#1
Registered User
Join Date: Aug 2008
Posts: 1
OS: WinXP
Please help! My system only starts in safe mode after running combofix
After running ComboFix to try to eliminate some variants of the TR/Monder trojan, my system does not start. It shows the Windows XP loading page, but after that it goes off. Below are attached a current HijackThis log and the ComboFix report. Please help me rid my system of these trojans and save my information.
HIJACK THIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:35, on 2008-08-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kathycatincali.spaces.live.co...d/MsnPUpld.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8052 bytes

***********************
COMBOFIX LOG

ComboFix 08-08-23.03 - Kathy 2008-08-24 23:41:23.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.328 [GMT -4:00]
Running from: D:\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Guest\Application Data\macromedia\Flash Player\#SharedObjects\KH3E4X94\interclick.com
C:\Documents and Settings\Guest\Application Data\macromedia\Flash Player\#SharedObjects\KH3E4X94\interclick.com\ud.sol
C:\Documents and Settings\Guest\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Guest\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Guest\Cookies\guest@hi5[1].txt
C:\Documents and Settings\Kathy\Application Data\macromedia\Flash Player\#SharedObjects\5YRBHXRD\interclick.com
C:\Documents and Settings\Kathy\Application Data\macromedia\Flash Player\#SharedObjects\5YRBHXRD\interclick.com\ud.sol
C:\Documents and Settings\Kathy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Kathy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\acddnhoj.ini
C:\WINDOWS\system32\adxyebyv.ini
C:\WINDOWS\system32\afiqgvjh.ini
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\brswcish.ini
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\daoidi.dll
C:\WINDOWS\system32\gykofdhm.dll
C:\WINDOWS\system32\hfcyrxkr.dll
C:\WINDOWS\system32\jkQpoUtv.ini
C:\WINDOWS\system32\jkQpoUtv.ini2
C:\WINDOWS\system32\mhdfokyg.ini
C:\WINDOWS\system32\nnnkHyVl.dll
C:\WINDOWS\system32\ogumdqhf.dll
C:\WINDOWS\system32\rltcgh.dll
C:\WINDOWS\system32\sfjunpcn.dll
C:\WINDOWS\system32\SysPr.prx
C:\WINDOWS\system32\vgusmwwf.ini
C:\WINDOWS\system32\vifdwbuk.ini
C:\WINDOWS\system32\vtUopQkj.dll
C:\WINDOWS\system32\xnqsbenu.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.

2008-08-10 19:53 . 2008-08-10 19:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-08-07 12:13 . 2008-08-07 12:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-08-07 12:13 . 2008-08-24 18:04 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-01 19:25 . 2008-08-04 23:22 1,555 --ahs---- C:\WINDOWS\system32\gfxcxkox.ini
2008-08-01 19:22 . 2008-08-01 19:22 1,434 --ahs---- C:\WINDOWS\system32\yrnleekv.ini
2008-08-01 18:22 . 2008-08-01 18:22 1,374 --ahs---- C:\WINDOWS\system32\jjdmuper.ini
2008-08-01 18:19 . 2008-08-01 18:19 1,314 --ahs---- C:\WINDOWS\system32\ojpbfdlm.ini
2008-08-01 17:19 . 2008-08-01 17:19 1,254 --ahs---- C:\WINDOWS\system32\qepkpfkl.ini
2008-08-01 17:16 . 2008-08-01 17:16 1,194 --ahs---- C:\WINDOWS\system32\qdayrxvf.ini
2008-08-01 16:16 . 2008-08-01 16:16 1,134 --ahs---- C:\WINDOWS\system32\frconrod.ini
2008-08-01 16:13 . 2008-08-01 16:13 1,074 --ahs---- C:\WINDOWS\system32\kwfrdgby.ini
2008-08-01 15:13 . 2008-08-01 15:13 1,014 --ahs---- C:\WINDOWS\system32\nhnwqupm.ini
2008-08-01 15:10 . 2008-08-01 15:10 954 --ahs---- C:\WINDOWS\system32\camgkfre.ini
2008-08-01 14:10 . 2008-08-01 14:10 894 --ahs---- C:\WINDOWS\system32\fqfeutwt.ini
2008-08-01 14:07 . 2008-08-01 14:07 834 --ahs---- C:\WINDOWS\system32\ekmrmros.ini
2008-08-01 13:07 . 2008-08-01 13:07 774 --ahs---- C:\WINDOWS\system32\xqrknfss.ini
2008-08-01 13:04 . 2008-08-01 13:04 714 --ahs---- C:\WINDOWS\system32\hpgqngli.ini
2008-08-01 12:05 . 2008-08-01 12:05 654 --ahs---- C:\WINDOWS\system32\iltjnxrc.ini
2008-08-01 12:01 . 2008-08-01 12:01 594 --ahs---- C:\WINDOWS\system32\dyrficba.ini
2008-08-01 12:01 . 2008-08-01 12:01 534 --ahs---- C:\WINDOWS\system32\msaohnul.ini
2008-07-31 19:32 . 2008-08-01 12:00 474 --ahs---- C:\WINDOWS\system32\vwyyrijo.ini
2008-07-31 19:29 . 2008-07-31 19:29 354 --ahs---- C:\WINDOWS\system32\mglwejik.ini
2008-07-31 19:27 . 2008-07-31 19:28 294 --ahs---- C:\WINDOWS\system32\prmrwime.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-25 03:27 29,156 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-25 03:27 2,396,192 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-07 19:45 65,536 --sh--w C:\Documents and Settings\Kathy\MediaTubeCodec_ver1.1463.1.exe
2008-07-06 00:01 --------- d-----w C:\Program Files\gBurner
2008-07-05 04:16 --------- d-----w C:\Program Files\BitTorrent
2008-07-05 04:13 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-05 01:21 --------- d-----w C:\Program Files\LimeWire
2008-07-05 01:21 --------- d-----w C:\Program Files\FastStone Photo Resizer
2008-07-04 21:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-04 20:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2007-01-07 02:05 359,112 ----a-w C:\Program Files\LimeWireWin.exe
2007-01-07 01:03 36,808,256 ----a-w C:\Program Files\iTunesSetup.exe
2006-10-27 17:20 905,728 ----a-w C:\Program Files\iview398.exe
2006-07-09 00:08 10,321,592 ----a-w C:\Program Files\SkypeSetup(2).exe
2006-06-15 17:51 1,449,368 ------w C:\Program Files\daemon403-x86.exe
2006-06-14 07:55 6,883,122 ----a-w C:\Program Files\BitTorrent-Stable.exe
2006-06-01 23:30 317,160 ----a-w C:\Program Files\directx9a.exe
2006-06-01 23:28 494,896 ----a-w C:\Program Files\WGAPluginInstall.exe
2006-06-01 22:34 23,510,720 ----a-w C:\Program Files\dotnetfx.exe
2006-06-01 22:33 36,138,952 ----a-w C:\Program Files\6-5_xp-2k_dd_ccc_wdm_enu_32464.exe
2006-06-01 22:28 22,264,623 ----a-w C:\Program Files\C-Media_XP_2K_ME_98(UDA046_build02).zip
2006-06-01 22:23 1,355,872 ----a-w C:\Program Files\4in1_XP_2K_ME_98(4.49).zip
2006-05-22 07:57 24,070,456 ----a-w C:\Program Files\media player11-windowsxp-x86-enu.exe
2006-05-22 07:52 1,050,112 ----a-w C:\Program Files\Nature Theme 2 - Nature_EN.msi
2006-05-22 07:50 5,271,552 ----a-w C:\Program Files\PStory.msi
2006-05-17 18:07 5,616,888 ----a-w C:\Program Files\winamp521_full_emusic-7plus.exe
2006-05-17 17:48 5,115,704 ----a-w C:\Program Files\Firefox Setup 1.5.0.3.exe
2006-05-17 17:28 10,816,112 ----a-w C:\Program Files\antivir_workstation_win7u_en_h.exe
2005-04-20 16:32 17,177,896 ----a-w C:\Program Files\Install_Messenger (Life).exe
2005-04-12 23:11 12,662,176 ----a-w C:\Program Files\RealPlayer10-5GOLD.exe
2005-04-12 22:58 1,355,912 ----a-w C:\Program Files\install_flash_player.exe
2005-04-12 21:31 13,706,152 ----a-w C:\Program Files\zonelabs.exe
2004-03-11 20:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-20 15:39 68856]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 15:34 5724184]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2007-11-20 20:52 218496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 18:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 18:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 18:50 114688]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-23 01:46 401408]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-23 01:47 385024]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 13:08 1347584]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2004-09-07 09:25 1400944]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 14:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-12 19:14 180269]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 04:47 31016]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-08-04 23:27 266497]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 02:16 39792]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-03 00:07 919016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-29 00:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 11:36 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 12:01 437160]

C:\Documents and Settings\Kathy\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-27 00:24:54 98632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-06-12 04:08:05 113664]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-05-17 06:26:00 811008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-07-23 01:46 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\vtUopQkj

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{359edffe-2d11-11dd-bdb4-00904bdfd0a6}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec5e45ca-ab84-11dc-810e-00904bdfd0a6}]
\Shell\AutoRun\command - F:\LapNetWizard.exe

.
Contents of the 'Scheduled Tasks' folder

2008-04-22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:57]

2008-08-25 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 22:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-103fb7e9 - C:\WINDOWS\system32\sfjunpcn.dll

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Kathy\Application Data\Mozilla\Firefox\Profiles\n484yqip.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 00:07:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-25 0:14:28
ComboFix-quarantined-files.txt 2008-08-25 04:14:23

Pre-Run: 9,522,655,232 bytes free
Post-Run: 10,441,900,032 bytes free

195 --- E O F --- 2008-07-07 17:21:16