schedule.exe
"2008-01-22 17:28:43 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
"2008-01-19 08:00:00 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-22 21:11:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
Completion time: 2008-01-22 21:16:35
ComboFix-quarantined-files.txt 2008-01-23 02:16:24
ComboFix2.txt 2008-01-21 23:57:48
ComboFix3.txt 2008-01-15 16:58:30
ComboFix4.txt 2008-01-15 11:20:16
ComboFix5.txt 2008-01-14 02:51:13
.
2008-01-18 08:37:50 --- E O F ---
Jotti log
Service load: 0% 100%

File: A888B7
Status: OK
MD5: 7889a9bb1c179e155e6648b90ef56c8c
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 21 Jan 2008 23:26:30 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:18:54 AM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [ErrorSmart] C:\Program Files\ErrorSmart\ErrorSmart.exe
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O15 - Trusted Zone: http://portal.coursecompass.com
O15 - Trusted Zone: http://www.coursecompass.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/St ... b55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - http://zone.msn.com/BinFrameWork/v10/ZB ... b55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZP ... b55579.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-U ... E_UNO1.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GA ... b55579.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zp ... b55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v ... b55579.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - http://zone.msn.com/binframework/v10/St ... b55579.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/defaul ... uncher.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5933 bytes
crystalp
Active Member
 
Posts: 11
Joined: January 11th, 2008, 9:38 am

Re: please help..dont know what to do!!!!!!

Unread postby chryssi2001 » January 23rd, 2008, 3:17 pm

Hello crystalp,

Please do not install and new programs while we try to clean this pc.
Some infection is back and I see LimeWire.
Read my post below about LimeWire, and re-consider if you are going to use such a program.
------------------------------------------------
P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

LimeWire

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

If you choose not to remove them, please do not use them until this computer is clean.
------------------------------------------------
Make be sure your SpySweeper Anti-Spyware is disabled, and your are not running any other programs or you are connected to the Internet when you run Combofix again.
------------------------------------------------
Let's give it another try. It seems when you copy/pasted my quoted fix in Notepad, you didn't save it as described below.
Please try to follow exactly my instructions, as you did them right the first time.

Give special attention to this part in my fix below please:
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop

------------------------------------------------
COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    C:\WINDOWS\system32\f9t.dat
    C:\WINDOWS\Tasks\avast! Antivirus.job
    C:\WINDOWS\Tasks\XoftSpySE.job

    Folder::
    C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Stamps.com Internet Postage
    C:\WINDOWS\Installer\{66268879-215C-4D5B-B197-1D9868339BAD}
    C:\PROGRAM FILES\ALWILSOFTWARE

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MalwareBot]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
------------------------------------------------
Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.
------------------------------------------------
Post back:
A new Combofix report.
Malwarebytes' Anti-Malware report.
A new HijackThis log.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: please help..dont know what to do!!!!!!

Unread postby crystalp » January 24th, 2008, 9:17 am

ok, i have tried over and over to save the file in ALLFILES but it automaticall saves as text file. dont know what to do, but here is the malware log and a deckards sytem scanner w/ hijackthis included log

Deckard's System Scanner v20071014.68
Run by Owner on 2008-01-24 07:43:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; unknown error code 0x00000001


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:45:48 AM, on 1/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Webroot\Desktop Firewall\WDF.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://portal.coursecompass.com
O15 - Trusted Zone: http://www.coursecompass.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/St ... b55579.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - http://zone.msn.com/BinFrameWork/v10/ZB ... b55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZP ... b55579.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-U ... E_UNO1.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GA ... b55579.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zp ... b55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v ... b55579.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - http://zone.msn.com/binframework/v10/St ... b55579.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/defaul ... uncher.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6737 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080115-052802-339 O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
backup-20080115-052802-432 O3 - Toolbar: The emlkdvo - {A972081B-E5FE-45E4-BE29-856D23403C4F} - (no file)
backup-20080115-052802-517 O15 - Trusted Zone: http://us.mcafee.com
backup-20080115-052802-652 O3 - Toolbar: (no name) - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - (no file)
backup-20080115-052802-827 O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
backup-20080115-052802-987 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20080115-052803-577 O23 - Service: McAfee Application Installer Cleanup (0229661198942547) (0229661198942547mcinstcleanup) - - (no file)
backup-20080115-052803-900 O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
backup-20080116-065140-481 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
backup-20080116-065140-535 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
backup-20080116-065140-576 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
backup-20080116-065142-540 O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
backup-20080116-065142-919 O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWe ... taller.CAB
backup-20080116-065143-405 O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
backup-20080116-065143-723 O16 - DPF: {A6B13EE4-A974-11D2-8DB7-00C04FB6E8F6} - http://www.rapidfax.com/mso_packet/acti ... 653274.cab
backup-20080122-210523-451 O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup (User '?')
backup-20080122-210523-638 O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [LTMSG] LTMSG.exe 7 (User '?')
backup-20080122-210523-661 O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [CISCO] "C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Desktop\ESYLVAN\Remote_Workforce_profile\Remote_Workforce_Profile\DelayInst.exe" delay C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Desktop\ESYLVAN\Remote_Workforce_profile\Remote_Workforce_Profile\setup.exe (User '?')
backup-20080122-210523-672 O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [NVIEW] "rundll32.exe" nview.dll,nViewLoadHook (User '?')
backup-20080122-210523-817 O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" (User '?')
backup-20080122-210523-846 O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User '?')
backup-20080122-210523-905 O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User '?')

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-01-24 06:00:00 292 --a----c- C:\WINDOWS\Tasks\avast! Antivirus.job
2008-01-24 00:00:14 1504 --a----c- C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job
2008-01-23 07:51:45 264 --a----c- C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
2008-01-23 07:51:43 338 --a----c- C:\WINDOWS\Tasks\Uniblue SpyEraser.job
2008-01-21 05:25:29 346 --a----c- C:\WINDOWS\Tasks\SmartDefrag.job
2008-01-21 03:30:00 402 --a----c- C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
2008-01-21 02:08:02 330 --ah---c- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-01-19 03:00:00 362 --a----c- C:\WINDOWS\Tasks\XoftSpySE.job
2008-01-05 18:35:03 284 --a----c- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-06-09 19:22:36 0 --a----c- C:\WINDOWS\Tasks\ErrorKiller Scheduled Scan.job
2006-09-27 19:03:31 342 --a----c- C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1151330391.job
2005-02-09 08:06:12 342 --a----c- C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1098932354.job


-- Files created between 2007-12-24 and 2008-01-24 -----------------------------

2008-01-24 06:31:36 0 d------c- C:\WINDOWS\ERUNT
2008-01-24 06:06:43 0 dr-h---c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Recent
2008-01-23 22:04:34 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Malwarebytes
2008-01-23 22:04:33 0 d------c- C:\Program Files\Malwarebytes' Anti-Malware
2008-01-23 07:04:01 0 d------c- C:\Program Files\CCleaner
2008-01-23 05:42:04 0 d------c- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-01-23 05:42:02 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Uniblue
2008-01-23 05:41:53 0 d------c- C:\Program Files\Uniblue
2008-01-22 19:09:45 0 d------c- C:\Documents and Settings\LocalService\Application Data\PeerNetworking
2008-01-20 17:49:51 0 d------c- C:\Program Files\LimeWire
2008-01-17 08:08:52 0 d------c- C:\Documents and Settings\All Users\Application Data\pdf995
2008-01-17 08:08:50 249856 --a----c- C:\WINDOWS\system32\pdfmona.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-01-17 08:08:50 51716 --a----c- C:\WINDOWS\system32\pdf995mon.dll
2008-01-17 08:08:14 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\TaxCut
2008-01-17 08:06:10 0 d------c- C:\Program Files\TaxCut07
2008-01-17 08:06:10 0 d------c- C:\Program Files\PDF995
2008-01-17 08:00:19 0 d------c- C:\Documents and Settings\All Users\Application Data\TaxCut
2008-01-17 07:59:07 0 d--hs--c- C:\WINDOWS\ftpcache
2008-01-16 16:35:58 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\VSRevoGroup
2008-01-16 16:34:40 0 d------c- C:\Program Files\VS Revo Group
2008-01-15 21:02:26 0 d------c- C:\Program Files\Mozilla Thunderbird
2008-01-15 20:24:50 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Opera
2008-01-15 20:24:29 0 d------c- C:\Program Files\Opera
2008-01-15 06:32:02 36 --ah---c- C:\WINDOWS\system32\f9t.dat
2008-01-15 05:08:41 111 --a----c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\FixServices.bat
2008-01-13 10:07:23 0 d------c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\Desktop Mechanic
2008-01-12 20:12:35 497 --ah---c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\hpothb07.dat
2008-01-12 20:12:33 0 d------c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\WINDOWS
2008-01-12 20:12:33 0 d--h---c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Templates
2008-01-12 20:12:33 0 dr-----c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Start Menu
2008-01-12 20:12:33 0 dr-h---c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\SendTo
2008-01-12 20:12:33 0 d--h---c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Recent
2008-01-12 20:12:33 0 d--h---c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\PrintHood
2008-01-12 20:12:33 786432 --ah----- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\NTUSER.DAT
2008-01-12 20:12:33 0 d--h---c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\NetHood
2008-01-12 20:12:33 0 d------c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\My Documents
2008-01-12 20:12:33 0 d--h---c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Local Settings
2008-01-12 20:12:33 0 d------c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Favorites
2008-01-12 20:12:33 0 d------c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Desktop
2008-01-12 20:12:33 0 d--hs--c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Cookies
2008-01-12 20:12:33 0 dr-h---c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data
2008-01-12 20:12:33 0 d------c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\Symantec
2008-01-12 20:12:33 0 d------c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\Sonic
2008-01-12 20:12:33 0 d------c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\SampleView
2008-01-12 20:12:33 0 d------c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\Real
2008-01-12 20:12:33 0 d---s--c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\Microsoft
2008-01-12 20:12:33 0 d------c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\interMute
2008-01-12 20:12:33 0 d------c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\Identities
2008-01-12 13:16:07 497 --ah---c- C:\Documents and Settings\Guest\hpothb07.dat
2008-01-12 13:16:06 0 d------c- C:\Documents and Settings\Guest\WINDOWS
2008-01-12 13:16:06 0 d--h---c- C:\Documents and Settings\Guest\Templates
2008-01-12 13:16:06 0 dr-----c- C:\Documents and Settings\Guest\Start Menu
2008-01-12 13:16:06 0 dr-h---c- C:\Documents and Settings\Guest\SendTo
2008-01-12 13:16:06 0 dr-h---c- C:\Documents and Settings\Guest\Recent
2008-01-12 13:16:06 0 d--h---c- C:\Documents and Settings\Guest\PrintHood
2008-01-12 13:16:06 524288 --ah----- C:\Documents and Settings\Guest\NTUSER.DAT
2008-01-12 13:16:06 0 d--h---c- C:\Documents and Settings\Guest\NetHood
2008-01-12 13:16:06 0 dr-----c- C:\Documents and Settings\Guest\My Documents
2008-01-12 13:16:06 0 d--h---c- C:\Documents and Settings\Guest\Local Settings
2008-01-12 13:16:06 0 dr-----c- C:\Documents and Settings\Guest\Favorites
2008-01-12 13:16:06 0 d------c- C:\Documents and Settings\Guest\Desktop
2008-01-12 13:16:06 0 d--hs--c- C:\Documents and Settings\Guest\Cookies
2008-01-12 13:16:06 0 dr-h---c- C:\Documents and Settings\Guest\Application Data
2008-01-12 13:16:06 0 d------c- C:\Documents and Settings\Guest\Application Data\Symantec
2008-01-12 13:16:06 0 d------c- C:\Documents and Settings\Guest\Application Data\Sonic
2008-01-12 13:16:06 0 d------c- C:\Documents and Settings\Guest\Application Data\SampleView
2008-01-12 13:16:06 0 d------c- C:\Documents and Settings\Guest\Application Data\Real
2008-01-12 13:16:06 0 d---s--c- C:\Documents and Settings\Guest\Application Data\Microsoft
2008-01-12 13:16:06 0 d------c- C:\Documents and Settings\Guest\Application Data\interMute
2008-01-12 13:16:06 0 d------c- C:\Documents and Settings\Guest\Application Data\Identities
2008-01-12 07:53:11 0 d------c- C:\WINDOWS\Data
2008-01-12 07:35:20 0 d------c- C:\WINDOWS\system32\ar-sa
2008-01-12 07:35:19 0 d------c- C:\WINDOWS\system32\zh-cn
2008-01-12 07:35:19 0 d------c- C:\WINDOWS\system32\pt-br
2008-01-12 07:35:18 0 d------c- C:\WINDOWS\system32\zh-tw
2008-01-12 07:35:18 0 d------c- C:\WINDOWS\system32\cs-cz
2008-01-12 07:35:17 0 d------c- C:\WINDOWS\system32\da-dk
2008-01-12 07:35:16 0 d------c- C:\WINDOWS\system32\es-es
2008-01-12 07:35:16 0 d------c- C:\WINDOWS\system32\el-gr
2008-01-12 07:35:15 0 d------c- C:\WINDOWS\system32\fr-fr
2008-01-12 07:35:15 0 d------c- C:\WINDOWS\system32\fi-fi
2008-01-12 07:35:14 0 d------c- C:\WINDOWS\system32\de-de
2008-01-12 07:35:13 0 d------c- C:\WINDOWS\system32\hu-hu
2008-01-12 07:35:13 0 d------c- C:\WINDOWS\system32\he-il
2008-01-12 07:35:12 0 d------c- C:\WINDOWS\system32\ja-jp
2008-01-12 07:35:12 0 d------c- C:\WINDOWS\system32\it-it
2008-01-12 07:35:11 0 d------c- C:\WINDOWS\system32\ko-kr
2008-01-12 07:35:10 0 d------c- C:\WINDOWS\system32\nl-nl
2008-01-12 07:35:10 0 d------c- C:\WINDOWS\system32\nb-no
2008-01-12 07:35:09 0 d------c- C:\WINDOWS\system32\pt-pt
2008-01-12 07:35:09 0 d------c- C:\WINDOWS\system32\pl-pl
2008-01-12 07:35:08 0 d------c- C:\WINDOWS\system32\sv-se
2008-01-12 07:35:08 0 d------c- C:\WINDOWS\system32\ru-ru
2008-01-12 07:35:07 0 d------c- C:\WINDOWS\system32\tr-tr
2008-01-11 08:26:56 0 d------c- C:\Program Files\Trend Micro
2008-01-11 08:23:11 0 d------c- C:\KAV
2008-01-11 06:32:08 0 d------c- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-11 06:31:26 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\PrevxCSI
2007-12-29 10:44:30 0 d------c- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-12-29 10:33:03 0 d------c- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-29 08:38:42 0 d------c- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-29 08:35:30 4212 ---h---c- C:\WINDOWS\system32\zllictbl.dat
2007-12-29 08:29:00 0 d------c- C:\WINDOWS\system32\ZoneLabs
2007-12-29 06:07:33 0 d------c- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-12-29 06:06:20 0 d------c- C:\Program Files\Webroot
2007-12-29 06:06:20 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Webroot
2007-12-29 06:06:20 0 d------c- C:\Documents and Settings\All Users\Application Data\Webroot
2007-12-29 06:05:21 164 --a----c- C:\install.dat
2007-12-27 09:32:16 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Mattel
2007-12-27 09:31:15 0 d------c- C:\Program Files\Mattel
2007-12-26 19:53:32 0 d--hs--c- C:\Documents and Settings\All Users\DRM
2007-12-26 19:47:04 4 --a----c- C:\WINDOWS\system32\A888B7
2007-12-26 19:45:04 8413 --a----c- C:\WINDOWS\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
2007-12-26 19:41:54 0 d------c- C:\Program Files\Rhapsody
2007-12-26 19:26:48 0 d------c- C:\Program Files\Common Files\ArcSoft
2007-12-26 19:26:46 0 d------c- C:\Program Files\SanDisk


-- Find3M Report ---------------------------------------------------------------

2008-01-23 23:57:38 0 d------c- C:\Program Files\Common Files
2008-01-23 08:27:24 2084 --a----c- C:\WINDOWS\system32\tmp.reg
2008-01-23 07:41:52 0 d------c- C:\Program Files\Common Files\Scanner
2008-01-23 05:50:29 0 d------c- C:\Program Files\MalwareBot
2008-01-22 23:55:11 0 d------c- C:\Program Files\Spark
2008-01-22 19:14:52 0 d------c- C:\Program Files\Desktop Maestro
2008-01-21 09:12:47 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\LimeWire
2008-01-21 05:25:05 0 d------c- C:\Program Files\IObit
2008-01-18 07:53:45 0 d------c- C:\Program Files\Paint.NET
2008-01-17 16:15:00 333 --a----c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\AdobeDLM.log
2008-01-17 16:14:44 754 --a----c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\dm.ini
2008-01-17 06:26:41 0 d------c- C:\Program Files\QuickTime
2008-01-17 06:10:29 22037 --a----c- C:\WINDOWS\mozver.dat
2008-01-15 09:23:50 0 d------c- C:\Program Files\MSECache
2008-01-14 06:02:05 0 d------c- C:\Program Files\Yahoo!
2008-01-12 05:05:12 0 d------c- C:\Program Files\Common Files\InstallShield
2008-01-11 08:00:43 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Yahoo!
2008-01-09 07:44:23 0 d------c- C:\Program Files\ErrorSmart
2008-01-09 07:44:23 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\ErrorSmart
2008-01-05 15:27:59 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\ArcSoft
2007-12-27 09:31:57 0 d--h---c- C:\Program Files\InstallShield Installation Information
2007-12-26 19:44:02 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Real
2007-12-21 07:38:45 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Stamps.com Internet Postage
2007-12-20 09:02:14 8 --a----c- C:\WINDOWS\system32\success
2007-12-20 09:00:54 0 d------c- C:\Program Files\Common Files\Deterministic Networks
2007-12-18 06:50:22 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\SiteAdvisor
2007-12-17 06:40:57 0 d------c- C:\Program Files\Microsoft Silverlight
2007-12-14 11:59:48 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Desktop Mechanic
2007-12-11 09:49:47 0 d------c- C:\Program Files\Windows Defender
2007-12-11 09:48:53 0 d------c- C:\Program Files\iTunes
2007-12-10 06:51:25 0 d------c- C:\Program Files\Rand McNally
2007-12-10 06:40:56 509 --a----c- C:\WINDOWS\EReg077.dat
2007-12-08 14:14:40 0 d------c- C:\Program Files\Thinkwell
2007-12-06 08:54:18 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Avaya
2007-12-06 07:40:42 0 d------c- C:\Program Files\Cisco Systems
2007-12-05 13:14:26 0 d------c- C:\Program Files\TryMedia
2007-12-03 14:13:04 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\VonageTalk
2007-12-03 10:47:30 0 d------c- C:\Program Files\iPod
2007-11-27 08:51:41 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Image Zone Express


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 06:04 PM]
"KBD"="C:\HP\KBD\KBD.EXE" [02/11/2003 10:02 PM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [09/13/2002 11:42 PM]
"PS2"="C:\WINDOWS\system32\ps2.exe" [07/31/2002 10:28 PM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [11/02/2004 08:03 AM]
"Webroot Desktop Firewall"="C:\Program Files\Webroot\Desktop Firewall\WDF.exe" [10/20/2007 01:20 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/10/2008 03:27 PM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 08:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 02/21/2003 05:50 AM 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Avaya IP Agent - English.lnk]
backup=C:\WINDOWS\pss\Avaya IP Agent - English.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner.YOUR-LK4RLMSU41.000^Start Menu^Programs^Startup^Compaq Organize.lnk]
backup=C:\WINDOWS\pss\Compaq Organize.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner.YOUR-LK4RLMSU41.000^Start Menu^Programs^Startup^spamsubtract.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopMaestro]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\errorkiller]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorSmart]
"C:\Program Files\ErrorSmart\ErrorSmart.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MalwareBot]
C:\Program Files\MalwareBot\MalwareBot.exe -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PGhist]
"C:\Program Files\Desktop Maestro\PgHist.exe" WinguidesPG

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrivacyGuardianIndex]
"C:\Program Files\Desktop Maestro\PgIndex.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pwreset]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rainlendar2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spark]
C:\Program Files\Spark\Spark.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"omniserv"=3 (0x3)
"usnjsvc"=3 (0x3)
"MpfService"=2 (0x2)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
"WinDefend"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc




-- End of Deckard's System Scanner: finished at 2008-01-24 07:48:51 ------------

malware log

Malwarebytes' Anti-Malware version 1.00
Database version: 270

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 183583
Time elapsed: 1 hour(s), 41 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\MalwareBot\Quarantine\19-05-2007-22-11-36\13578.qit (Backdoor) -> Quarantined and deleted successfully.
crystalp
Active Member
 
Posts: 11
Joined: January 11th, 2008, 9:38 am

Re: please help..dont know what to do!!!!!!

Unread postby chryssi2001 » January 24th, 2008, 11:30 am

Hi crystalp,

ok, i have tried over and over to save the file in ALLFILES but it automaticall saves as text file.

I believe you are confused. :(

We need it to be saved as type: ALL FILES but you have to name it CFScript.txt yourself. TYPE IT!

After you copy my quoted previous fix in notepad, when you try to save it on your Desktop:

The Save As Box opens, at File name: Type CFScript.txt and at Save as type change it to All Files.

Then drag the file "CFScript.txt" which will be on your Desktop into Combofix.exe like it shows in my previous post.
Combofix will run then, and post back here the report.

Please give it another try. I am trying to avoid downloading additional tools to fix your pc, since we can do it with Combofix.
If you still can't make it, do not run another tool. Just let me know.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: please help..dont know what to do!!!!!!

Unread postby crystalp » January 24th, 2008, 12:22 pm

sorry, but i am not confused, i have entered the file name myself as cfscript.txt and other file names and all are still saved as text files even after i save it as ALL FILES in the box.

i go to save as, then type the file name, then click off ALL FILES instead of txt files and then hit save, and nothing works. :pale:
crystalp
Active Member
 
Posts: 11
Joined: January 11th, 2008, 9:38 am

Re: please help..dont know what to do!!!!!!

Unread postby chryssi2001 » January 24th, 2008, 2:53 pm

Hi crystalp,

Ok we'll do it another way. Probably the CFScript.txt file you created was not saved on your desktop.
-------------------------------------------
Download OTMoveIt by OldTimer to your Desktop.
  • Double click OTMoveIt.exe to launch it.
  • Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.
C:\WINDOWS\system32\f9t.dat
C:\WINDOWS\Tasks\avast! Antivirus.job
C:\WINDOWS\Tasks\XoftSpySE.job
C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Stamps.com Internet Postage
C:\WINDOWS\Installer\{66268879-215C-4D5B-B197-1D9868339BAD}
C:\PROGRAM FILES\ALWILSOFTWARE

  • Click the Move It button.
  • The list will be processed and the results will appear in the right hand pane.
  • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  • When finished click Exit to exit the program.
  • A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).
  • Post the log back here please.
-------------------------------------------
Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note:to restore your registry, go to the folder and start ERDNT.exe

Open Notepad!
Copy and Paste everything from the Quote box into Notepad:

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MalwareBot]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Go to File > Save As
Save File name as Fix.reg
Change Save as Type to All Files and save the file to your desktop.

Close Notepad, and double-click Fix.reg on your Desktop. When it asks if you want to merge the info to the registry, hit YES/OK. Reboot the computer.
-------------------------------------------
Post back:
OTMoveIt report.
Tell me if you had any problem with the registry fix.
A new HijackThis log.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: please help..dont know what to do!!!!!!

Unread postby chryssi2001 » January 28th, 2008, 2:05 pm

Hello crystalp,

Any problem following the last steps i posted?
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: please help..dont know what to do!!!!!!

Unread postby Vino Rosso » January 30th, 2008, 3:29 pm

This topic is now closed.

Note: If it has been five days or more since your last post and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

You can help support this site from this link: >Donations For Malware Removal<

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)
Advertisement
Register to Remove

Previous

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 313 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware