A mess with ads and popups

[Alexlonebear]

Hi TheBruce1
Sorry it has taken me a bit to reply but nomally I get an
email notice that some has sent me somethng. I didn't get that with this. In the future I'll check here anyway. You were right about the size of the Panda log, 4.14 MB.
I going to paste the other two logs in this post. I assume you want me to try the Panda log the same way. I've tried it once but I'm going to try it again on a post all by itself. I'll also make sure I check back here often.
Hank


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:54:00 AM, on 12/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Photoshop CS\Photoshop.exe
C:\DOCUME~1\Hank\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\Hank\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/channel/START
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\Hotsync.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 3324 bytes




ComboFix 07-12-02.7 - Hank 2007-12-04 9:40:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.648 [GMT -5:00]
Running from: C:\Documents and Settings\Hank\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\xcrkrubg.dll
C:\Documents and Settings\Hank\Application Data\privprotect.exe
C:\Documents and Settings\Hank\err.log
C:\Documents and Settings\Hank\My Documents\SEMBLY~1
C:\Documents and Settings\Hank\My Documents\SEMBLY~1\?vchost.exe
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\Common Files\Yazzle1549OinAdmin.exe
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\Program Files\folder.js\
C:\Program Files\Opera\rteme.html
C:\Program Files\pppatc~1
C:\Program Files\pppatc~1\?ppPatch\
C:\Program Files\pppatc~1\wucrtupd.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\abW9
C:\Temp\abW9\tPho.log
C:\temp\tn3
C:\WINDOWS\system32\a1
C:\WINDOWS\system32\bcddclbh.ini
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\e1
C:\WINDOWS\system32\fibagbia
C:\WINDOWS\system32\fibagbia\bg1.gif
C:\WINDOWS\system32\fibagbia\bgtop.gif
C:\WINDOWS\system32\fibagbia\bottom1.gif
C:\WINDOWS\system32\fibagbia\essentials.gif
C:\WINDOWS\system32\fibagbia\fibagbia1.exe
C:\WINDOWS\system32\fibagbia\fibagbia2.exe
C:\WINDOWS\system32\fibagbia\fibagbia3.exe
C:\WINDOWS\system32\fibagbia\icon1.ico
C:\WINDOWS\system32\fibagbia\install1.gif
C:\WINDOWS\system32\fibagbia\left1.gif
C:\WINDOWS\system32\fibagbia\li.gif
C:\WINDOWS\system32\fibagbia\logo.gif
C:\WINDOWS\system32\fibagbia\main.htm
C:\WINDOWS\system32\fibagbia\mainframe.htm
C:\WINDOWS\system32\fibagbia\reinstall1.gif
C:\WINDOWS\system32\fibagbia\right1.gif
C:\WINDOWS\system32\fibagbia\s1.htm
C:\WINDOWS\system32\fibagbia\s2.htm
C:\WINDOWS\system32\fibagbia\s3.htm
C:\WINDOWS\system32\fibagbia\SMTop1.gif
C:\WINDOWS\system32\fibagbia\SMTop2.gif
C:\WINDOWS\system32\fibagbia\SMTop3.gif
C:\WINDOWS\system32\fibagbia\SMTop4.gif
C:\WINDOWS\system32\fibagbia\soft1_off.gif
C:\WINDOWS\system32\fibagbia\soft1_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft1_on.gif
C:\WINDOWS\system32\fibagbia\soft1_on_ext.gif
C:\WINDOWS\system32\fibagbia\soft2_off.gif
C:\WINDOWS\system32\fibagbia\soft2_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft2_on.gif
C:\WINDOWS\system32\fibagbia\soft2_on_ext.gif
C:\WINDOWS\system32\fibagbia\soft3_off.gif
C:\WINDOWS\system32\fibagbia\soft3_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft3_on.gif
C:\WINDOWS\system32\fibagbia\soft3_on_ext.gif
C:\WINDOWS\system32\fibagbia\softbottom_off.gif
C:\WINDOWS\system32\fibagbia\softbottom_on.gif
C:\WINDOWS\system32\fibagbia\softleft_off.gif
C:\WINDOWS\system32\fibagbia\softleft_on.gif
C:\WINDOWS\system32\fibagbia\top1.gif
C:\WINDOWS\system32\fibagbia\top2.gif
C:\WINDOWS\system32\fibagbia\turnoff1.gif
C:\WINDOWS\system32\fibagbia\turnon1.gif
C:\WINDOWS\system32\g2
C:\WINDOWS\system32\g2\bemwdll3.exe
C:\WINDOWS\system32\hblcddcb.dll
C:\WINDOWS\system32\hpnftbua.dll
C:\WINDOWS\system32\i2
C:\WINDOWS\system32\n8
C:\WINDOWS\system32\n8\ensts2dll.exe
C:\WINDOWS\system32\opnmkjj.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rMa02yy
C:\WINDOWS\system32\rMa02yy\rMa02yy1099.exe
C:\WINDOWS\system32\uujofwtx.exe
C:\WINDOWS\system32\wapiiit.exe
C:\WINDOWS\system32\wrycgywn.dll
C:\WINDOWS\system32\xlibgfl254.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_FMTR
-------\LEGACY_NETWORK_MONITOR
-------\core


((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.

2007-12-03 17:47 . 2007-12-03 17:47 <DIR> d-------- C:\Deckard
2007-12-02 14:00 . 2007-12-02 14:00 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-02 12:56 . 2007-12-02 12:56 <DIR> d-------- C:\VundoFix Backups
2007-12-02 00:22 . 2007-12-02 00:22 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-12-02 00:21 . 2007-12-02 09:35 <DIR> d-------- C:\Program Files\SpyNoMore
2007-12-02 00:20 . 2007-12-02 00:20 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-12-01 21:49 . 2007-12-01 21:49 <DIR> d-------- C:\Program Files\AdwareAlert
2007-12-01 21:49 . 2007-12-01 22:11 <DIR> d-------- C:\Documents and Settings\Hank\Application Data\AdwareAlert
2007-11-20 12:04 . 2007-12-01 13:55 793,724 ---hs---- C:\WINDOWS\system32\uuuxpqva.ini
2007-11-20 11:20 . 2007-12-02 10:17 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-19 17:28 . 2007-11-19 17:28 <DIR> d-------- C:\Program Files\E404 Helper
2007-11-19 17:23 . 2007-11-19 17:23 <DIR> d-------- C:\Program Files\Tfbbwtah
2007-11-19 17:23 . 2007-11-19 17:23 <DIR> d-------- C:\Program Files\rcxcdsxg
2007-11-19 17:23 . 2007-11-19 17:23 1,147,424 --a------ C:\Install
2007-11-19 17:22 . 2007-11-19 17:24 <DIR> d-------- C:\Documents and Settings\Hank\Application Data\SpyGuardPro
2007-11-19 17:05 . 2007-11-19 17:45 <DIR> d--hs---- C:\WINDOWS\SGFuaw
2007-11-18 20:35 . 2007-11-18 20:35 <DIR> d-------- C:\Temp\PALM
2007-11-18 20:35 . 2007-11-18 20:35 <DIR> d-------- C:\Temp\2577

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 14:47 --------- d-----w C:\Program Files\Opera
2007-12-01 18:53 --------- d-----w C:\Program Files\PC Tools AntiVirus
2007-10-15 03:10 139,432 ----a-w C:\Documents and Settings\Hank\Application Data\GDIPFONTCACHEV1.DAT
2007-06-14 09:22 2,231 ----a-w C:\Program Files\folder.js
2006-06-12 20:52 5,187 ----a-w C:\Documents and Settings\Incomplete\downloads.dat
2006-03-17 08:16 22 ----a-w C:\Documents and Settings\Music Downloads\nik Color Efex Pro 2.0 (Photoshop Plug.zip
2006-03-16 03:04 0 ----a-w C:\Documents and Settings\Incomplete\T-15872-nik color efex.exe
2006-02-03 17:21 2,255 ----a-w C:\Documents and Settings\Music Downloads\teps.zip
2005-12-12 03:00 4,126,240 ----a-w C:\Documents and Settings\Music Downloads\picasa2-current.exe
2005-12-12 03:00 3,707,944 ----a-w C:\Documents and Settings\Music Downloads\picasa-google-free.exe
2005-12-12 02:55 22 ----a-w C:\Documents and Settings\Music Downloads\Picasa 2.1.0.zip
2004-02-02 21:40 560 ----a-w C:\Documents and Settings\Hank\PCDOC.BAT
2005-08-02 21:46 187,904 --sha-r C:\WINDOWS\SGFuaw\asappsrv.dll
2005-07-29 21:24 472 --sha-r C:\WINDOWS\SGFuaw\m3IRuT.vbs
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4574ECBE-7799-48C7-A514-C499EAB88AD8}]
C:\WINDOWS\system32\sstqp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F42E612-4210-4896-BEEF-D2E484659561}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50A3D411-02D2-4AA8-9EF8-953C513AF631}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 08:50 C:\WINDOWS\LOGI_MWX.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 13:46 C:\WINDOWS\KHALMNPR.Exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [2007-12-02 00:22]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" []
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-12-13 15:13]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2006-05-29 12:41:29]
HOTSYNCSHORTCUTNAME.lnk - C:\Palm\Hotsync.exe [2004-06-09 14:27:34]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [2006-08-17 14:57 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wineak32]
wineak32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LimeWire 4.0.8.lnk]
backup=C:\WINDOWS\pss\LimeWire 4.0.8.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PhotoCAL Startup.lnk]
backup=C:\WINDOWS\pss\PhotoCAL Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Hank^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Hank^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
backup=C:\WINDOWS\pss\PowerReg SchedulerV2.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Hank^Start Menu^Programs^Startup^Virtual Bouncer.lnk]
backup=C:\WINDOWS\pss\Virtual Bouncer.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiware]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Open Site]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyKiller]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Macromedia Licensing Service"=3 (0x3)

R1 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
R3 SQTECH930B;Motion Track Webcam;C:\WINDOWS\system32\Drivers\Capt930b.sys
S1 AEC671X;AEC671X;C:\WINDOWS\system32\drivers\AEC671X.SYS
S1 DMX3191;DMX3191;C:\WINDOWS\system32\drivers\DMX3191.SYS
S2 UDNT;UDNT;C:\WINDOWS\system32\drivers\UDNT.sys
S3 cvspydr2;ColorVision Spyder 2;C:\WINDOWS\system32\DRIVERS\cvspydr2.sys
S3 EPUSBSTOR;EPSON USB Storage Driver;C:\WINDOWS\system32\DRIVERS\epusbsto.sys
S3 NUVision;Pinnacle LINX;C:\WINDOWS\system32\DRIVERS\NUVision.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53de9c33-01c0-11dc-8070-0040ca587ccf}]
\Shell\AutoRun\command - G:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - G:\system\viewer\FlipVideoforPC.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-04 08:00:01 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 09:58:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-04 10:01:03 - machine was rebooted
.
--- E O F ---

[Alexlonebear]

Hi,
It appears that another cut and paste version of the Panda logs did not work. I can't even try to do an attachment as there is no "Manage attachment" choice
under the options menu at the bottom of the "reply to Thread" screen. Just this:

Attach Files
Valid file extensions: bmp doc gif jpe jpeg jpg pdf png psd rar txt zip

It was there when I sent something to you a few days ago but it has dissapeared, as has any of the other graphics on the "Reply to thread" page.
Suggestions?

Hank

[tetonbob]

Hi Hank -

You can zip up the file, (right click, send to > compressed file) and upload it here, so TheBruce1 can review it:

http://www.bleepingcomputer.com/subm...php?channel=28

[TheBruce1]

Hi Alex

If you are unable to post the Panda scan in this forum,please follow tetonbob advise.Also the combofix log you have posted is from 2007-12-04 9:40:23.1

Look for the combofix log with the date 2007-12-07,if you ran it today.

[Alexlonebear]

Hey TheBruce1,

Sorry to be so dense.
I think I know how to ZIP a file,
I have WINZIP.
But when Tetonbob says post the zipped file "here" does he mean on this forum or on the website that he gives the address for.
Also, can I paste a ZIP file into the copy?
The ComboFix file was old because I started to send it when I started trying to send the Scan from Panda.
I'm pasteing a new one here.
It just occured to me.
The Panda scan is 3 days old also.
Should I run a new one before I try to send it again.


ComboFix 07-12-02.7 - Hank 2007-12-07 19:48:41.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.572 [GMT -5:00]
Running from: C:\Documents and Settings\Hank\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-08 to 2007-12-08 )))))))))))))))))))))))))))))))
.

2007-12-07 13:42 . 2007-12-07 13:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-07 13:42 . 2007-12-07 13:42 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-05 12:02 . 2007-12-05 14:51 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-05 12:02 . 2007-12-05 12:02 <DIR> d-------- C:\WINDOWS\LastGood
2007-12-05 12:02 . 2007-12-05 12:02 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-05 12:02 . 2007-12-05 12:02 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-05 12:02 . 2007-12-05 12:02 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-04 10:07 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-12-04 10:07 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-12-04 10:07 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-12-04 10:07 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-12-03 17:47 . 2007-12-03 17:47 <DIR> d-------- C:\Deckard
2007-12-02 14:00 . 2007-12-02 14:00 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-02 00:22 . 2007-12-02 00:22 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-12-02 00:21 . 2007-12-07 02:00 <DIR> d-------- C:\Program Files\SpyNoMore
2007-12-02 00:20 . 2007-12-02 00:20 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-11-18 20:35 . 2007-11-18 20:35 <DIR> d-------- C:\Temp\PALM
2007-11-18 20:35 . 2007-11-18 20:35 <DIR> d-------- C:\Temp\2577

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-05 19:25 --------- d-----w C:\Program Files\Spyware Doctor
2007-12-05 19:10 --------- d-----w C:\Program Files\PC Tools AntiVirus
2007-12-05 18:59 --------- d-----w C:\Program Files\EvidenceNuker
2007-12-04 14:47 --------- d-----w C:\Program Files\Opera
2007-10-15 03:10 139,432 ----a-w C:\Documents and Settings\Hank\Application Data\GDIPFONTCACHEV1.DAT
2006-03-17 08:16 22 ----a-w C:\Documents and Settings\Music Downloads\nik Color Efex Pro 2.0 (Photoshop Plug.zip
2006-02-03 17:21 2,255 ----a-w C:\Documents and Settings\Music Downloads\teps.zip
2005-12-12 03:00 4,126,240 ----a-w C:\Documents and Settings\Music Downloads\picasa2-current.exe
2005-12-12 03:00 3,707,944 ----a-w C:\Documents and Settings\Music Downloads\picasa-google-free.exe
2005-12-12 02:55 22 ----a-w C:\Documents and Settings\Music Downloads\Picasa 2.1.0.zip
2004-02-02 21:40 560 ----a-w C:\Documents and Settings\Hank\PCDOC.BAT
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((( snapshot_2007-12-05_11.33.56.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 13:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
+ 2007-03-29 14:20:50 110,592 ----a-w C:\WINDOWS\system32\ActiveScan\as.dll
+ 2006-10-05 21:15:26 233,472 ----a-w C:\WINDOWS\system32\ActiveScan\ascontrol.dll
+ 2005-06-03 19:03:18 96,256 ----a-w C:\WINDOWS\system32\ActiveScan\asmdat.dll
+ 2003-08-01 16:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
+ 2005-05-20 18:42:44 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\instlsp.dll
+ 2006-02-16 23:20:20 4,608 ----a-w C:\WINDOWS\system32\ActiveScan\memvfile.dll
+ 2005-10-25 23:08:32 348,160 ----a-w C:\WINDOWS\system32\ActiveScan\msvcr71.dll
+ 2004-05-04 20:01:02 139,264 ----a-w C:\WINDOWS\system32\ActiveScan\pavaleas.dll
+ 2006-07-14 18:04:10 45,056 ----a-w C:\WINDOWS\system32\ActiveScan\pavdr.exe
+ 2006-04-10 15:50:02 159,832 ----a-w C:\WINDOWS\system32\ActiveScan\pavexcom.dll
+ 2006-02-14 18:05:38 94,208 ----a-w C:\WINDOWS\system32\ActiveScan\pavinas.dll
+ 2006-02-16 23:35:38 180,224 ----a-w C:\WINDOWS\system32\ActiveScan\pavoe.dll
+ 2006-10-05 21:15:38 122,880 ----a-w C:\WINDOWS\system32\ActiveScan\pavpz.dll
+ 2006-06-30 19:13:38 8,704 ----a-w C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
+ 2004-02-04 19:08:42 49,152 ----a-w C:\WINDOWS\system32\ActiveScan\port32.dll
+ 2006-08-01 18:23:10 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pscpu.dll
+ 2006-08-23 1808 1,388,544 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2006-08-17 16:38:14 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\pskalloc.dll
+ 2006-09-04 16:49:54 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\pskas.dll
+ 2006-08-18 13:46:18 779,264 ----a-w C:\WINDOWS\system32\ActiveScan\pskavs.dll
+ 2007-03-26 19:25:34 417,792 ----a-w C:\WINDOWS\system32\ActiveScan\pskcmp.dll
+ 2006-08-09 15:42:24 90,112 ----a-w C:\WINDOWS\system32\ActiveScan\pskfss.dll
+ 2006-07-19 15:55:58 208,896 ----a-w C:\WINDOWS\system32\ActiveScan\pskhtml.dll
+ 2006-01-20 21:57:00 9,728 ----a-w C:\WINDOWS\system32\ActiveScan\pskmas.dll
+ 2006-05-17 14:50:12 14,336 ----a-w C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
+ 2006-08-16 15:58:12 33,280 ----a-w C:\WINDOWS\system32\ActiveScan\pskpack.dll
+ 2006-06-30 19:42:36 266,240 ----a-w C:\WINDOWS\system32\ActiveScan\pskscs.dll
+ 2006-08-17 19:33:14 62,976 ----a-w C:\WINDOWS\system32\ActiveScan\pskutil.dll
+ 2006-08-08 18:13:10 13,312 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfile.dll
+ 2006-08-18 13:53:08 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfs.dll
+ 2006-08-18 13:49:50 167,936 ----a-w C:\WINDOWS\system32\ActiveScan\pskvm.dll
+ 2007-04-18 22:16:04 353,840 ----a-w C:\WINDOWS\system32\ActiveScan\psscan.dll
+ 2007-01-22 19:42:48 35,328 ----a-w C:\WINDOWS\system32\ActiveScan\rawvfile.dll
+ 1997-09-18 11:12:32 9,488 ----a-w C:\WINDOWS\system32\ActiveScan\sporder.dll
+ 2006-02-28 22:23:40 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
+ 2006-08-02 17:39:06 73,728 ----a-w C:\WINDOWS\system32\asuninst.exe
+ 2003-03-25 23:53:50 11,776 ----a-w C:\WINDOWS\system32\ZPORT4AS.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 08:50 C:\WINDOWS\LOGI_MWX.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 13:46 C:\WINDOWS\KHALMNPR.Exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [2007-12-02 00:22]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-06-15 08:56]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-12-13 15:13]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2006-05-29 12:41:29]
HOTSYNCSHORTCUTNAME.lnk - C:\Palm\Hotsync.exe [2004-06-09 14:27:34]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [2006-08-17 14:57 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LimeWire 4.0.8.lnk]
backup=C:\WINDOWS\pss\LimeWire 4.0.8.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PhotoCAL Startup.lnk]
backup=C:\WINDOWS\pss\PhotoCAL Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Hank^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Hank^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
backup=C:\WINDOWS\pss\PowerReg SchedulerV2.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Macromedia Licensing Service"=3 (0x3)

R1 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
R3 SQTECH930B;Motion Track Webcam;C:\WINDOWS\system32\Drivers\Capt930b.sys
S1 AEC671X;AEC671X;C:\WINDOWS\system32\drivers\AEC671X.SYS
S1 DMX3191;DMX3191;C:\WINDOWS\system32\drivers\DMX3191.SYS
S2 UDNT;UDNT;C:\WINDOWS\system32\drivers\UDNT.sys
S3 cvspydr2;ColorVision Spyder 2;C:\WINDOWS\system32\DRIVERS\cvspydr2.sys
S3 EPUSBSTOR;EPSON USB Storage Driver;C:\WINDOWS\system32\DRIVERS\epusbsto.sys
S3 NUVision;Pinnacle LINX;C:\WINDOWS\system32\DRIVERS\NUVision.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53de9c33-01c0-11dc-8070-0040ca587ccf}]
\Shell\AutoRun\command - G:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - G:\system\viewer\FlipVideoforPC.exe

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-07 19:54:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-07 20:01:43
C:\ComboFix2.txt ... 2007-12-05 11:37
C:\ComboFix3.txt ... 2007-12-04 10:01
.
--- E O F ---

[tetonbob]

Hi Hank -

Sorry if I wasn't clear...yes, please use the link I gave, if you're having difficulties attaching the file in this thread.

If Winzip poses a problem, Windows has a built in compression (zip) tool also.

Right click on the file, and on the context menu, it should look like this:

[Alexlonebear]

Hi TheBruce1,

The file is Zipped and is posted on the web site Tetonbob suggested. I used the same username "Alexlonebear" so you should have no problem finding it. Also, "Manage Attachment" has reappeared, along with the "Smiles" so I will also try to attach the file to this post.
Hank

[TheBruce1]

Hi Alex

Got the Panda zip file and thanks again to tetonbob for his help.

=================

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

SpyNoMore SpyNoMore was listed on this page because of concerns with false positives. Testing with the latest version of the program indicates that the problems with earlier versions have been satisfactorily resolved. Thus, we can no longer consider SpyNoMore to be "rogue/suspect" anti-spyware.
http://www.spywarewarrior.com/rogue_anti-spyware.htm

===================

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

KillAll::

File::
C:\Documents and Settings\Hank\Favorites\Casino & Adult

Folder::
C:\Downloads\Adobe InDesign CS crack.zip
C:\Program Files\EvidenceNuker

Registry::
[-HKEY_CLASSES_ROOT\clsid\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}]

Save this as CFscript




Refering to the picture above, drag CFscript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

============================

I see you have Cleanup installed.Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files (if present)
• Cleanup! All Users
• Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.

Click OK
Press the CleanUp! button to start the program.. Once it's finished Cleanup will ask you to logoff/reboot. Please select NO as we will do this later.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

=========================

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

===========================
Logs Required
C:\Combofix.txt
Hijackthis log

[TheBruce1]

Double post by mistake.

[Alexlonebear]

Hi TheBruce1,
You'll find the logs you requested below.
A couple notes on "Cleanup".
There was no "Empty Recycle Bins" under "Custom cleanup"
I checked the recycle bins on my desktop and Explore
and they are empty.
Neat sound effects on "Cleanup" though.
Thanks
Hank


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:53:00 AM, on 12/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/channel/START
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\Hotsync.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 3233 bytes

---------------------------------------------------------------------------------------------

ComboFix 07-12-02.7 - Hank 2007-12-09 5:26:35.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.578 [GMT -5:00]
Running from: C:\Documents and Settings\Hank\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Hank\Desktop\CFscript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Hank\Favorites\Casino & Adult
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Downloads\Adobe InDesign CS crack.zip\
C:\Program Files\EvidenceNuker
C:\Program Files\EvidenceNuker\enuker.exe
C:\Program Files\EvidenceNuker\enuker.ini
C:\Program Files\EvidenceNuker\EvidenceNuker.chm
C:\Program Files\EvidenceNuker\mfc71.dll
C:\Program Files\EvidenceNuker\msvcp71.dll
C:\Program Files\EvidenceNuker\msvcr71.dll
C:\Program Files\EvidenceNuker\shellext0.dll
C:\Program Files\EvidenceNuker\uninstall.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-09 to 2007-12-09 )))))))))))))))))))))))))))))))
.

2007-12-07 13:42 . 2007-12-07 13:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-07 13:42 . 2007-12-07 13:42 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-05 12:02 . 2007-12-05 14:51 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-05 12:02 . 2007-12-05 12:02 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-12-05 12:02 . 2007-12-05 12:02 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-05 12:02 . 2007-12-05 12:02 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-05 12:02 . 2007-12-05 12:02 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-04 10:07 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-12-04 10:07 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-12-04 10:07 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-12-04 10:07 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-12-03 17:47 . 2007-12-03 17:47 <DIR> d-------- C:\Deckard
2007-12-02 14:00 . 2007-12-02 14:00 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-02 00:22 . 2007-12-02 00:22 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-12-02 00:21 . 2007-12-09 02:00 <DIR> d-------- C:\Program Files\SpyNoMore
2007-12-02 00:20 . 2007-12-02 00:20 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-11-18 20:35 . 2007-11-18 20:35 <DIR> d-------- C:\Temp\PALM
2007-11-18 20:35 . 2007-11-18 20:35 <DIR> d-------- C:\Temp\2577

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-05 19:25 --------- d-----w C:\Program Files\Spyware Doctor
2007-12-05 19:10 --------- d-----w C:\Program Files\PC Tools AntiVirus
2007-12-04 14:47 --------- d-----w C:\Program Files\Opera
2007-10-15 03:10 139,432 ----a-w C:\Documents and Settings\Hank\Application Data\GDIPFONTCACHEV1.DAT
2006-03-17 08:16 22 ----a-w C:\Documents and Settings\Music Downloads\nik Color Efex Pro 2.0 (Photoshop Plug.zip
2006-02-03 17:21 2,255 ----a-w C:\Documents and Settings\Music Downloads\teps.zip
2005-12-12 03:00 4,126,240 ----a-w C:\Documents and Settings\Music Downloads\picasa2-current.exe
2005-12-12 03:00 3,707,944 ----a-w C:\Documents and Settings\Music Downloads\picasa-google-free.exe
2005-12-12 02:55 22 ----a-w C:\Documents and Settings\Music Downloads\Picasa 2.1.0.zip
2004-02-02 21:40 560 ----a-w C:\Documents and Settings\Hank\PCDOC.BAT
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 08:50 C:\WINDOWS\LOGI_MWX.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 13:46 C:\WINDOWS\KHALMNPR.Exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [2007-12-02 00:22]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-06-15 08:56]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-12-13 15:13]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2006-05-29 12:41:29]
HOTSYNCSHORTCUTNAME.lnk - C:\Palm\Hotsync.exe [2004-06-09 14:27:34]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [2006-08-17 14:57 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LimeWire 4.0.8.lnk]
backup=C:\WINDOWS\pss\LimeWire 4.0.8.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PhotoCAL Startup.lnk]
backup=C:\WINDOWS\pss\PhotoCAL Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Hank^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Hank^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
backup=C:\WINDOWS\pss\PowerReg SchedulerV2.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Macromedia Licensing Service"=3 (0x3)

R1 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
R3 SQTECH930B;Motion Track Webcam;C:\WINDOWS\system32\Drivers\Capt930b.sys
S1 AEC671X;AEC671X;C:\WINDOWS\system32\drivers\AEC671X.SYS
S1 DMX3191;DMX3191;C:\WINDOWS\system32\drivers\DMX3191.SYS
S2 UDNT;UDNT;C:\WINDOWS\system32\drivers\UDNT.sys
S3 cvspydr2;ColorVision Spyder 2;C:\WINDOWS\system32\DRIVERS\cvspydr2.sys
S3 EPUSBSTOR;EPSON USB Storage Driver;C:\WINDOWS\system32\DRIVERS\epusbsto.sys
S3 NUVision;Pinnacle LINX;C:\WINDOWS\system32\DRIVERS\NUVision.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53de9c33-01c0-11dc-8070-0040ca587ccf}]
\Shell\AutoRun\command - G:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - G:\system\viewer\FlipVideoforPC.exe

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 05:35:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-09 5:41:54 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-07 20:01
C:\ComboFix3.txt ... 2007-12-05 11:37
.
--- E O F ---

[TheBruce1]

Hello again Hank

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

Java 2 Runtime Environment Standard Edition v1.3.1_04
Java 2 Runtime Environment, SE v1.4.2_03

Reboot when both have been removed

======================

Click start>run>type C:\WINDOWS
*Locate NOTEPAD.EXE and right-click on it.
*Select Copy

Now click start>run again>type> C:\WINDOWS\system32\dllcache click ok.
*Click on the Edit Button at top and select Paste.
*Close window.

Click start>run>type> C:\WINDOWS\system32 click ok.
*Click on the Edit Button at top and select Paste.
*Close window.

This will give you copies of notepad in dllcache and system32 folders.

===============================

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

DirLook::
C:\Temp\PALM
C:\Temp\2577

Save this as CFscript




Refering to the picture above, drag CFscript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Warning:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

==============================

JAVA OUTDATED


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 6 U3.
• Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
• Click the "Download" button to the right.
• Check the box that says: "Accept License Agreement".
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser
• Then from your desktop double-click on jre-6-windowsi586-p.exe to install the newest version.

============================

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

============================
Logs Required
C:\Combofix.txt
Hijackthis log

[Alexlonebear]

Hi again TheBruce1
Well I think I got everything you wanted done
without to much confusion.
Here are the asked for logs.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:04:02 PM, on 12/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/channel/START
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 3617 bytes

--------------------------------------------------------------------------------------------

ComboFix 07-12-02.7 - Hank 2007-12-09 12:47:38.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.534 [GMT -5:00]
Running from: C:\Documents and Settings\Hank\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Hank\Desktop\CFscript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-09 to 2007-12-09 )))))))))))))))))))))))))))))))
.

2007-12-09 12:43 . 2004-08-04 02:56 69,120 --a------ C:\WINDOWS\system32\notepad.exe
2007-12-09 12:43 . 2004-08-04 02:56 69,120 --a--c--- C:\WINDOWS\system32\dllcache\notepad.exe
2007-12-07 13:42 . 2007-12-07 13:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-07 13:42 . 2007-12-07 13:42 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-05 12:02 . 2007-12-05 14:51 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-05 12:02 . 2007-12-05 12:02 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-05 12:02 . 2007-12-05 12:02 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-05 12:02 . 2007-12-05 12:02 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-04 10:07 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-12-04 10:07 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-12-04 10:07 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-12-04 10:07 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-12-03 17:47 . 2007-12-03 17:47 <DIR> d-------- C:\Deckard
2007-12-02 14:00 . 2007-12-02 14:00 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-02 00:22 . 2007-12-02 00:22 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-12-02 00:21 . 2007-12-09 02:00 <DIR> d-------- C:\Program Files\SpyNoMore
2007-12-02 00:20 . 2007-12-02 00:20 <DIR> d-------- C:\Program Files\Common Files\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-05 19:25 --------- d-----w C:\Program Files\Spyware Doctor
2007-12-05 19:10 --------- d-----w C:\Program Files\PC Tools AntiVirus
2007-12-04 14:47 --------- d-----w C:\Program Files\Opera
2007-10-15 03:10 139,432 ----a-w C:\Documents and Settings\Hank\Application Data\GDIPFONTCACHEV1.DAT
2006-03-17 08:16 22 ----a-w C:\Documents and Settings\Music Downloads\nik Color Efex Pro 2.0 (Photoshop Plug.zip
2006-02-03 17:21 2,255 ----a-w C:\Documents and Settings\Music Downloads\teps.zip
2005-12-12 03:00 4,126,240 ----a-w C:\Documents and Settings\Music Downloads\picasa2-current.exe
2005-12-12 03:00 3,707,944 ----a-w C:\Documents and Settings\Music Downloads\picasa-google-free.exe
2005-12-12 02:55 22 ----a-w C:\Documents and Settings\Music Downloads\Picasa 2.1.0.zip
2004-02-02 21:40 560 ----a-w C:\Documents and Settings\Hank\PCDOC.BAT
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Temp\2577 ----

C:\Temp\2577\

---- Directory of C:\Temp\PALM ----

C:\Temp\PALM\


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 08:50 C:\WINDOWS\LOGI_MWX.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 13:46 C:\WINDOWS\KHALMNPR.Exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [2007-12-02 00:22]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-06-15 08:56]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-12-13 15:13]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2006-05-29 12:41:29]
HOTSYNCSHORTCUTNAME.lnk - C:\Palm\Hotsync.exe [2004-06-09 14:27:34]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [2006-08-17 14:57 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LimeWire 4.0.8.lnk]
backup=C:\WINDOWS\pss\LimeWire 4.0.8.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PhotoCAL Startup.lnk]
backup=C:\WINDOWS\pss\PhotoCAL Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Hank^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Hank^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
backup=C:\WINDOWS\pss\PowerReg SchedulerV2.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Macromedia Licensing Service"=3 (0x3)

R1 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
R3 SQTECH930B;Motion Track Webcam;C:\WINDOWS\system32\Drivers\Capt930b.sys
S1 AEC671X;AEC671X;C:\WINDOWS\system32\drivers\AEC671X.SYS
S1 DMX3191;DMX3191;C:\WINDOWS\system32\drivers\DMX3191.SYS
S2 UDNT;UDNT;C:\WINDOWS\system32\drivers\UDNT.sys
S3 cvspydr2;ColorVision Spyder 2;C:\WINDOWS\system32\DRIVERS\cvspydr2.sys
S3 EPUSBSTOR;EPSON USB Storage Driver;C:\WINDOWS\system32\DRIVERS\epusbsto.sys
S3 NUVision;Pinnacle LINX;C:\WINDOWS\system32\DRIVERS\NUVision.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53de9c33-01c0-11dc-8070-0040ca587ccf}]
\Shell\AutoRun\command - G:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - G:\system\viewer\FlipVideoforPC.exe

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 12:51:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-09 12:54:41
C:\ComboFix2.txt ... 2007-12-09 05:41
C:\ComboFix3.txt ... 2007-12-07 20:01
.
--- E O F ---

[TheBruce1]

Well done Alex,your logs are clean.

Click start>run>type(or copy/paste command into run box):

ComboFix /u

Click ok.

============================

Clear IE6 cookies

*Open IE and click Tools
*Click on Internet Options
*Click on General Tab
*Click on Delte Temp Files & Cookies buttons.


Clear IE7 cookies

*On the Internet Explorer 7 Tools menu, click Internet Options. The Internet Options box should open to the General tab.
*On the General tab, in the Browsing History, click the Delete button. This will delete all the files that are currently stored in your cache [that includes cookies too].
*Click OK, and then click OK again.


Clear Firefox cookies/cache

• Select "Tools"
• Select "Options".
• Select "Privacy".
• In "Settings" window put the check mark for Cookies,Cache,Browsing history and any others you want.
• Click OK.
• In Private area click "Clear Now".

-------------------------------------------------------------------------------------------

MICROSOFT UPDATES

1.Click Start,Run, type sysdm.cpl, and then press OK.
2.Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended).

Microsoft updates are released every second Tuesday of each month,what is called "Patch Tuesday".

------------------------------------------------------------------------------------------

Useful Information and Programs to keep you safe.

TrendProtect is a FREE browser plug-in that helps you avoid Web pages with unwanted content and hidden threats. TrendProtect rates the current page and pages listed in Google, MSN, and Yahoo search results. You can use the rating to decide if you want to visit or avoid a given Web page. To rate Web pages, TrendProtect refers to an extensive database that covers the following information for billions of Web pages:

* Content category
* Phishing scam detection
* Site reputation
* Page reputation

WOT Free helps you avoid disingenuous Internet content by allowing you to learn from others' experiences. WOT shows you website reputations on your browser, telling you how much other users trust a website. This helps you make better decisions while browsing and avoid phishing, malware, and other types of fraud. Reputations can also be added to web search results, Gmail, Wikipedia, and other selected sites.

WOT reputations are computed mainly from user testimonies. Sharing your knowledge with others is just a click away, without ever having to leave the site. We also collect data from hundreds of other sources (including PhishTank) to quickly warn you of emerging threats. Currently, WOT knows over 12 million websites.
Note:Only compatible with Firefox 1.5 and higher.

Only install one of the above

--------------------------------------------------------------------------------------

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Avant
Firefox
Opera
K-Meleon

------------------------------------------------------------------------------------------

Free Antispyware Products
SuperAntiSpyware
AVG Antispyware Free
Ad-Aware
Spybot S&D
Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
Download Spyware Guard to catch and block spyware before it can execute.

------------------------------------------------------------------

IE-Spyad™ is a freeware utility that places more than 4000 dubious websites and domains in the Internet Explorer Restricted List.

Download and installation instructions for IE-Spyad™ Here

-----------------------------------------

The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

If your having trouble downloading & extracting,see link below for guidance:
http://www.mvps.org/winhelp2002/hosts2.htm

Once you have extracted the host file,double click on it and a new window will open.

Double-click on mvps.batand follow the prompts

---------------------------------------------------------------

Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.

----------------------------------------

SnoopFree is a programme that informs you when another programme is wanting to log your keystrokes or read your screen.Only for XP users.

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

==============================================

Also, please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Please reply to this thread once more,as we may mark this as resolved,thanks.[/quote]

[Alexlonebear]

Hi TheBruce1,
It's great to hear that my log is finally clean.
You anticipated my next question.
How do I keep this from happening again?
I will take a look at all the software you wrote about
and download what will fit my purposes.
I already have AdAware and Spybot SD on my computer.
I also have ETRemover, PCTools AntiVirus (subscribed to)
Registry Smart, Spysweeper, Spyware Doctor, Avinstall and Spy no More.
What of these can I get rid of.
I already use Firefox as my browser so that is no problem.
For certain sites I have to use Internet Explorer.
I'm only using IE 6, should I upgrade to IE 7.
I still have one more problem.
Often when I click on a link, especially in my email, which is Eudora,
it loads a blank Internet Explorer page.
This is kind of important because several clients send me links
so I can work on their jobs.
Got any idea what the problem is?
Take care
Hank

[TheBruce1]

Hi Alex

Please read those articles in my last post on how best to protect yourself from infection in the future.PC Tools antivirus engine i believe comes from VirusBuster and is not one of the best,if your looking for a good free AV then Avira,Avast and AVG7 would be three of the best.For paid AV the three that are recommended are Avira(paid version),NOD32 and Kaspersky.

I would remove SpyNoMore as it was once on the rogue antispyware list and i think there are better products out there than that one.Is Avinstall part of PC Tools AV?

I found Spysweeper and Spyware Doctor to be extremely bloated on my system,i much prefer AVG antispyware and Superantispyware(see last post)as my antispyware programs.

As for Registry Smart these programs can cause more problems than they solve,be 100% sure you know what you are removing.

You should update to IE7 as it is safer than IE6.

As for the Eudora issue i think it would be best if you contact the official Eudora Forum