Pls Help w/ Generic BackDoor Trojan Removal

[steampunkx]

My pc is infected with a Generic Backdoor trojan. I've copied the main.txt below, but no extra.txt file was generated (I've tried a couple times). Any help you can offer is profoundly appreciated.

Deckard's System Scanner v20070809.63
Run by Owner on 2007-08-11 at 13:44:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:52 PM, on 8/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\7BL3F5SS\dss[1].exe
C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\7BL3F5SS\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gophersearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O4 - HKLM\..\Run: [v72O39P] sndav.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Install.exe] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKCU\..\Run: [ewtERVjsg] ir3iscon.exe
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\WINDOWS\stubinstaller5356.exe"
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/...sb_1002952.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yaho...bio5_0_2_1.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6814 bytes

-- Files created between 2007-07-11 and 2007-08-11 -----------------------------

2007-08-11 12:21:26 0 d-------- C:\Program Files\Trend Micro
2007-08-11 12:19:06 0 d-------- C:\!KillBox
2007-08-11 11:20:59 21312 --a------ C:\WINDOWS\choice.exe
2007-08-11 11:16:03 0 d-------- C:\ie-spyad
2007-08-11 11:11:28 0 d-------- C:\Program Files\SpywareBlaster
2007-08-11 07:24:59 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-08-06 18:34:40 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-08-06 18:34:40 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-08-06 18:34:40 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-08-06 18:34:40 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-08-06 18:34:40 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-08-06 18:34:40 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-08-06 18:34:40 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-08-06 18:34:40 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-08-06 18:34:40 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-08-06 18:34:40 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-08-06 18:34:40 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-08-06 18:34:40 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-08-06 18:34:40 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-08-06 18:34:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-08-06 18:34:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-08-06 18:34:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-08-06 18:34:39 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-08-06 18:34:39 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-08-05 08:05:31 143360 --a------ C:\WINDOWS\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2007-08-05 07:59:31 0 d-------- C:\Program Files\McAfee.com
2007-08-05 07:59:20 0 d-------- C:\Program Files\Common Files\McAfee
2007-08-05 07:59:03 0 d-------- C:\Program Files\McAfee
2007-08-05 07:50:06 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-08-03 16:22:53 0 d-------- C:\WINDOWS\pss


-- Find3M Report ---------------------------------------------------------------

2007-08-11 10:17:25 0 d-------- C:\Program Files\QuickTime
2007-08-05 07:59:20 0 d-a------ C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8DA5457F-A8AA-4CCF-A842-70E6FD274094}]
C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"v72O39P"="sndav.exe" []
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [06/15/2001 06:34 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/12/2005 12:32 PM]
"PS2"="C:\WINDOWS\system32\ps2.exe" []
"POINTER"="point32.exe" []
"nwiz"="nwiz.exe" [07/28/2003 03:19 PM C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [07/28/2003 03:19 PM]
"Install.exe"="C:\WINDOWS\svchost.exe" []
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [08/07/2001 08:25 PM]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 12:04 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [08/07/2001 07:36 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ewtERVjsg"="ir3iscon.exe" []
"180ClientStubInstall"="C:\WINDOWS\stubinstaller5356.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)
"disabletaskmgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\perfc000.dat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2007-08-11 at 13:46:27 ---------

[sUBs]

Do a HijackThis scan & place a check next to these items and select "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gophersearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O4 - HKLM\..\Run: [v72O39P] sndav.exe
O4 - HKLM\..\Run: [Install.exe] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [ewtERVjsg] ir3iscon.exe
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\WINDOWS\stubinstaller5356.exe"
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/...sb_1002952.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat

Ignore any prompts for a reboot


---------------


1. Download this file - http://download.bleepingcomputer.com...a/ComboFix.exe

* IMPORTANT !!! Place combofix.exe on your Desktop







2. Go to → Run → paste in the single line command & click OK

"%userprofile%\desktop\combofix.exe" /killall

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

[steampunkx]

working on it. you rock!

[steampunkx]

Thanks sUBs!

Per your request, the combofix.exe log:

ComboFix 07-08-12 - "Owner" 2007-08-11 16:39:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.274 [GMT -4:00]
Command switches used :: /killall
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\tatss
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\tatss\patchme.exe
C:\DOCUME~1\Owner\Desktop.\internet explorer.lnk
C:\WINDOWS\DOWNLO~1.\temp


((((((((((((((((((((((((( Files Created from 2007-07-11 to 2007-08-11 )))))))))))))))))))))))))))))))


2007-08-11 16:36 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-11 12:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-11 12:19 <DIR> d-------- C:\!KillBox
2007-08-11 11:44 <DIR> d-------- C:\Deckard
2007-08-11 11:20 21,312 --a------ C:\WINDOWS\choice.exe
2007-08-11 11:16 <DIR> d-------- C:\ie-spyad
2007-08-11 11:11 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-11 07:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-08-06 18:34 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-06 18:34 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-08-06 18:34 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
2007-08-05 08:05 143,360 --a------ C:\WINDOWS\SYSTEM32\dunzip32.dll
2007-08-05 08:00 71,496 --a------ C:\WINDOWS\SYSTEM32\drivers\mfeavfk.sys
2007-08-05 08:00 37,480 --a------ C:\WINDOWS\SYSTEM32\drivers\mfesmfk.sys
2007-08-05 08:00 34,184 --a------ C:\WINDOWS\SYSTEM32\drivers\mfebopk.sys
2007-08-05 08:00 32,008 --a------ C:\WINDOWS\SYSTEM32\drivers\mferkdk.sys
2007-08-05 08:00 170,408 --a------ C:\WINDOWS\SYSTEM32\drivers\mfehidk.sys
2007-08-05 08:00 109,608 --a------ C:\WINDOWS\SYSTEM32\drivers\Mpfp.sys
2007-08-05 07:59 <DIR> d-------- C:\Program Files\McAfee.com
2007-08-05 07:59 <DIR> d-------- C:\Program Files\McAfee
2007-08-05 07:59 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-08-05 07:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-08-03 16:22 <DIR> d-------- C:\WINDOWS\pss


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-11 10:17 --------- d-------- C:\Program Files\QuickTime
2007-05-16 11:12 86528 --a------ C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --a------ C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 --a------ C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --a------ C:\WINDOWS\system32\dllcache\msoe.dll
2001-07-22 02:45:40 94,784 -csh--w C:\WINDOWS\twain.dll
2004-08-04 07:56:46 50,688 -csh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56:42 1,028,096 --sha-w C:\WINDOWS\SYSTEM32\mfc42.dll
2004-08-04 07:56:43 54,784 -csha-w C:\WINDOWS\SYSTEM32\msvcirt.dll
2004-08-04 07:56:43 413,696 --sha-w C:\WINDOWS\SYSTEM32\msvcp60.dll
2004-08-04 07:56:44 553,472 --sh--w C:\WINDOWS\SYSTEM32\oleaut32.dll
2004-08-04 07:56:44 83,456 --sha-w C:\WINDOWS\SYSTEM32\olepro32.dll
2004-08-04 07:56:55 11,776 --sh--w C:\WINDOWS\SYSTEM32\regsvr32.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-06-15 18:34]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-12 12:32]
"PS2"="C:\WINDOWS\system32\ps2.exe" []
"POINTER"="point32.exe" []
"nwiz"="nwiz.exe" [2003-07-28 15:19 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 15:19]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-08-07 20:25]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 12:04]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-07 19:36]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disabletaskmgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R3 IPFilter;Microsoft IntelliPoint Features driver;C:\WINDOWS\system32\DRIVERS\IPFilter.sys
R3 ltmodem5;LT Modem Driver;C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys
S3 dbustrcm;dbustrcm;\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\dbustrcm.sys
S3 PcdrNt;PcdrNt;C:\WINDOWS\system32\drivers\PcdrNt.sys
S3 SECYPUSB;SAMSUNG YEPP2;C:\WINDOWS\system32\Drivers\SECYPUSB.sys
S3 wandrv;WAN Network Driver;C:\WINDOWS\system32\DRIVERS\wandrv.sys

*Newly Created Service* - CATCHME

Contents of the 'Scheduled Tasks' folder
2001-12-08 17:30:08 C:\WINDOWS\Tasks\ISP signup reminder 3.job - C:\WINDOWS\System32\OOBE\oobebaln.exe
2007-08-05 11:59:59 C:\WINDOWS\Tasks\McDefragTask.job - c:\program files\mcafee\mqc\QcConsol.exe
2007-08-05 11:59:58 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe
2001-12-08 17:30:08 C:\WINDOWS\Tasks\Registration reminder 2.job - C:\WINDOWS\System32\OOBE\oobebaln.exe
2001-12-08 17:30:08 C:\WINDOWS\Tasks\Registration reminder 3.job - C:\WINDOWS\System32\OOBE\oobebaln.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-11 16:41:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-11 16:43:40
C:\ComboFix-quarantined-files.txt ... 2007-08-11 16:43

--- E O F ---
and the HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:51:36 PM, on 8/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yaho...bio5_0_2_1.cab
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5132 bytes

[sUBs]

Do a HijackThis scan & place a check next to these items and select "Fix checked":

O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')


---------------


Click here perform an online scan >> Online Scanner


---------------


In your next post, please include fresh logs from:

1. Fresh Hijackthis log taken just before replying
2. Online scan

Please provide details of any problems you encountered whilst performing the above steps

[steampunkx]

Thanks sUBs,

Kas.txt attached, HJK log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:42:51 PM, on 8/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yaho...bio5_0_2_1.cab
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5233 bytes


Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: false
Scan Mail Bases: false

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 59865
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:52:46

[sUBs]

Kaspersky gave you a clean bill of health. Only thing not fixed yet is this entry:

O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')


Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:

@echo off
vfind -lrtf %systemdrive%\AutoPlay.exe >logit.txt
if exist logit.txt start notepad logit.txt
nircmd wait 2000
del logit.txt
del %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says

[steampunkx]

logit.txt says:

Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0

which sounds good, no?

[sUBs]

The results do not match with HJT's report. Please post a fresh HJT log.

[steampunkx]

Oy Vey!

Latest HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:12 PM, on 8/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yaho...bio5_0_2_1.cab
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5184 bytes

[steampunkx]

Ok, I'm going to bed. Will post when I'm active again.

[steampunkx]

I'm up! This thread is live!

[sUBs]

This is a slightly different batchfile from the one I had you run earlier:

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:

@echo off
vfind -ltf %systemdrive%\AutoPlay.exe >logit.txt
if exist logit.txt start notepad logit.txt
nircmd wait 2000
del logit.txt
del %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says[

[steampunkx]

fix.bat reports:

----a-w 36,864 2001-08-27 20:52:06 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\AutoPlay.exe
-c--a-w 36,864 2001-08-27 20:52:06 C:\Documents and Settings\Default User\Start Menu\Programs\Startup\AutoPlay.exe
-c----w 36,864 2001-08-27 20:52:06 C:\hp\bin\AUTOPLAY.EXE

Entries: 3 (3)
Directories: 0 Files: 3
Bytes: 110,592 Blocks: 216

[sUBs]

Hmmm ...entry's legit. It's related to HP. We'll leave it be.


Your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

1. ANTIVIRUS SOFTWARE
   It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
   
2. FIREWALL
   Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here ? http://www.bleepingcomputer.com/forums/tutorial60.html
   
   
   
3. Microsoft Windows Update ? http://www.windowsupdate.com
   Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
   
4. SPYWAREBLASTER
   SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.
   
   Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here ? http://www.bleepingcomputer.com/forums/tutorial49.html
   
   
   
5. IE-SPYAD
   IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here http://www.spywarewarrior.com/uiuc/resource.htm

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.

[steampunkx]

Wow! Thanks a million! it's been a heck of a trip. I'll definitely be donating to your cause!

SPX