Extremly slow Computer
revorocks
England, East Sussex, Hove Member
Hi, my parents computer is really really slow, it never used to be this slow, its been defragged, regscanned etc yet is still slow.
It is a HP pavillion 763n
It has:
2.53ghz Pentium 4
512 ram
80gb HDD
ATI Radeon 9000
Windows xp home
for some reason i cannot install panda antivirus even with a fresh download. its just gives me an install error.
I have tried panda active scan and it found nothing.
here my hijack this log.
Thanks.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:18:03, on 05/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\VMSnap23.exe
C:\WINDOWS\Domino.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
c:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by RapidRank
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CDLPObj Object - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - C:\WINDOWS\DLP.dll
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [BigDogPath323VMSnap] C:\WINDOWS\VMSnap23.exe
O4 - HKLM\..\Run: [BigDogPath323Domino] C:\WINDOWS\Domino.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: ddrive.js (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxuk101YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.rapidrank.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Support/PestScanner/pestscan.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.putfile.com/includes/ImageUploader4-5.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
--
End of file - 8149 bytes
It is a HP pavillion 763n
It has:
2.53ghz Pentium 4
512 ram
80gb HDD
ATI Radeon 9000
Windows xp home
for some reason i cannot install panda antivirus even with a fresh download. its just gives me an install error.
I have tried panda active scan and it found nothing.
here my hijack this log.
Thanks.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:18:03, on 05/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\VMSnap23.exe
C:\WINDOWS\Domino.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
c:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by RapidRank
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CDLPObj Object - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - C:\WINDOWS\DLP.dll
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [BigDogPath323VMSnap] C:\WINDOWS\VMSnap23.exe
O4 - HKLM\..\Run: [BigDogPath323Domino] C:\WINDOWS\Domino.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: ddrive.js (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxuk101YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.rapidrank.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Support/PestScanner/pestscan.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.putfile.com/includes/ImageUploader4-5.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
--
End of file - 8149 bytes
0
Comments
my first suggestion is do not show your softwares' product key to the public, they can use your product key for their purposal, however
the computer being slow that mean there is some hidden process is running, you may hold ctrl-alt-del at the same time and find out what process is consuming more CPU than kill that trouble maker off .............. your computer will come back to normal
another way, you may need to repair / re-image your computer in order to make it running faster
I think that will help
That earlier log posted shows some rogue software installed there, so we'll need to start some repairs here. With CA's eTrust EZ Armor already installed you would not want to be adding another antivirus software like that Panda one you planned, and either CA or malware could have been blocking that move.
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.
Right click the CA shield icon in the Taskbar, and one by one open each of the security programs and do the following:
1. Click the Options button.
2. Uncheck "Real-time Scanner".
3. Click "Apply Changes".
To disable the CA Personal Firewall, again right click the CA Taskbar icon -> CA Personal Firewall -> select "Disable CA Personal Firewall".
To re-enable the CA Internet Security Suite programs once the repairs are completed just reverse the preceding steps.
Download ComboFix.exe from here to your desktop.
Then disable your net access, and click the downloaded file to run the repair.
When starting ComboFix will cause your computer's internal speakers to produce two beeps, and during the start process display two warnings. These are intended to discourage people who are not getting help in the forum from just experimenting with tools they do not understand. Just to inform you so you will understand that the procedures are expected, and okay.
ComboFix will also change the drive autoplay settings there as it's own added security measure. When we have completed all repairs here we will return the default Windows settings.
A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop, however given the infection there ComboFix will likely cause a reboot in order to complete it's repairs.
(ComboFix will also disable any screensaver settings made, so know that at some point when we complete repairs you will need to reset your screensaver)
Re-enable net access, and post back the C:\ComboFix.txt log as well as a new HijackThis log please.
here is the combo fix log
ComboFix 08-03-07.4 - Owner 2008-03-08 9:41:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.191 [GMT 0:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
!!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions
)))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\Downloaded Program Files\Quarantine
.
((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08
)))))))))))))))))))))))))))))))
.
2008-03-08 09:35 . 2004-08-04 05:31 154,624 --a--c---
C:\WINDOWS\system32\dllcache\wlluc48.sys
2008-03-08 09:35 . 2004-08-04 07:56 116,224 --a--c---
C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-03-08 09:35 . 2001-08-17 22:37 99,865 --a--c---
C:\WINDOWS\system32\dllcache\xlog.exe
2008-03-08 09:35 . 2001-08-17 12:12 34,890 --a--c---
C:\WINDOWS\system32\dllcache\wlandrv2.sys
2008-03-08 09:35 . 2001-08-17 22:37 27,648 --a--c---
C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-03-08 09:35 . 2001-08-17 22:36 23,040 --a--c---
C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-03-08 09:35 . 2001-08-17 22:36 17,408 --a--c---
C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-03-08 09:35 . 2001-08-17 12:11 16,970 --a--c---
C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-03-08 09:35 . 2004-08-04 06:07 8,832 --a--c---
C:\WINDOWS\system32\dllcache\wmiacpi.sys
2008-03-08 09:35 . 2004-08-04 07:56 8,192 --a--c---
C:\WINDOWS\system32\dllcache\wshirda.dll
2008-03-08 09:35 . 2001-08-17 22:37 4,608 --a--c---
C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-03-08 09:33 . 2001-08-17 22:36 525,568 --a--c---
C:\WINDOWS\system32\dllcache\tridxp.dll
2008-03-08 09:32 . 2001-08-17 14:56 252,032 --a--c---
C:\WINDOWS\system32\dllcache\sis300iv.dll
2008-03-08 09:31 . 2001-08-17 22:36 495,616 --a--c---
C:\WINDOWS\system32\dllcache\sblfx.dll
2008-03-08 09:30 . 2001-08-17 13:28 899,146 --a--c---
C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-03-08 09:29 . 2007-02-28 08:38 2,015,744 --a--c---
C:\WINDOWS\system32\dllcache\OLD437.tmp
2008-03-08 09:28 . 2001-08-17 12:50 320,384 --a--c---
C:\WINDOWS\system32\dllcache\mgaum.sys
2008-03-08 09:27 . 2001-08-17 13:28 802,683 --a--c---
C:\WINDOWS\system32\dllcache\ltsm.sys
2008-03-08 09:26 . 2001-08-17 22:36 372,824 --a--c---
C:\WINDOWS\system32\dllcache\iconf32.dll
2008-03-08 09:25 . 2001-08-17 14:56 1,733,120 --a--c---
C:\WINDOWS\system32\dllcache\g400d.dll
2008-03-08 09:24 . 2001-08-17 13:28 634,134 --a--c---
C:\WINDOWS\system32\dllcache\el656ct5.sys
2008-03-08 09:23 . 2001-08-17 12:14 952,007 --a--c---
C:\WINDOWS\system32\dllcache\diwan.sys
2008-03-08 09:22 . 2004-08-04 07:56 249,856 --a--c---
C:\WINDOWS\system32\dllcache\ctmasetp.dll
2008-03-08 09:21 . 2001-08-17 12:13 980,034 --a--c---
C:\WINDOWS\system32\dllcache\cicap.sys
2008-03-08 09:20 . 2001-08-18 12:00 187,938 --a--c---
C:\WINDOWS\system32\dllcache\c_20005.nls
2008-03-08 09:19 . 2001-08-17 13:28 871,388 --a--c---
C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-03-08 09:18 . 2001-08-17 13:28 762,780 --a--c---
C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-03-08 09:17 . 2008-03-08 09:34 <DIR> d
C:\WINDOWS\LastGood
2008-03-08 09:17 . 2007-02-28 09:08 2,136,064 --a--c---
C:\WINDOWS\system32\dllcache\OLD19.tmp
2008-03-08 09:17 . 2001-08-17 14:56 66,048 --a--c---
C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-03-07 23:05 . 2008-03-08 08:53 <DIR> d
C:\WINDOWS\SxsCaPendDel
2008-03-07 22:42 . 2008-03-07 22:42 <DIR> d
C:\Documents and
Settings\All Users\Application Data\Avg7
2008-03-07 22:05 . 2008-03-07 22:05 <DIR> d
C:\Program Files\CCleaner
2008-03-07 20:35 . 2008-03-07 20:33 691,545 --a
C:\WINDOWS\unins000.exe
2008-03-07 20:35 . 2008-03-07 20:35 2,550 --a
C:\WINDOWS\unins000.dat
2008-03-07 20:31 . 2008-03-07 20:31 <DIR> d
C:\Program Files\Spybot -
Search & Destroy
2008-03-07 18:47 . 2007-06-05 10:56 44,928 --a
C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-03-05 18:17 . 2008-03-05 18:17 <DIR> d
C:\Program Files\Trend Micro
2008-02-20 17:49 . 2008-02-20 17:51 <DIR> d
C:\Program Files\Hamachi
2008-02-20 17:15 . 2008-02-20 17:15 <DIR> d
C:\Program Files\Electronic
Arts
2008-02-17 12:55 . 2008-02-17 12:55 54,156 --ah
C:\WINDOWS\QTFont.qfn
2008-02-17 12:55 . 2008-02-17 12:55 1,409 --a
C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report
))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 08:55
d
w C:\Program Files\SpeedFan
2008-03-07 23:09
d
w C:\Program Files\FinePixViewer
2008-03-07 23:03
d
w C:\Program Files\Symantec
2008-03-07 23:03
d
w C:\Program Files\Common Files\Symantec
Shared
2008-03-07 22:50
d
w C:\Program Files\ntl
2008-03-07 22:49
d
w C:\Program Files\Steam
2008-03-07 22:49
d
w C:\Program Files\QuickTime
2008-03-07 22:49
d
w C:\Program Files\PC Wizard 2007 ORCA Logic
Edition
2008-03-07 22:49
d
w C:\Program Files\Ahead
2008-03-07 22:40
d
w C:\Documents and Settings\All
Users\Application Data\Grisoft
2008-03-07 20:33
d
w C:\Documents and Settings\All
Users\Application Data\Spybot - Search & Destroy
2008-03-07 20:31
d
w C:\Documents and Settings\Owner\Application
Data\BitTorrent
2008-03-07 19:42
d
w C:\Program Files\Microsoft Virtual PC
2008-03-07 19:39
d
w C:\Program Files\iTunes
2008-03-05 18:05
d
w C:\Documents and Settings\Owner\Application
Data\Hamachi
2008-02-20 17:49 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-01-08 20:48
d
w C:\Documents and Settings\Owner\Application
Data\DNA
2008-01-08 19:05
d
w C:\Program Files\LimeWire
2008-01-08 18:56
d
w C:\Program Files\Notepad++
2008-01-08 18:34
d
w C:\Documents and Settings\Owner\Application
Data\Uniblue
2007-11-08 15:34 64,512 ---ha-w C:\Documents and Settings\Owner\Application
Data\dach100.dll
2007-07-09 18:45 83,040 ----a-w C:\Documents and Settings\Owner\Application
Data\GDIPFONTCACHEV1.DAT
2007-03-02 10:46 2,216 ----a-w C:\Documents and Settings\Owner\Application
Data\ViewerApp.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points
))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA}]
2005-12-01 23:38 127488 --a
C:\WINDOWS\DLP.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CaAvTray"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" [2005-09-16
11:57 230512]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2005-09-16
11:57 185456]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 17:16 376912]
"BigDogPath323VMSnap"="C:\WINDOWS\VMSnap23.exe" [ ]
"BigDogPath323Domino"="C:\WINDOWS\Domino.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 09:17
1241088]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp center.lnk - C:\Program Files\hp center\137903\Program\BackWeb-137903.exe [2002-01-01
19:13:44 16384]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe
Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed
Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start
Menu^Programs^Startup^broadband medic.lnk]
backup=C:\WINDOWS\pss\broadband medic.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif
Launcher.lnk]
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start
Menu^Programs^Startup^hpoddt01.exe.lnk]
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image
Transfer.lnk]
backup=C:\WINDOWS\pss\Image Transfer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start
Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start
Menu^Programs^Startup^NETGEAR WG111T Smart Wizard.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111T Smart
Wizard.lnk
backup=C:\WINDOWS\pss\NETGEAR WG111T Smart Wizard.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start
Menu^Programs^Startup^Picture Package Menu.lnk]
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start
Menu^Programs^Startup^Picture Package VCD Maker.lnk]
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start
Menu^Programs^Startup^AntiCrash.lnk]
backup=C:\WINDOWS\pss\AntiCrash.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg
Scheduler V3.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg
Scheduler.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a
2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a
2006-02-21 20:40 26112 C:\WINDOWS\system32\Ati2mdxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a
2002-06-21 16:17 290816 C:\Program Files\ATI Technologies\ATI Control
Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a
2002-07-16 08:03 106549 C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a
2002-05-15 03:20 114688 C:\WINDOWS\System32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a
1998-05-07 16:04 52736 c:\windows\system\hpsysdrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a
2002-05-15 03:29 155648 C:\WINDOWS\System32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a
2001-07-06 21:56 61440 C:\HP\KBD\KBD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works
Update Detection]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a
2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a
2002-03-25 23:29 364544 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a
2002-06-14 16:39 81920 C:\WINDOWS\system32\ps2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a
2006-10-25 18:58 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a
2001-12-18 23:39 212992 C:\WINDOWS\SMINST\RECGUARD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
2002-02-04 21:32 53248 C:\Program Files\REGSHAVE\REGSHAVE.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SCANINICIO]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchAndDestroyMFC]
C:\Program Files\Search And Destroy\Search And Destroy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a
2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a
2002-05-09 08:01 155648 C:\Program Files\VERITAS Software\Update
Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a
2004-12-06 21:31 36975 C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver
Monitor]
--a
2005-05-12 15:18 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdate]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=3 (0x3)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"C-DillaSrv"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
-reboot 1
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"REGSHAVE"=C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\security
center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplicatio
ns\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Steam\\steamapps\\revorocks\\half-life 2 deathmatch\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\revorocks\\garrysmod\\hl2.exe"=
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.9\\cnc3game.dat"=
S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card
Service;C:\WINDOWS\system32\DRIVERS\WG11TND5.sys [2005-09-05 11:21]
S3 C-Dilla;C-Dilla;C:\WINDOWS\System32\drivers\CDANT.SYS [2001-09-10 18:09]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24
12:10]
S3 ZSMC326;Vimicro USB2.0 PC Camera(VC0323);C:\WINDOWS\system32\Drivers\usbvm323.sys []
.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 17:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-01-19 10:17:25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-22 20:08:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-11-29 16:12:09 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-03-08 09:45:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-08 9:46:58
ComboFix-quarantined-files.txt 2008-03-08 09:46:37
.
2008-02-13 19:05:02 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:57:47, on 08/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlworld.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CDLPObj Object - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - C:\WINDOWS\DLP.dll
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [BigDogPath323VMSnap] C:\WINDOWS\VMSnap23.exe
O4 - HKLM\..\Run: [BigDogPath323Domino] C:\WINDOWS\Domino.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: ddrive.js (User 'Default user')
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Search - ?p=ZNxuk101YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.rapidrank.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Support/PestScanner/pestscan.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.putfile.com/includes/ImageUploader4-5.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
--
End of file - 7414 bytes
ComboFix 08-03-07.4 - Owner 2008-03-08 9:41:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.191 [GMT 0:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\Downloaded Program Files\Quarantine
.
((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.
2008-03-08 09:35 . 2004-08-04 05:31 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
2008-03-08 09:35 . 2004-08-04 07:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-03-08 09:35 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-03-08 09:35 . 2001-08-17 12:12 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2008-03-08 09:35 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-03-08 09:35 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-03-08 09:35 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-03-08 09:35 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-03-08 09:35 . 2004-08-04 06:07 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
2008-03-08 09:35 . 2004-08-04 07:56 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2008-03-08 09:35 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-03-08 09:33 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-03-08 09:32 . 2001-08-17 14:56 252,032 --a--c--- C:\WINDOWS\system32\dllcache\sis300iv.dll
2008-03-08 09:31 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-03-08 09:30 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-03-08 09:29 . 2007-02-28 08:38 2,015,744 --a--c--- C:\WINDOWS\system32\dllcache\OLD437.tmp
2008-03-08 09:28 . 2001-08-17 12:50 320,384 --a--c--- C:\WINDOWS\system32\dllcache\mgaum.sys
2008-03-08 09:27 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-03-08 09:26 . 2001-08-17 22:36 372,824 --a--c--- C:\WINDOWS\system32\dllcache\iconf32.dll
2008-03-08 09:25 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-03-08 09:24 . 2001-08-17 13:28 634,134 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
2008-03-08 09:23 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-03-08 09:22 . 2004-08-04 07:56 249,856 --a--c--- C:\WINDOWS\system32\dllcache\ctmasetp.dll
2008-03-08 09:21 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-03-08 09:20 . 2001-08-18 12:00 187,938 --a--c--- C:\WINDOWS\system32\dllcache\c_20005.nls
2008-03-08 09:19 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-03-08 09:18 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-03-08 09:17 . 2008-03-08 09:34 <DIR> d
C:\WINDOWS\LastGood
2008-03-08 09:17 . 2007-02-28 09:08 2,136,064 --a--c--- C:\WINDOWS\system32\dllcache\OLD19.tmp
2008-03-08 09:17 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-03-07 23:05 . 2008-03-08 08:53 <DIR> d
C:\WINDOWS\SxsCaPendDel
2008-03-07 22:42 . 2008-03-07 22:42 <DIR> d
C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-07 22:05 . 2008-03-07 22:05 <DIR> d
C:\Program Files\CCleaner
2008-03-07 20:35 . 2008-03-07 20:33 691,545 --a
C:\WINDOWS\unins000.exe
2008-03-07 20:35 . 2008-03-07 20:35 2,550 --a
C:\WINDOWS\unins000.dat
2008-03-07 20:31 . 2008-03-07 20:31 <DIR> d
C:\Program Files\Spybot - Search & Destroy
2008-03-07 18:47 . 2007-06-05 10:56 44,928 --a
C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-03-05 18:17 . 2008-03-05 18:17 <DIR> d
C:\Program Files\Trend Micro
2008-02-20 17:49 . 2008-02-20 17:51 <DIR> d
C:\Program Files\Hamachi
2008-02-20 17:15 . 2008-02-20 17:15 <DIR> d
C:\Program Files\Electronic Arts
2008-02-17 12:55 . 2008-02-17 12:55 54,156 --ah
C:\WINDOWS\QTFont.qfn
2008-02-17 12:55 . 2008-02-17 12:55 1,409 --a
C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 08:55
d
w C:\Program Files\SpeedFan
2008-03-07 23:09
d
w C:\Program Files\FinePixViewer
2008-03-07 23:03
d
w C:\Program Files\Symantec
2008-03-07 23:03
d
w C:\Program Files\Common Files\Symantec Shared
2008-03-07 22:50
d
w C:\Program Files\ntl
2008-03-07 22:49
d
w C:\Program Files\Steam
2008-03-07 22:49
d
w C:\Program Files\QuickTime
2008-03-07 22:49
d
w C:\Program Files\PC Wizard 2007 ORCA Logic Edition
2008-03-07 22:49
d
w C:\Program Files\Ahead
2008-03-07 22:40
d
w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-07 20:33
d
w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-07 20:31
d
w C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-03-07 19:42
d
w C:\Program Files\Microsoft Virtual PC
2008-03-07 19:39
d
w C:\Program Files\iTunes
2008-03-05 18:05
d
w C:\Documents and Settings\Owner\Application Data\Hamachi
2008-02-20 17:49 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-01-08 20:48
d
w C:\Documents and Settings\Owner\Application Data\DNA
2008-01-08 19:05
d
w C:\Program Files\LimeWire
2008-01-08 18:56
d
w C:\Program Files\Notepad++
2008-01-08 18:34
d
w C:\Documents and Settings\Owner\Application Data\Uniblue
2007-11-08 15:34 64,512 ---ha-w C:\Documents and Settings\Owner\Application Data\dach100.dll
2007-07-09 18:45 83,040 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-03-02 10:46 2,216 ----a-w C:\Documents and Settings\Owner\Application Data\ViewerApp.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA}]
2005-12-01 23:38 127488 --a
C:\WINDOWS\DLP.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CaAvTray"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" [2005-09-16 11:57 230512]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2005-09-16 11:57 185456]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 17:16 376912]
"BigDogPath323VMSnap"="C:\WINDOWS\VMSnap23.exe" [ ]
"BigDogPath323Domino"="C:\WINDOWS\Domino.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 09:17 1241088]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp center.lnk - C:\Program Files\hp center\137903\Program\BackWeb-137903.exe [2002-01-01 19:13:44 16384]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^broadband medic.lnk]
backup=C:\WINDOWS\pss\broadband medic.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
backup=C:\WINDOWS\pss\Image Transfer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG111T Smart Wizard.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111T Smart Wizard.lnk
backup=C:\WINDOWS\pss\NETGEAR WG111T Smart Wizard.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^AntiCrash.lnk]
backup=C:\WINDOWS\pss\AntiCrash.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a
2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a
2006-02-21 20:40 26112 C:\WINDOWS\system32\Ati2mdxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a
2002-06-21 16:17 290816 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a
2002-07-16 08:03 106549 C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a
2002-05-15 03:20 114688 C:\WINDOWS\System32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a
1998-05-07 16:04 52736 c:\windows\system\hpsysdrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a
2002-05-15 03:29 155648 C:\WINDOWS\System32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a
2001-07-06 21:56 61440 C:\HP\KBD\KBD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a
2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a
2002-03-25 23:29 364544 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a
2002-06-14 16:39 81920 C:\WINDOWS\system32\ps2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a
2006-10-25 18:58 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a
2001-12-18 23:39 212992 C:\WINDOWS\SMINST\RECGUARD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
2002-02-04 21:32 53248 C:\Program Files\REGSHAVE\REGSHAVE.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SCANINICIO]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchAndDestroyMFC]
C:\Program Files\Search And Destroy\Search And Destroy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a
2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a
2002-05-09 08:01 155648 C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a
2004-12-06 21:31 36975 C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a
2005-05-12 15:18 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdate]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=3 (0x3)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"C-DillaSrv"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"REGSHAVE"=C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Steam\\steamapps\\revorocks\\half-life 2 deathmatch\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\revorocks\\garrysmod\\hl2.exe"=
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.9\\cnc3game.dat"=
S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\WG11TND5.sys [2005-09-05 11:21]
S3 C-Dilla;C-Dilla;C:\WINDOWS\System32\drivers\CDANT.SYS [2001-09-10 18:09]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 12:10]
S3 ZSMC326;Vimicro USB2.0 PC Camera(VC0323);C:\WINDOWS\system32\Drivers\usbvm323.sys []
.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 17:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-01-19 10:17:25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-22 20:08:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-11-29 16:12:09 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 09:45:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-08 9:46:58
ComboFix-quarantined-files.txt 2008-03-08 09:46:37
.
2008-02-13 19:05:02 --- E O F ---
Be sure to continue to temporarily disable any protective software when running the scan tools we use here.
Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:
File:: C:\WINDOWS\DLP.dll Registry:: [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA}] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdate]Save this to your desktop as "CFScript"
(include the "quotation marks" with the name)
You should now have both ComboFix and that CFScript on the desktop. Just left click/hold on the CFScript file, and drag it into ComboFix to start the scan.
ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.
A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Also Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).
To use the scan, once the download has completed click Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click My Computer to begin the scan. Save the Report as a text file and post that back here.
To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".
Post back that log along with the ComboFix.txt and a new HijackThis log please.
ComboFix 08-03-07.4 - Owner 2008-03-12 18:57:37.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.127 [GMT 0:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\DLP.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\DLP.dll
.
((((((((((((((((((((((((( Files Created from 2008-02-12 to 2008-03-12 )))))))))))))))))))))))))))))))
.
2008-03-12 18:44 . 2008-03-12 18:44 <DIR> d
C:\WINDOWS\system32\Kaspersky Lab
2008-03-12 18:44 . 2008-03-12 18:44 <DIR> d
C:\WINDOWS\LastGood
2008-03-12 18:44 . 2008-03-12 18:44 <DIR> d
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-08 13:24 . 2008-03-08 13:24 <DIR> d
C:\Program Files\SUPERAntiSpyware
2008-03-08 13:24 . 2008-03-08 13:24 <DIR> d
C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-03-08 13:24 . 2008-03-08 13:24 <DIR> d
C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-08 13:23 . 2008-03-08 13:23 <DIR> d
C:\Program Files\Common Files\Wise Installation Wizard
2008-03-08 11:10 . 2008-03-08 11:10 <DIR> d
C:\Video
2008-03-08 11:10 . 2008-03-08 11:10 262,144 --a
C:\WINDOWS\system32\QUIZFNTS
2008-03-08 11:10 . 2008-03-08 11:10 32,768 --a
C:\WINDOWS\NSMWIND.EXE
2008-03-08 11:10 . 2008-03-08 11:10 16,384 --a
C:\WINDOWS\system32\NMH0409.DLL
2008-03-08 09:34 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-03-08 09:33 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-03-08 09:32 . 2001-08-17 14:56 252,032 --a--c--- C:\WINDOWS\system32\dllcache\sis300iv.dll
2008-03-08 09:31 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-03-08 09:30 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-03-08 09:29 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-03-08 09:28 . 2001-08-17 12:50 320,384 --a--c--- C:\WINDOWS\system32\dllcache\mgaum.sys
2008-03-08 09:27 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-03-08 09:26 . 2001-08-17 22:36 372,824 --a--c--- C:\WINDOWS\system32\dllcache\iconf32.dll
2008-03-08 09:25 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-03-08 09:24 . 2001-08-17 13:28 634,134 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
2008-03-08 09:23 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-03-08 09:22 . 2004-08-04 07:56 249,856 --a--c--- C:\WINDOWS\system32\dllcache\ctmasetp.dll
2008-03-08 09:21 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-03-08 09:20 . 2001-08-18 12:00 187,938 --a--c--- C:\WINDOWS\system32\dllcache\c_20005.nls
2008-03-08 09:19 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-03-08 09:18 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-03-08 09:17 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-03-07 23:05 . 2008-03-08 08:53 <DIR> d
C:\WINDOWS\SxsCaPendDel
2008-03-07 22:42 . 2008-03-07 22:42 <DIR> d
C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-07 22:05 . 2008-03-07 22:05 <DIR> d
C:\Program Files\CCleaner
2008-03-07 20:35 . 2008-03-07 20:33 691,545 --a
C:\WINDOWS\unins000.exe
2008-03-07 20:35 . 2008-03-07 20:35 2,550 --a
C:\WINDOWS\unins000.dat
2008-03-07 20:31 . 2008-03-12 18:45 <DIR> d
C:\Program Files\Spybot - Search & Destroy
2008-03-07 18:47 . 2007-06-05 10:56 44,928 --a
C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-03-05 18:17 . 2008-03-05 18:17 <DIR> d
C:\Program Files\Trend Micro
2008-02-20 17:49 . 2008-02-20 17:51 <DIR> d
C:\Program Files\Hamachi
2008-02-20 17:15 . 2008-02-20 17:15 <DIR> d
C:\Program Files\Electronic Arts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 18:45
d
w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-09 17:33
d
w C:\Program Files\Steam
2008-03-09 14:53
d
w C:\Documents and Settings\Owner\Application Data\Hamachi
2008-03-08 11:13
d
w C:\Program Files\Common Files\Adobe
2008-03-08 10:59
d
w C:\Program Files\Nokia
2008-03-08 08:55
d
w C:\Program Files\SpeedFan
2008-03-07 23:09
d
w C:\Program Files\FinePixViewer
2008-03-07 23:03
d
w C:\Program Files\Symantec
2008-03-07 23:03
d
w C:\Program Files\Common Files\Symantec Shared
2008-03-07 22:50
d
w C:\Program Files\ntl
2008-03-07 22:49
d
w C:\Program Files\QuickTime
2008-03-07 22:49
d
w C:\Program Files\PC Wizard 2007 ORCA Logic Edition
2008-03-07 22:49
d
w C:\Program Files\Ahead
2008-03-07 22:40
d
w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-07 20:31
d
w C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-03-07 19:42
d
w C:\Program Files\Microsoft Virtual PC
2008-03-07 19:39
d
w C:\Program Files\iTunes
2008-02-20 17:49 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-11-08 15:34 64,512 ---ha-w C:\Documents and Settings\Owner\Application Data\dach100.dll
2007-07-09 18:45 83,040 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-03-02 10:46 2,216 ----a-w C:\Documents and Settings\Owner\Application Data\ViewerApp.dat
.
((((((((((((((((((((((((((((( snapshot@2008-03-08_ 9.46.20.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-08 13:24:13 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-03-08 13:24:13 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2007-07-30 08:04:27 266,208 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-03-08 13:15:19 265,416 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2005-05-24 12:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 15:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 15:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-02-04 23:09:46 18,214,008 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CaAvTray"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" [2005-09-16 11:57 230512]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2005-09-16 11:57 185456]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 17:16 376912]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp center.lnk - C:\Program Files\hp center\137903\Program\BackWeb-137903.exe [2002-01-01 19:13:44 16384]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^broadband medic.lnk]
backup=C:\WINDOWS\pss\broadband medic.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
backup=C:\WINDOWS\pss\Image Transfer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG111T Smart Wizard.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111T Smart Wizard.lnk
backup=C:\WINDOWS\pss\NETGEAR WG111T Smart Wizard.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^AntiCrash.lnk]
backup=C:\WINDOWS\pss\AntiCrash.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a
2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a
2006-02-21 20:40 26112 C:\WINDOWS\system32\Ati2mdxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a
2002-06-21 16:17 290816 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a
2002-07-16 08:03 106549 C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a
2002-05-15 03:20 114688 C:\WINDOWS\System32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a
1998-05-07 16:04 52736 c:\windows\system\hpsysdrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a
2002-05-15 03:29 155648 C:\WINDOWS\System32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a
2001-07-06 21:56 61440 C:\HP\KBD\KBD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
c:\Program Files\Microsoft Works\WkDetect.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a
2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a
2002-03-25 23:29 364544 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a
2002-06-14 16:39 81920 C:\WINDOWS\system32\ps2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a
2006-10-25 18:58 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a
2001-12-18 23:39 212992 C:\WINDOWS\SMINST\RECGUARD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
2002-02-04 21:32 53248 C:\Program Files\REGSHAVE\REGSHAVE.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SCANINICIO]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchAndDestroyMFC]
C:\Program Files\Search And Destroy\Search And Destroy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a
2002-05-09 08:01 155648 C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a
2004-12-06 21:31 36975 C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a
2008-02-29 16:03 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a
2005-05-12 15:18 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=3 (0x3)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"C-DillaSrv"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"REGSHAVE"=C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Steam\\steamapps\\revorocks\\half-life 2 deathmatch\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\revorocks\\garrysmod\\hl2.exe"=
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.9\\cnc3game.dat"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
R3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\WG11TND5.sys [2005-09-05 11:21]
S3 C-Dilla;C-Dilla;C:\WINDOWS\System32\drivers\CDANT.SYS [2001-09-10 18:09]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 12:10]
S3 ZSMC326;Vimicro USB2.0 PC Camera(VC0323);C:\WINDOWS\system32\Drivers\usbvm323.sys []
.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 17:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-03-08 10:17:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-22 20:08:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-11-29 16:12:09 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 19:02:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-12 19:03:24
ComboFix-quarantined-files.txt 2008-03-12 19:03:04
ComboFix2.txt 2008-03-08 09:46:59
.
2008-03-12 18:45:29 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:11:06, on 12/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlworld.com/
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: ddrive.js (User 'Default user')
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Search - ?p=ZNxuk101YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.rapidrank.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Support/PestScanner/pestscan.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.putfile.com/includes/ImageUploader4-5.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
--
End of file - 7312 bytes
it said none were skipped in the scan so why does it say skipped on all of them?
KASPERSKY ONLINE SCANNER REPORT
Wednesday, March 12, 2008 9:22:01 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/03/2008
Kaspersky Anti-Virus database records: 626007
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 136233
Number of viruses found: 3
Number of infected objects: 9
Number of suspicious objects: 8
Duration of the scan process: 01:44:41
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\t00jdrpi.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\t00jdrpi.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\t00jdrpi.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\t00jdrpi.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\t00jdrpi.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\t00jdrpi.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\t00jdrpi.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{47B29EB1-5FE8-4917-859B-EA5DC2EB9FFD}\Microsoft\Outlook Express\Deleted Items.dbx/[From ythell@protagona.com][Date Mon, 29 Mar 2004 17:19:59 +0100]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{47B29EB1-5FE8-4917-859B-EA5DC2EB9FFD}\Microsoft\Outlook Express\Deleted Items.dbx/[From ythell@protagona.com][Date Mon, 29 Mar 2004 17:19:59 +0100]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{47B29EB1-5FE8-4917-859B-EA5DC2EB9FFD}\Microsoft\Outlook Express\Deleted Items.dbx/[From ythell@protagona.com][Date Mon, 29 Mar 2004 17:19:59 +0100]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{47B29EB1-5FE8-4917-859B-EA5DC2EB9FFD}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Alex Pamment" <alpam1@x-stream.co.uk>][Date Mon, 23 Jun 2003 17:20:04 +0100]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{47B29EB1-5FE8-4917-859B-EA5DC2EB9FFD}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Alex Pamment" <alpam1@x-stream.co.uk>][Date Mon, 23 Jun 2003 17:20:04 +0100]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{47B29EB1-5FE8-4917-859B-EA5DC2EB9FFD}\Microsoft\Outlook Express\Deleted Items.dbx/[From oote@kuoni.co.uk][Date Tue, 30 Mar 2004 18:00:42 +0100]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{47B29EB1-5FE8-4917-859B-EA5DC2EB9FFD}\Microsoft\Outlook Express\Deleted Items.dbx/[From oote@kuoni.co.uk][Date Tue, 30 Mar 2004 18:00:42 +0100]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{47B29EB1-5FE8-4917-859B-EA5DC2EB9FFD}\Microsoft\Outlook Express\Deleted Items.dbx/[From oote@kuoni.co.uk][Date Tue, 30 Mar 2004 18:00:42 +0100]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{47B29EB1-5FE8-4917-859B-EA5DC2EB9FFD}\Microsoft\Outlook Express\Deleted Items.dbx/[From gemmamcfadden@hotmail.com][Date Mon, 19 Apr 2004 14:14:49 +0100]/UNNAMED/msg7947.zip/msg.eml .scr Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{47B29EB1-5FE8-4917-859B-EA5DC2EB9FFD}\Microsoft\Outlook Express\Deleted Items.dbx/[From gemmamcfadden@hotmail.com][Date Mon, 19 Apr 2004 14:14:49 +0100]/UNNAMED/msg7947.zip Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{47B29EB1-5FE8-4917-859B-EA5DC2EB9FFD}\Microsoft\Outlook Express\Deleted Items.dbx/[From gemmamcfadden@hotmail.com][Date Mon, 19 Apr 2004 14:14:49 +0100]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{47B29EB1-5FE8-4917-859B-EA5DC2EB9FFD}\Microsoft\Outlook Express\Deleted Items.dbx/[From RCVD_IN_DYNABLOCK RBL: Sent directly from dynamic IP address][Date Mon, 19 Apr 2004 15:59:58 +0100]/UNNAMED/data24769.zip/msg.eml .scr Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{47B29EB1-5FE8-4917-859B-EA5DC2EB9FFD}\Microsoft\Outlook Express\Deleted Items.dbx/[From RCVD_IN_DYNABLOCK RBL: Sent directly from dynamic IP address][Date Mon, 19 Apr 2004 15:59:58 +0100]/UNNAMED/data24769.zip Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{47B29EB1-5FE8-4917-859B-EA5DC2EB9FFD}\Microsoft\Outlook Express\Deleted Items.dbx/[From RCVD_IN_DYNABLOCK RBL: Sent directly from dynamic IP address][Date Mon, 19 Apr 2004 15:59:58 +0100]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{47B29EB1-5FE8-4917-859B-EA5DC2EB9FFD}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 6, suspicious - 8 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\t00jdrpi.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\t00jdrpi.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\t00jdrpi.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\t00jdrpi.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\hp center\137903\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\hp center\137903\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\hp center\137903\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\hp center\137903\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\hp center\137903\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\hp center\137903\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\hp center\137903\Users\Default\Data\L0000008.FCS Object is locked skipped
C:\Program Files\hp center\137903\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\hp center\137903\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\hp center\137903\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\hp center\137903\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\hp center\137903\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\hp center\137903\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\hp center\137903\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\hp center\137903\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\hp center\137903\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\hp center\137903\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\hp center\137903\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\hp center\137903\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\hp center\137903\Users\Default\Data\storydb.idx Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\DLP.dll.vir Infected: not-a-virus:AdWare.Win32.Webdir.b skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc14\Desktop.ini Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc15\MSN Hotmail - New Message.txt Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc15\They killed Julius Caesar by stabbing him to death with sharp things.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\04 - Boulevard of Broken Dreams.mp3 Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\Animation Shop 3.lnk Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\Animation4.mng Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\aztec[2].jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\DANCE2.lnk Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\Data.out Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\Desktop.ini Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\easy Internet sign-up.lnk Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\Error.out Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\evil sam.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\evil sam2.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\fizeau1[2].jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\gta cheats.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\Internet Explorer.lnk Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\MIKE[1].jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\MSN Messenger 6.2.lnk Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\Paint Shop Pro 7.lnk Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\Paint.lnk Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\Pinball.lnk Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\QuickTime Player.lnk Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\RapidSite.exe Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\Rave eJay Demo.lnk Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\Shortcut to Internet Explorer.lnk Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\Thumbs.db Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\Windows Media Player.lnk Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\X-Plane.out Object is locked skipped
C:\RECYCLER\S-1-5-21-3604470327-3957454863-557728558-1007\Dc16\~$ey killed Julius Caesar by stabbing him to death with sharp things.doc Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F598387F-3ED0-4478-B3D8-AD0A44E33B2D}\RP640\A0182568.dll Infected: not-a-virus:AdWare.Win32.Webdir.b skipped
C:\System Volume Information\_restore{F598387F-3ED0-4478-B3D8-AD0A44E33B2D}\RP640\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{F598387F-3ED0-4478-B3D8-AD0A44E33B2D}\RP640\change.log Object is locked skipped
Scan process completed.
How are things running right now? The logs show you have many, many startups disabled through msconfig. Not really something I recommend, and suggest instead people first take the time to learn their softwares and disable things like startups through the various Options settings they have. To do a more complete cleaning let's see if any startups are only remnants we can remove.
Go to Start - Run, type msconfig (and Enter).
Under the Startup tab, click Enable All, then Apply/OK to close msconfig. Allow the reboot at this time. You can expect to receive alerts/error messages at reboot after this, but we will be addressing all this during the repairs.
Then run and post back a new ComboFix and HijackThis scan log please.
ComboFix 08-03-07.4 - Owner 2008-03-14 16:05:23.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.209 [GMT 0:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-02-14 to 2008-03-14 )))))))))))))))))))))))))))))))
.
2008-03-12 18:44 . 2008-03-12 18:44 <DIR> d
C:\WINDOWS\system32\Kaspersky Lab
2008-03-12 18:44 . 2008-03-12 18:44 <DIR> d
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-08 13:24 . 2008-03-08 13:24 <DIR> d
C:\Program Files\SUPERAntiSpyware
2008-03-08 13:24 . 2008-03-08 13:24 <DIR> d
C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-03-08 13:24 . 2008-03-08 13:24 <DIR> d
C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-08 13:23 . 2008-03-08 13:23 <DIR> d
C:\Program Files\Common Files\Wise Installation Wizard
2008-03-08 11:10 . 2008-03-08 11:10 <DIR> d
C:\Video
2008-03-08 11:10 . 2008-03-08 11:10 262,144 --a
C:\WINDOWS\system32\QUIZFNTS
2008-03-08 11:10 . 2008-03-08 11:10 32,768 --a
C:\WINDOWS\NSMWIND.EXE
2008-03-08 11:10 . 2008-03-08 11:10 16,384 --a
C:\WINDOWS\system32\NMH0409.DLL
2008-03-08 09:34 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-03-08 09:33 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-03-08 09:32 . 2001-08-17 14:56 252,032 --a--c--- C:\WINDOWS\system32\dllcache\sis300iv.dll
2008-03-08 09:31 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-03-08 09:30 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-03-08 09:29 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-03-08 09:28 . 2001-08-17 12:50 320,384 --a--c--- C:\WINDOWS\system32\dllcache\mgaum.sys
2008-03-08 09:27 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-03-08 09:26 . 2001-08-17 22:36 372,824 --a--c--- C:\WINDOWS\system32\dllcache\iconf32.dll
2008-03-08 09:25 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-03-08 09:24 . 2001-08-17 13:28 634,134 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
2008-03-08 09:23 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-03-08 09:22 . 2004-08-04 07:56 249,856 --a--c--- C:\WINDOWS\system32\dllcache\ctmasetp.dll
2008-03-08 09:21 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-03-08 09:20 . 2001-08-18 12:00 187,938 --a--c--- C:\WINDOWS\system32\dllcache\c_20005.nls
2008-03-08 09:19 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-03-08 09:18 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-03-08 09:17 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-03-07 23:05 . 2008-03-08 08:53 <DIR> d
C:\WINDOWS\SxsCaPendDel
2008-03-07 22:42 . 2008-03-07 22:42 <DIR> d
C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-07 22:05 . 2008-03-07 22:05 <DIR> d
C:\Program Files\CCleaner
2008-03-07 20:35 . 2008-03-07 20:33 691,545 --a
C:\WINDOWS\unins000.exe
2008-03-07 20:35 . 2008-03-07 20:35 2,550 --a
C:\WINDOWS\unins000.dat
2008-03-07 18:47 . 2007-06-05 10:56 44,928 --a
C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-03-05 18:17 . 2008-03-05 18:17 <DIR> d
C:\Program Files\Trend Micro
2008-02-20 17:49 . 2008-02-20 17:51 <DIR> d
C:\Program Files\Hamachi
2008-02-20 17:15 . 2008-02-20 17:15 <DIR> d
C:\Program Files\Electronic Arts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 18:45
d
w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-09 17:33
d
w C:\Program Files\Steam
2008-03-09 14:53
d
w C:\Documents and Settings\Owner\Application Data\Hamachi
2008-03-08 11:13
d
w C:\Program Files\Common Files\Adobe
2008-03-08 10:59
d
w C:\Program Files\Nokia
2008-03-08 08:55
d
w C:\Program Files\SpeedFan
2008-03-07 23:09
d
w C:\Program Files\FinePixViewer
2008-03-07 23:03
d
w C:\Program Files\Symantec
2008-03-07 23:03
d
w C:\Program Files\Common Files\Symantec Shared
2008-03-07 22:50
d
w C:\Program Files\ntl
2008-03-07 22:49
d
w C:\Program Files\QuickTime
2008-03-07 22:49
d
w C:\Program Files\PC Wizard 2007 ORCA Logic Edition
2008-03-07 22:49
d
w C:\Program Files\Ahead
2008-03-07 22:40
d
w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-07 20:31
d
w C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-03-07 19:42
d
w C:\Program Files\Microsoft Virtual PC
2008-03-07 19:39
d
w C:\Program Files\iTunes
2008-02-20 17:49 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-11-08 15:34 64,512 ---ha-w C:\Documents and Settings\Owner\Application Data\dach100.dll
2007-07-09 18:45 83,040 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-03-02 10:46 2,216 ----a-w C:\Documents and Settings\Owner\Application Data\ViewerApp.dat
.
((((((((((((((((((((((((((((( snapshot@2008-03-08_ 9.46.20.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-08 13:24:13 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-03-08 13:24:13 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2007-07-30 08:04:27 266,208 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-03-08 13:15:19 265,416 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2005-05-24 12:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 15:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 15:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-02-04 23:09:46 18,214,008 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]
"SearchAndDestroyMFC"="C:\Program Files\Search And Destroy\Search And Destroy.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CaAvTray"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" [2005-09-16 11:57 230512]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2005-09-16 11:57 185456]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 17:16 376912]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-05-12 15:18 100056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 21:31 36975]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-05-09 08:01 155648]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32 53248]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-12-18 23:39 212992]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-06-14 16:39 81920]
"nwiz"="nwiz.exe" [2002-03-25 23:29 364544 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="NvQTwk" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 21:56 61440]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-05-15 03:29 155648]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-05-15 03:20 114688]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-07-16 08:03 106549]
"ATIPTA"="atiptaxx.exe" [2002-06-21 16:17 290816 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
hp center.lnk - C:\Program Files\hp center\137903\Program\BackWeb-137903.exe [2002-01-01 19:13:44 16384]
NETGEAR WG111T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111T\wlan111t.exe [2007-01-06 15:59:11 884840]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^broadband medic.lnk]
backup=C:\WINDOWS\pss\broadband medic.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
backup=C:\WINDOWS\pss\Image Transfer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^AntiCrash.lnk]
backup=C:\WINDOWS\pss\AntiCrash.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SCANINICIO]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=3 (0x3)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"C-DillaSrv"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"REGSHAVE"=C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Steam\\steamapps\\revorocks\\half-life 2 deathmatch\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\revorocks\\garrysmod\\hl2.exe"=
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.9\\cnc3game.dat"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
R3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\WG11TND5.sys [2005-09-05 11:21]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 12:10]
S3 C-Dilla;C-Dilla;C:\WINDOWS\System32\drivers\CDANT.SYS [2001-09-10 18:09]
S3 ZSMC326;Vimicro USB2.0 PC Camera(VC0323);C:\WINDOWS\system32\Drivers\usbvm323.sys []
.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 17:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-03-08 10:17:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-22 20:08:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-11-29 16:12:09 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-14 16:09:44
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-14 16:10:59
ComboFix-quarantined-files.txt 2008-03-14 16:10:37
ComboFix2.txt 2008-03-12 19:03:25
ComboFix3.txt 2008-03-08 09:46:59
.
2008-03-12 18:45:29 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:42:38, on 14/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlworld.com/
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SearchAndDestroyMFC] C:\Program Files\Search And Destroy\Search And Destroy.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: ddrive.js (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZNxuk101YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.rapidrank.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Support/PestScanner/pestscan.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.putfile.com/includes/ImageUploader4-5.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
--
End of file - 8963 bytes
The info shows you have HP's Backweb as a startup there. See here about views on Backweb and it's system monitoring functions. You can remove this if you wish by following the steps here under "Can I deactivate the messaging service?".
Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it fixer.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.
Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis. These indicate SpyBot has been uninstalled but the startups left behind.
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SearchAndDestroyMFC] C:\Program Files\Search And Destroy\Search And Destroy.exe
Then reboot to complete the changes made. Before we finish by cleaning up what we added there post back how things are running now please.
Thanks very much for your help so far.
Kaspersky, if you don't plan to use it again, uninstalls through Add/Remove Programs.
The autoplay functions there were blocked as part of the procedures we did here. You can return those to the Windows default settings at this time by doing the following step, if you wish. This will allow autoplay for all drives such as CD-ROM and external drives.
Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it autofix.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.
You can also at this time delete the files/folders of the tools we used. To assist with some of that download OTMoveIt2 and save the file to your desktop. This will help by automatically removing some of the tools we used.
Please double-click OTMoveIt.exe to run it and click on Cleanup (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator"). When you do this list of malware removal programs will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so. After the list has downloaded, you'll be asked if you want to begin cleanup process? Select Yes.
OTMoveIt will search for and delete/uninstall all the tools that we have used to fix your problems and all their backup folders and then delete itself when you next reboot. At the end of the run you will receive a prompt to reboot, but save that for the next step.
Then reset the System Restore. To do this, right-click My Computer and select Properties. Click the System Restore tab in the window that appears, and check the box that says "Turn off System Restore on all drives" and click Apply.
You will be asked if you are sure, click Yes. This will delete the restore points. Then click OK in the Properties window and reboot your computer.
When your desktop appears, right-click My Computer and select Properties once more. Uncheck the "Turn off System Restore..." box and click Apply. OK.
In addition, I like to recommend reviewing the information Here to make sure you stay malware free.