Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 02-06-2008, 03:14 PM   #1 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 7
OS: xp home edition


Not sure if something is wrong

I am having some general performance problems with my computer (i.e. running slow). Also my C drive is a red X but otherwise functions as it should. Just wanted to make sure everything is ok. Please take a look.

Thank you,

Jason


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:13, on 2008-02-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AdvancedCleaner\ADC.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\flfxsmij.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [eanth_system_patcher] "C:\Program Files\Acceleration Software\SystemPatcher\sys_alert .exe" /Startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [ws_uninst] C:\DOCUME~1\Jason\LOCALS~1\Temp\ws_uninst.exe -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skntws] C:\WINDOWS\?asks\m?hta.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {EF732B7C-BFF6-49B1-A32C-3C74C318FDCC} (VPlayer Control) - http://video.vividas.com/CDN1/5167_P...layer_ocx.jpeg
O20 - Winlogon Notify: flfxsmij - C:\WINDOWS\SYSTEM32\flfxsmij.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 6607 bytes
videoman199 is offline  

Old 02-09-2008, 07:46 AM   #2 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
 
Join Date: Sep 2005
Location: Glasgow
Posts: 25,499
OS: Win XP Pro SP3 / Win 7 Pro


Blog Entries: 10
Re: Not sure if something is wrong

Hi and welcome to TSF.

Apologies for any delay in replying, but we have been rather busy lately, and, of course, all our helpers are volunteers.

My name is Iain and I will be helping you clean your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.


We'll begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix
  • When the tool is finished, it will produce a report for you.
  • Please post C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



Glaswegian is offline  
Old 02-09-2008, 08:38 AM   #3 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 7
OS: xp home edition


Re: Not sure if something is wrong

Thank you for your help. Here are the logs you requested.


ComboFix:

ComboFix 08-02.01.6 - Jason 2008-02-08 21:32:42.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.669 [GMT -6:00]
Running from: C:\Documents and Settings\Jason\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\flfxsmij.dllbox

.
((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-06 18:27 . 2008-02-07 18:15 <DIR> d-------- C:\Documents and Settings\Jason\.housecall6.6
2008-02-06 16:36 . 2008-02-06 16:36 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-06 16:36 . 2008-02-06 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-06 16:35 . 2008-02-06 16:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-06 16:31 . 2008-02-06 16:50 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\HouseCall 6.6
2008-02-06 16:29 . 2008-02-06 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-05 17:08 . 2008-02-05 17:08 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\ieSpell
2008-02-05 17:04 . 2008-02-05 17:04 <DIR> d-------- C:\Program Files\ieSpell
2008-02-02 10:30 . 2008-02-02 10:30 <DIR> d-------- C:\Program Files\Common Files\AdvancedCleaner
2008-02-02 10:03 . 2008-02-02 10:03 <DIR> d-------- C:\Program Files\InternetAnonymizer
2008-02-02 10:03 . 2008-02-02 10:03 <DIR> d-------- C:\Program Files\Common Files\InternetAnonymizer
2008-02-02 10:03 . 2008-02-02 10:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InternetAnonymizer
2008-02-02 10:03 . 2007-08-20 16:35 61,440 --a------ C:\WINDOWS\system32\anfapi.dll
2008-02-02 10:03 . 2007-08-10 10:48 14,336 --a------ C:\WINDOWS\system32\drivers\anftdird.sys
2008-02-02 09:52 . 2008-02-02 09:52 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\AdvancedCleaner
2008-02-02 09:51 . 2008-02-08 04:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AdvancedCleaner
2008-02-02 09:51 . 2007-08-18 11:34 98,816 --a------ C:\WINDOWS\system32\daila.exe
2008-02-01 18:59 . 2008-02-02 10:03 1,756,192 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-01 18:59 . 2008-02-08 06:02 4,384 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-01 18:59 . 2008-02-01 18:59 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-01 18:59 . 2008-02-01 18:59 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-01 18:56 . 2008-02-01 18:56 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-01 18:56 . 2008-02-07 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-01 18:55 . 2008-02-01 18:55 <DIR> d-------- C:\KAV
2008-02-01 18:36 . 2008-02-01 18:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 18:30 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-02-01 17:22 . 2008-02-01 17:22 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-01 07:07 . 2008-02-01 10:06 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\AdobeUM
2008-01-25 23:27 . 2008-01-25 23:27 <DIR> d-------- C:\WINDOWS\system32\E1E1E4E6DFE3E
2008-01-22 20:38 . 2008-01-22 20:38 0 --a------ C:\WINDOWS\system32\mssurun.dat
2008-01-22 15:34 . 2008-02-02 10:09 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-17 16:02 . 2008-01-18 19:11 <DIR> d-------- C:\WINDOWS\kowf
2008-01-17 16:01 . 2008-01-17 16:01 20,480 --a------ C:\WINDOWS\Imgtask .exe
2008-01-16 12:15 . 2008-01-16 12:15 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-16 12:10 . 2008-01-17 16:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-16 08:56 . 2008-01-16 08:56 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-01-15 18:50 . 2006-07-20 23:21 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-01-13 14:02 . 2008-02-08 06:00 <DIR> d-------- C:\Program Files\Super_DVD_Creator_9.5
2008-01-13 13:39 . 2008-01-15 18:11 <DIR> d-------- C:\Program Files\MWOPro
2008-01-11 20:04 . 2008-01-11 20:04 65 --a------ C:\WINDOWS\FISHUI.INI
2008-01-11 19:32 . 2007-08-24 15:06 110,592 --a------ C:\WINDOWS\system32\TG_DUMP0708.DLL
2008-01-11 19:32 . 2007-06-12 15:54 102,400 --a------ C:\WINDOWS\system32\TG_VIEW0607.DLL
2008-01-11 19:32 . 2007-06-12 15:54 90,112 --a------ C:\WINDOWS\system32\TG_SYNC.DLL
2008-01-11 19:26 . 2008-01-11 19:26 <DIR> d-------- C:\Program Files\XviD
2008-01-11 19:26 . 2005-05-03 09:33 299,008 --a------ C:\WINDOWS\system32\LAME_MP3.dll
2008-01-11 19:26 . 2008-01-11 19:26 65,024 --a------ C:\WINDOWS\IFinst26.exe
2008-01-11 19:23 . 2008-01-11 19:23 <DIR> d-------- C:\Program Files\Samsung
2008-01-11 19:23 . 2008-01-11 19:23 <DIR> d-------- C:\Program Files\MarkAny
2008-01-11 19:23 . 2008-01-11 19:23 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\DataCast
2008-01-09 17:25 . 2008-01-09 17:25 4,683 --a------ C:\WINDOWS\system32\suupdate.zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 11:00 --------- d-----w C:\Documents and Settings\Jason\Application Data\LimeWire
2008-02-02 15:54 --------- d-----w C:\Program Files\Microsoft Works
2008-02-02 02:21 --------- d-----w C:\Program Files\QuickTime
2008-01-26 03:39 720 ----a-w C:\Documents and Settings\Jason\Application Data\wklnhst.dat
2008-01-16 00:12 --------- d-----w C:\Program Files\Rhapsody
2008-01-15 22:55 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-12 01:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-07 00:15 --------- d-----w C:\Program Files\music_now
2008-01-05 16:27 --------- d-----w C:\Program Files\NetWaiting
2008-01-05 16:19 --------- d-----w C:\Program Files\Google
2008-01-04 19:46 --------- d-----w C:\Program Files\eAcceleration
2008-01-04 17:55 --------- d-----w C:\Documents and Settings\Jason\Application Data\Apple Computer
2008-01-03 01:48 1,636,864 ----a-w C:\WINDOWS\system32\context.dll
2008-01-01 22:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Activision
2008-01-01 15:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\GameTap
2008-01-01 15:55 --------- d-----w C:\Program Files\GameTap
2008-01-01 15:54 --------- d-----w C:\Documents and Settings\Jason\Application Data\InstallShield
2007-12-31 03:44 --------- d-----w C:\Program Files\WinAce
2007-12-27 23:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-12-27 19:07 --------- d-----w C:\Program Files\iTunes
2007-12-27 19:07 --------- d-----w C:\Program Files\iPod
2007-12-27 19:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-27 19:06 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-27 19:06 --------- d-----w C:\Program Files\Apple Software Update
2007-12-27 19:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-12-26 19:12 --------- d-----w C:\Documents and Settings\Jason\Application Data\HP
2007-12-24 19:01 --------- d-----w C:\Documents and Settings\Jason\Application Data\CyberLink
2007-12-24 18:56 --------- d-----w C:\Program Files\CyberLink
2007-12-24 18:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-12-24 18:51 --------- d-----w C:\Program Files\Digital Photo Navigator 1.5
2007-12-21 23:11 --------- d-----w C:\Documents and Settings\Jason\Application Data\Template
2007-12-15 16:48 --------- d-----w C:\Documents and Settings\Jason\Application Data\EPSON
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-11 00:12 --------- d-----w C:\Program Files\support.com
2007-12-11 00:12 --------- d-----w C:\Program Files\Common Files\SupportSoft
2007-12-09 20:13 958,464 ----a-w C:\WINDOWS\vsfilter.dll
2007-12-09 20:13 921,600 ----a-w C:\WINDOWS\vorbisenc.dll
2007-12-09 20:13 92,728 ----a-w C:\WINDOWS\bass.dll
2007-12-09 20:13 892,928 ----a-w C:\WINDOWS\iconv.dll
2007-12-09 20:13 8,664 ----a-w C:\WINDOWS\bass_tta.dll
2007-12-09 20:13 66,048 ----a-w C:\WINDOWS\MP4.dll
2007-12-09 20:13 45,056 ----a-w C:\WINDOWS\ogg.dll
2007-12-09 20:13 438,272 ----a-w C:\WINDOWS\MpegAudio.dll
2007-12-09 20:13 33,240 ----a-w C:\WINDOWS\bass_ape.dll
2007-12-09 20:13 290,816 ----a-w C:\WINDOWS\MpegVideo.dll
2007-12-09 20:13 237,568 ----a-w C:\WINDOWS\OggDS.dll
2007-12-09 20:13 23,616 ----a-w C:\WINDOWS\bass_flac.dll
2007-12-09 20:13 23,552 ----a-w C:\WINDOWS\mkunicode.dll
2007-12-09 20:13 188,416 ----a-w C:\WINDOWS\vorbis.dll
2007-12-09 20:13 150,520 ----a-w C:\WINDOWS\bass_aac.dll
2007-12-09 20:13 12,784 ----a-w C:\WINDOWS\bass_alac.dll
2007-12-09 20:13 106,496 ----a-w C:\WINDOWS\GenDMOProp.dll
2007-12-09 19:53 --------- d-----w C:\Program Files\Common Files\Real
2007-12-09 19:51 8,413 ----a-w C:\WINDOWS\system32\drivers\mcstrm.sys
2007-12-09 19:51 --------- d-----w C:\Program Files\Real
2007-12-02 18:15 45,056 ----a-w C:\WINDOWS\NCUNINST.EXE
2005-09-24 15:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.
Code:
----a-w            81,920 2008-01-17 22:01:38  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w           136,904 2008-01-17 22:01:45  C:\Program Files\eAcceleration\Station\station .exe
----a-w            40,960 2008-01-17 22:01:39  C:\Program Files\Hewlett-Packard\Default Settings\cpqset .exe
----a-w            49,152 2008-01-17 22:01:37  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w           458,752 2008-01-17 22:01:37  C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant .exe
----a-w         1,694,208 2008-01-31 22:06:40  C:\Program Files\Messenger\msmsgs .exe
----a-w            20,480 2008-01-17 22:01:41  C:\WINDOWS\Imgtask .exe
----a-w         1,187,840 2008-01-17 22:01:40  C:\WINDOWS\SMINST\RecGuard .exe
----a-w            15,360 2008-02-02 16:09:14  C:\WINDOWS\system32\ctfmon .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 14:00 15360]
"Skntws"="C:\WINDOWS\?asks\m?hta.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-18 02:00 86016]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-01 18:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 12:33 163840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"eanth_system_patcher"="C:\Program Files\Acceleration Software\SystemPatcher\sys_alert .exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-18 02:00 7585792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\flfxsmij]
flfxsmij.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-03-15 14:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 22:56 64512 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EverioService]
--------- 2006-11-22 21:10 151552 C:\Program Files\CyberLink\PCM4Everio\EverioService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MAAgent]
--a------ 2007-01-30 20:36 57344 C:\Program Files\MarkAny\ContentSafer\MAAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-08-18 02:00 7585792 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-08-18 02:00 1617920 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
--a------ 2006-07-11 22:55 102400 C:\Program Files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Super Utilities]
C:\Program Files\SuperLogix\Super Utilities\SuperUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-03-31 23:01 761946 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

R0 PEP_HKA;PEP_HKA;C:\WINDOWS\system32\Drivers\PEP_HKA.SYS [2007-11-12 16:19]
R0 pepbus;pepbus;C:\WINDOWS\system32\DRIVERS\pepbus.sys [2007-11-20 17:54]
R2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2007-12-13 13:52]
R3 Belkin Belkin 11Mbps Wireless USB Network Adapter(R);Belkin Belkin 11Mbps Wireless USB Network Adapter(R) Service for Belkin 11Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\bkusbxp.sys [2003-04-09 10:29]
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-05 17:49]
S3 pepscsi;pepscsi;C:\WINDOWS\system32\DRIVERS\pepscsi.sys [2007-11-20 17:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79f97ae6-a91c-11dc-a8ca-0030bd642131}]
\Shell\AutoRun\command - G:\Imageviewer.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-27 1946 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 21:34:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-08 21:34:30
ComboFix-quarantined-files.txt 2008-02-09 03:34:28
ComboFix2.txt 2008-02-02 16:40:52
ComboFix3.txt 2008-02-02 00:47:03
ComboFix4.txt 2008-02-02 00:21:14
.
2008-01-17 20:17:30 --- E O F ---



HijackThis:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:05 PM, on 2/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [eanth_system_patcher] "C:\Program Files\Acceleration Software\SystemPatcher\sys_alert .exe" /Startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skntws] C:\WINDOWS\?asks\m?hta.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {EF732B7C-BFF6-49B1-A32C-3C74C318FDCC} (VPlayer Control) - http://video.vividas.com/CDN1/5167_P...layer_ocx.jpeg
O20 - Winlogon Notify: flfxsmij - flfxsmij.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 7011 bytes
videoman199 is offline  
Old 02-09-2008, 09:26 AM   #4 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 25,499
OS: Win XP Pro SP3 / Win 7 Pro

Blog Entries: 10
Re: Not sure if something is wrong

Hi again Jason

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

You have an infection that tries to amend legitimate programme files. When we are finished, you may have to re-install some programmes. Hopefully it won’t come to that.



Combofix
  • Close any open browsers.
  • Open notepad and copy/paste the text in the box below into it:

Code:
RenV::
C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
C:\Program Files\eAcceleration\Station\station .exe
C:\Program Files\Hewlett-Packard\Default Settings\cpqset .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant .exe
C:\Program Files\Messenger\msmsgs .exe
C:\WINDOWS\Imgtask .exe
C:\WINDOWS\SMINST\RecGuard .exe
C:\WINDOWS\system32\ctfmon .exe

Folder::
C:\WINDOWS\?asks

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skntws"=-
-[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\flfxsmij]
Looking at the image below as an example



Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at "C:\ComboFix.txt"

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!


Please post the log C:\ComboFix.txt along with a fresh HijackThis Log for further review.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner
Glaswegian is offline  
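The indicators the fix above acts on (executables renamed with a space before the extension, a Run entry pointing at a path with characters the log renders as "?", an orphaned Winlogon Notify DLL, the MountPoints2 AutoRun command) can be checked mechanically. The following Python triage script is an added example, not part of this thread or of HijackThis/ComboFix; the rule names are my own, and SAMPLE_LOG is a constructed mix of lines taken from the logs posted here plus benign lines for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines lifted from the HijackThis and ComboFix logs in this
# thread, interleaved with benign entries so the rules can be checked for noise.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [eanth_system_patcher] "C:\Program Files\Acceleration Software\SystemPatcher\sys_alert .exe" /Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: flfxsmij - flfxsmij.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"Skntws"="C:\WINDOWS\?asks\m?hta.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
\Shell\AutoRun\command - G:\Imageviewer.exe
'''


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


# "qttask .exe": a space inserted before the extension. The infection in this
# thread renamed legitimate programs this way; the RenV:: section undoes it.
SPACE_BEFORE_EXT = re.compile(r"\S \.(?:exe|dll|sys)\b", re.IGNORECASE)
# Non-printable or non-ASCII characters in a path show up as "?" in these logs
# ("C:\WINDOWS\?asks\m?hta.exe" imitating Tasks\mshta.exe). Only paths that
# start with a drive letter are considered, so URL query strings do not match.
UNRENDERED_CHAR = re.compile(r'[A-Za-z]:\\[^\s"]*\?[^\s"]*')
# A Winlogon Notify handler whose DLL is no longer on disk.
ORPHAN_NOTIFY = re.compile(r"^O20 - Winlogon Notify: .*\(file missing\)$")
# ComboFix prints "[ ]" where it could not find the file a Run entry points to.
MISSING_FILE_INFO = re.compile(r"\[ \]\s*$")
# AutoRun command recorded under MountPoints2 for a (removable) drive.
AUTORUN_CMD = re.compile(r"\\Shell\\AutoRun\\command - ")

RULES = [
    ("space-before-extension", SPACE_BEFORE_EXT),
    ("unrendered-char-in-path", UNRENDERED_CHAR),
    ("orphaned-winlogon-notify", ORPHAN_NOTIFY),
    ("run-entry-file-not-found", MISSING_FILE_INFO),
    ("mountpoints2-autorun", AUTORUN_CMD),
]


def triage(log_text: str) -> list:
    """Return one Finding per (line, rule) pair that matches, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(name, line))
    return findings


# Path with the inserted space, as it must appear under RenV:: for the tool to
# find and rename it back. Hypothetical helper, not part of ComboFix itself.
RENV_PATH = re.compile(r"([A-Za-z]:\\.*? \.exe)", re.IGNORECASE)


def build_renv_section(log_text: str) -> str:
    """Collect the mangled paths from the log into a RenV:: block like the one above."""
    paths = set()
    for raw in log_text.splitlines():
        m = RENV_PATH.search(raw)
        if m:
            paths.add(m.group(1))
    return "\n".join(["RenV::"] + sorted(paths))


def main():
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:26s} {f.line}")
    print()
    print(build_renv_section(SAMPLE_LOG))


if __name__ == "__main__":
    main()
```

The "(file missing)" check is deliberately limited to O20 entries; the O23 CLTNetCnService line in the log above is a leftover from an uninstalled Symantec product, not an infection indicator, and the moderator left it alone.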
Old 02-09-2008, 03:31 PM   #5 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 7
OS: xp home edition


Re: Not sure if something is wrong

Thank you for your quick replies!

ComboFix 08-02.01.6 - Jason 2008-02-09 16:24:41.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.625 [GMT -6:00]
Running from: C:\Documents and Settings\Jason\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jason\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-06 18:27 . 2008-02-07 18:15 <DIR> d-------- C:\Documents and Settings\Jason\.housecall6.6
2008-02-06 16:36 . 2008-02-06 16:36 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-06 16:36 . 2008-02-06 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-06 16:35 . 2008-02-06 16:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-06 16:31 . 2008-02-06 16:50 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\HouseCall 6.6
2008-02-06 16:29 . 2008-02-06 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-05 17:08 . 2008-02-05 17:08 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\ieSpell
2008-02-05 17:04 . 2008-02-05 17:04 <DIR> d-------- C:\Program Files\ieSpell
2008-02-02 10:30 . 2008-02-02 10:30 <DIR> d-------- C:\Program Files\Common Files\AdvancedCleaner
2008-02-02 10:03 . 2008-02-02 10:03 <DIR> d-------- C:\Program Files\InternetAnonymizer
2008-02-02 10:03 . 2008-02-02 10:03 <DIR> d-------- C:\Program Files\Common Files\InternetAnonymizer
2008-02-02 10:03 . 2008-02-02 10:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InternetAnonymizer
2008-02-02 10:03 . 2007-08-20 16:35 61,440 --a------ C:\WINDOWS\system32\anfapi.dll
2008-02-02 10:03 . 2007-08-10 10:48 14,336 --a------ C:\WINDOWS\system32\drivers\anftdird.sys
2008-02-02 09:52 . 2008-02-02 09:52 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\AdvancedCleaner
2008-02-02 09:51 . 2008-02-08 04:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AdvancedCleaner
2008-02-02 09:51 . 2007-08-18 11:34 98,816 --a------ C:\WINDOWS\system32\daila.exe
2008-02-01 18:59 . 2008-02-02 10:03 1,756,192 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-01 18:59 . 2008-02-08 06:02 4,384 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-01 18:59 . 2008-02-01 18:59 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-01 18:59 . 2008-02-01 18:59 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-01 18:56 . 2008-02-01 18:56 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-01 18:56 . 2008-02-07 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-01 18:55 . 2008-02-01 18:55 <DIR> d-------- C:\KAV
2008-02-01 18:36 . 2008-02-01 18:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 18:30 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-02-01 17:22 . 2008-02-01 17:22 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-01 07:07 . 2008-02-01 10:06 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\AdobeUM
2008-01-25 23:27 . 2008-01-25 23:27 <DIR> d-------- C:\WINDOWS\system32\E1E1E4E6DFE3E
2008-01-22 20:38 . 2008-01-22 20:38 0 --a------ C:\WINDOWS\system32\mssurun.dat
2008-01-17 16:02 . 2008-01-18 19:11 <DIR> d-------- C:\WINDOWS\kowf
2008-01-17 16:01 . 2008-01-17 16:01 20,480 --a------ C:\WINDOWS\Imgtask.exe
2008-01-16 12:15 . 2008-01-16 12:15 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-16 12:10 . 2008-01-17 16:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-16 08:56 . 2008-01-16 08:56 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-01-15 18:50 . 2006-07-20 23:21 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-01-13 14:02 . 2008-02-08 06:00 <DIR> d-------- C:\Program Files\Super_DVD_Creator_9.5
2008-01-13 13:39 . 2008-01-15 18:11 <DIR> d-------- C:\Program Files\MWOPro
2008-01-11 20:04 . 2008-01-11 20:04 65 --a------ C:\WINDOWS\FISHUI.INI
2008-01-11 19:32 . 2007-08-24 15:06 110,592 --a------ C:\WINDOWS\system32\TG_DUMP0708.DLL
2008-01-11 19:32 . 2007-06-12 15:54 102,400 --a------ C:\WINDOWS\system32\TG_VIEW0607.DLL
2008-01-11 19:32 . 2007-06-12 15:54 90,112 --a------ C:\WINDOWS\system32\TG_SYNC.DLL
2008-01-11 19:26 . 2008-01-11 19:26 <DIR> d-------- C:\Program Files\XviD
2008-01-11 19:26 . 2005-05-03 09:33 299,008 --a------ C:\WINDOWS\system32\LAME_MP3.dll
2008-01-11 19:26 . 2008-01-11 19:26 65,024 --a------ C:\WINDOWS\IFinst26.exe
2008-01-11 19:23 . 2008-01-11 19:23 <DIR> d-------- C:\Program Files\Samsung
2008-01-11 19:23 . 2008-01-11 19:23 <DIR> d-------- C:\Program Files\MarkAny
2008-01-11 19:23 . 2008-01-11 19:23 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\DataCast
2008-01-09 17:25 . 2008-01-09 17:25 4,683 --a------ C:\WINDOWS\system32\suupdate.zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 11:00 --------- d-----w C:\Documents and Settings\Jason\Application Data\LimeWire
2008-02-02 15:54 --------- d-----w C:\Program Files\Microsoft Works
2008-02-02 02:21 --------- d-----w C:\Program Files\QuickTime
2008-01-26 03:39 720 ----a-w C:\Documents and Settings\Jason\Application Data\wklnhst.dat
2008-01-16 00:12 --------- d-----w C:\Program Files\Rhapsody
2008-01-15 22:55 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-12 01:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-07 00:15 --------- d-----w C:\Program Files\music_now
2008-01-05 16:27 --------- d-----w C:\Program Files\NetWaiting
2008-01-05 16:19 --------- d-----w C:\Program Files\Google
2008-01-04 19:46 --------- d-----w C:\Program Files\eAcceleration
2008-01-04 17:55 --------- d-----w C:\Documents and Settings\Jason\Application Data\Apple Computer
2008-01-01 22:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Activision
2008-01-01 15:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\GameTap
2008-01-01 15:55 --------- d-----w C:\Program Files\GameTap
2008-01-01 15:54 --------- d-----w C:\Documents and Settings\Jason\Application Data\InstallShield
2007-12-31 03:44 --------- d-----w C:\Program Files\WinAce
2007-12-27 23:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-12-27 19:07 --------- d-----w C:\Program Files\iTunes
2007-12-27 19:07 --------- d-----w C:\Program Files\iPod
2007-12-27 19:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-27 19:06 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-27 19:06 --------- d-----w C:\Program Files\Apple Software Update
2007-12-27 19:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-12-26 19:12 --------- d-----w C:\Documents and Settings\Jason\Application Data\HP
2007-12-24 19:01 --------- d-----w C:\Documents and Settings\Jason\Application Data\CyberLink
2007-12-24 18:56 --------- d-----w C:\Program Files\CyberLink
2007-12-24 18:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-12-24 18:51 --------- d-----w C:\Program Files\Digital Photo Navigator 1.5
2007-12-21 23:11 --------- d-----w C:\Documents and Settings\Jason\Application Data\Template
2007-12-15 16:48 --------- d-----w C:\Documents and Settings\Jason\Application Data\EPSON
2007-12-11 00:12 --------- d-----w C:\Program Files\support.com
2007-12-11 00:12 --------- d-----w C:\Program Files\Common Files\SupportSoft
2007-12-09 20:13 958,464 ----a-w C:\WINDOWS\vsfilter.dll
2007-12-09 20:13 921,600 ----a-w C:\WINDOWS\vorbisenc.dll
2007-12-09 20:13 92,728 ----a-w C:\WINDOWS\bass.dll
2007-12-09 20:13 892,928 ----a-w C:\WINDOWS\iconv.dll
2007-12-09 20:13 8,664 ----a-w C:\WINDOWS\bass_tta.dll
2007-12-09 20:13 66,048 ----a-w C:\WINDOWS\MP4.dll
2007-12-09 20:13 45,056 ----a-w C:\WINDOWS\ogg.dll
2007-12-09 20:13 438,272 ----a-w C:\WINDOWS\MpegAudio.dll
2007-12-09 20:13 33,240 ----a-w C:\WINDOWS\bass_ape.dll
2007-12-09 20:13 290,816 ----a-w C:\WINDOWS\MpegVideo.dll
2007-12-09 20:13 237,568 ----a-w C:\WINDOWS\OggDS.dll
2007-12-09 20:13 23,616 ----a-w C:\WINDOWS\bass_flac.dll
2007-12-09 20:13 23,552 ----a-w C:\WINDOWS\mkunicode.dll
2007-12-09 20:13 188,416 ----a-w C:\WINDOWS\vorbis.dll
2007-12-09 20:13 150,520 ----a-w C:\WINDOWS\bass_aac.dll
2007-12-09 20:13 12,784 ----a-w C:\WINDOWS\bass_alac.dll
2007-12-09 20:13 106,496 ----a-w C:\WINDOWS\GenDMOProp.dll
2007-12-09 19:53 --------- d-----w C:\Program Files\Common Files\Real
2007-12-09 19:51 8,413 ----a-w C:\WINDOWS\system32\drivers\mcstrm.sys
2007-12-09 19:51 --------- d-----w C:\Program Files\Real
2007-12-02 18:15 45,056 ----a-w C:\WINDOWS\NCUNINST.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 14:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Skntws"="C:\WINDOWS\?asks\m?hta.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-18 02:00 86016]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-01 18:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 12:33 163840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"eanth_system_patcher"="C:\Program Files\Acceleration Software\SystemPatcher\sys_alert .exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-18 02:00 7585792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\flfxsmij]
flfxsmij.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-03-15 14:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 22:56 64512 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EverioService]
--------- 2006-11-22 21:10 151552 C:\Program Files\CyberLink\PCM4Everio\EverioService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MAAgent]
--a------ 2007-01-30 20:36 57344 C:\Program Files\MarkAny\ContentSafer\MAAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-08-18 02:00 7585792 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-08-18 02:00 1617920 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
--a------ 2006-07-11 22:55 102400 C:\Program Files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Super Utilities]
C:\Program Files\SuperLogix\Super Utilities\SuperUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-03-31 23:01 761946 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

R0 PEP_HKA;PEP_HKA;C:\WINDOWS\system32\Drivers\PEP_HKA.SYS [2007-11-12 16:19]
R0 pepbus;pepbus;C:\WINDOWS\system32\DRIVERS\pepbus.sys [2007-11-20 17:54]
R2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2007-12-13 13:52]
R3 Belkin Belkin 11Mbps Wireless USB Network Adapter(R);Belkin Belkin 11Mbps Wireless USB Network Adapter(R) Service for Belkin 11Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\bkusbxp.sys [2003-04-09 10:29]
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-05 17:49]
S3 pepscsi;pepscsi;C:\WINDOWS\system32\DRIVERS\pepscsi.sys [2007-11-20 17:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79f97ae6-a91c-11dc-a8ca-0030bd642131}]
\Shell\AutoRun\command - G:\Imageviewer.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-27 1946 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 16:26:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-02-09 16:27:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-09 22:27:52
ComboFix2.txt 2008-02-09 03:34:31
ComboFix3.txt 2008-02-02 16:40:52
ComboFix4.txt 2008-02-02 00:47:03
ComboFix5.txt 2008-02-02 00:21:14
.
2008-01-17 20:17:30 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:30:51 PM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [eanth_system_patcher] "C:\Program Files\Acceleration Software\SystemPatcher\sys_alert .exe" /Startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {EF732B7C-BFF6-49B1-A32C-3C74C318FDCC} (VPlayer Control) - http://video.vividas.com/CDN1/5167_P...layer_ocx.jpeg
O20 - Winlogon Notify: flfxsmij - flfxsmij.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 6899 bytes
videoman199 is offline  
Old 02-10-2008, 08:42 AM   #6 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 25,499
OS: Win XP Pro SP3 / Win 7 Pro

Blog Entries: 10
Re: Not sure if something is wrong

Hi again

How is your system running now?

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.


Combofix
  • Close any open browsers.
  • Open notepad and copy/paste the text in the box below into it:

Code:
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\flfxsmij]
Looking at the image below as an example



Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at "C:\ComboFix.txt"

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!


Please post the log C:\ComboFix.txt along with a fresh HijackThis Log for further review.



HijackThis Entries
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

O20 - Winlogon Notify: flfxsmij - flfxsmij.dll (file missing)

Please remember to close all other windows, including browsers then click Fix checked.



Online Scan
Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky WebScanner

Next Click on Kaspersky Online Scanner


A Welcome screen will appear - click 'Accept' at the bottom. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
  • Extended
Scan Options:
  • Scan Archives
  • Scan Mail Bases
Click OK

Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the name(s) and location(s) of any file(s) it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.


Logs required
C:\ComboFix.txt
Kaspersky Log
HijackThis Log
Glaswegian is offline  
Old 02-12-2008, 04:44 PM   #7 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 7
OS: xp home edition


Re: Not sure if something is wrong

Sorry it took me so long to respond. My computer has been running better.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:39 PM, on 2/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [eanth_system_patcher] "C:\Program Files\Acceleration Software\SystemPatcher\sys_alert .exe" /Startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {EF732B7C-BFF6-49B1-A32C-3C74C318FDCC} (VPlayer Control) - http://video.vividas.com/CDN1/5167_P...layer_ocx.jpeg
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 6974 bytes



ComboFix 08-02.01.6 - Jason 2008-02-10 16:24:57.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.671 [GMT -6:00]
Running from: C:\Documents and Settings\Jason\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jason\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.

2008-02-09 17:34 . 2008-02-09 19:14 179 --a------ C:\WINDOWS\123CopyDVD.INI
2008-02-09 17:33 . 2008-02-09 17:33 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-02-09 17:27 . 2008-02-09 17:27 3,120 --a------ C:\WINDOWS\system32\PMVCIH2J.ocx
2008-02-09 17:27 . 2008-02-09 17:27 3,120 --a------ C:\WINDOWS\553VKVT8.ocx
2008-02-09 17:25 . 2008-02-09 17:34 <DIR> d-------- C:\Program Files\123CopyDVD
2008-02-06 18:27 . 2008-02-07 18:15 <DIR> d-------- C:\Documents and Settings\Jason\.housecall6.6
2008-02-06 16:36 . 2008-02-06 16:36 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-06 16:36 . 2008-02-06 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-06 16:35 . 2008-02-06 16:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-06 16:31 . 2008-02-06 16:50 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\HouseCall 6.6
2008-02-06 16:29 . 2008-02-06 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-05 17:08 . 2008-02-05 17:08 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\ieSpell
2008-02-05 17:04 . 2008-02-05 17:04 <DIR> d-------- C:\Program Files\ieSpell
2008-02-02 10:30 . 2008-02-02 10:30 <DIR> d-------- C:\Program Files\Common Files\AdvancedCleaner
2008-02-02 10:03 . 2008-02-02 10:03 <DIR> d-------- C:\Program Files\InternetAnonymizer
2008-02-02 10:03 . 2008-02-02 10:03 <DIR> d-------- C:\Program Files\Common Files\InternetAnonymizer
2008-02-02 10:03 . 2008-02-02 10:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InternetAnonymizer
2008-02-02 10:03 . 2007-08-20 16:35 61,440 --a------ C:\WINDOWS\system32\anfapi.dll
2008-02-02 10:03 . 2007-08-10 10:48 14,336 --a------ C:\WINDOWS\system32\drivers\anftdird.sys
2008-02-02 09:52 . 2008-02-02 09:52 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\AdvancedCleaner
2008-02-02 09:51 . 2008-02-08 04:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AdvancedCleaner
2008-02-02 09:51 . 2007-08-18 11:34 98,816 --a------ C:\WINDOWS\system32\daila.exe
2008-02-01 18:59 . 2008-02-02 10:03 1,756,192 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-01 18:59 . 2008-02-08 06:02 4,384 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-01 18:59 . 2008-02-01 18:59 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-01 18:59 . 2008-02-01 18:59 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-01 18:56 . 2008-02-01 18:56 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-01 18:56 . 2008-02-10 16:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-01 18:55 . 2008-02-01 18:55 <DIR> d-------- C:\KAV
2008-02-01 18:36 . 2008-02-01 18:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 18:30 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-02-01 17:22 . 2008-02-01 17:22 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-01 07:07 . 2008-02-01 10:06 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\AdobeUM
2008-01-25 23:27 . 2008-01-25 23:27 <DIR> d-------- C:\WINDOWS\system32\E1E1E4E6DFE3E
2008-01-22 20:38 . 2008-01-22 20:38 0 --a------ C:\WINDOWS\system32\mssurun.dat
2008-01-17 16:02 . 2008-01-18 19:11 <DIR> d-------- C:\WINDOWS\kowf
2008-01-17 16:01 . 2008-01-17 16:01 20,480 --a------ C:\WINDOWS\Imgtask.exe
2008-01-16 12:15 . 2008-01-16 12:15 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-16 12:10 . 2008-01-17 16:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-16 08:56 . 2008-01-16 08:56 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-01-15 18:50 . 2006-07-20 23:21 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-01-13 14:02 . 2008-02-08 06:00 <DIR> d-------- C:\Program Files\Super_DVD_Creator_9.5
2008-01-13 13:39 . 2008-01-15 18:11 <DIR> d-------- C:\Program Files\MWOPro
2008-01-11 20:04 . 2008-01-11 20:04 65 --a------ C:\WINDOWS\FISHUI.INI
2008-01-11 19:32 . 2007-08-24 15:06 110,592 --a------ C:\WINDOWS\system32\TG_DUMP0708.DLL
2008-01-11 19:32 . 2007-06-12 15:54 102,400 --a------ C:\WINDOWS\system32\TG_VIEW0607.DLL
2008-01-11 19:32 . 2007-06-12 15:54 90,112 --a------ C:\WINDOWS\system32\TG_SYNC.DLL
2008-01-11 19:26 . 2008-01-11 19:26 <DIR> d-------- C:\Program Files\XviD
2008-01-11 19:26 . 2005-05-03 09:33 299,008 --a------ C:\WINDOWS\system32\LAME_MP3.dll
2008-01-11 19:26 . 2008-01-11 19:26 65,024 --a------ C:\WINDOWS\IFinst26.exe
2008-01-11 19:23 . 2008-01-11 19:23 <DIR> d-------- C:\Program Files\Samsung
2008-01-11 19:23 . 2008-01-11 19:23 <DIR> d-------- C:\Program Files\MarkAny
2008-01-11 19:23 . 2008-01-11 19:23 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\DataCast

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 20:11 --------- d-----w C:\Documents and Settings\Jason\Application Data\LimeWire
2008-02-02 15:54 --------- d-----w C:\Program Files\Microsoft Works
2008-02-02 02:21 --------- d-----w C:\Program Files\QuickTime
2008-01-26 03:39 720 ----a-w C:\Documents and Settings\Jason\Application Data\wklnhst.dat
2008-01-16 00:12 --------- d-----w C:\Program Files\Rhapsody
2008-01-15 22:55 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-12 01:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-09 23:25 4,683 ----a-w C:\WINDOWS\system32\suupdate.zip
2008-01-07 00:15 --------- d-----w C:\Program Files\music_now
2008-01-05 16:27 --------- d-----w C:\Program Files\NetWaiting
2008-01-05 16:19 --------- d-----w C:\Program Files\Google
2008-01-04 19:46 --------- d-----w C:\Program Files\eAcceleration
2008-01-04 17:55 --------- d-----w C:\Documents and Settings\Jason\Application Data\Apple Computer
2008-01-03 01:48 1,636,864 ----a-w C:\WINDOWS\system32\context.dll
2008-01-01 22:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Activision
2008-01-01 15:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\GameTap
2008-01-01 15:55 --------- d-----w C:\Program Files\GameTap
2008-01-01 15:54 --------- d-----w C:\Documents and Settings\Jason\Application Data\InstallShield
2007-12-31 03:44 --------- d-----w C:\Program Files\WinAce
2007-12-27 23:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-12-27 19:07 --------- d-----w C:\Program Files\iTunes
2007-12-27 19:07 --------- d-----w C:\Program Files\iPod
2007-12-27 19:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-27 19:06 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-27 19:06 --------- d-----w C:\Program Files\Apple Software Update
2007-12-27 19:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-12-26 19:12 --------- d-----w C:\Documents and Settings\Jason\Application Data\HP
2007-12-24 19:01 --------- d-----w C:\Documents and Settings\Jason\Application Data\CyberLink
2007-12-24 18:56 --------- d-----w C:\Program Files\CyberLink
2007-12-24 18:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-12-24 18:51 --------- d-----w C:\Program Files\Digital Photo Navigator 1.5
2007-12-21 23:11 --------- d-----w C:\Documents and Settings\Jason\Application Data\Template
2007-12-15 16:48 --------- d-----w C:\Documents and Settings\Jason\Application Data\EPSON
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-11 00:12 --------- d-----w C:\Program Files\support.com
2007-12-11 00:12 --------- d-----w C:\Program Files\Common Files\SupportSoft
2007-12-09 20:13 958,464 ----a-w C:\WINDOWS\vsfilter.dll
2007-12-09 20:13 921,600 ----a-w C:\WINDOWS\vorbisenc.dll
2007-12-09 20:13 92,728 ----a-w C:\WINDOWS\bass.dll
2007-12-09 20:13 892,928 ----a-w C:\WINDOWS\iconv.dll
2007-12-09 20:13 8,664 ----a-w C:\WINDOWS\bass_tta.dll
2007-12-09 20:13 66,048 ----a-w C:\WINDOWS\MP4.dll
2007-12-09 20:13 45,056 ----a-w C:\WINDOWS\ogg.dll
2007-12-09 20:13 438,272 ----a-w C:\WINDOWS\MpegAudio.dll
2007-12-09 20:13 33,240 ----a-w C:\WINDOWS\bass_ape.dll
2007-12-09 20:13 290,816 ----a-w C:\WINDOWS\MpegVideo.dll
2007-12-09 20:13 237,568 ----a-w C:\WINDOWS\OggDS.dll
2007-12-09 20:13 23,616 ----a-w C:\WINDOWS\bass_flac.dll
2007-12-09 20:13 23,552 ----a-w C:\WINDOWS\mkunicode.dll
2007-12-09 20:13 188,416 ----a-w C:\WINDOWS\vorbis.dll
2007-12-09 20:13 150,520 ----a-w C:\WINDOWS\bass_aac.dll
2007-12-09 20:13 12,784 ----a-w C:\WINDOWS\bass_alac.dll
2007-12-09 20:13 106,496 ----a-w C:\WINDOWS\GenDMOProp.dll
2007-12-02 18:15 45,056 ----a-w C:\WINDOWS\NCUNINST.EXE
2005-09-24 15:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 14:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-18 02:00 86016]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-01 18:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 12:33 163840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"eanth_system_patcher"="C:\Program Files\Acceleration Software\SystemPatcher\sys_alert .exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-18 02:00 7585792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-03-15 14:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 22:56 64512 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EverioService]
--------- 2006-11-22 21:10 151552 C:\Program Files\CyberLink\PCM4Everio\EverioService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MAAgent]
--a------ 2007-01-30 20:36 57344 C:\Program Files\MarkAny\ContentSafer\MAAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-08-18 02:00 7585792 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-08-18 02:00 1617920 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
--a------ 2006-07-11 22:55 102400 C:\Program Files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Super Utilities]
C:\Program Files\SuperLogix\Super Utilities\SuperUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-03-31 23:01 761946 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

R0 PEP_HKA;PEP_HKA;C:\WINDOWS\system32\Drivers\PEP_HKA.SYS [2007-11-12 16:19]
R0 pepbus;pepbus;C:\WINDOWS\system32\DRIVERS\pepbus.sys [2007-11-20 17:54]
R2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2007-12-13 13:52]
R3 Belkin Belkin 11Mbps Wireless USB Network Adapter(R);Belkin Belkin 11Mbps Wireless USB Network Adapter(R) Service for Belkin 11Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\bkusbxp.sys [2003-04-09 10:29]
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-05 17:49]
S3 pepscsi;pepscsi;C:\WINDOWS\system32\DRIVERS\pepscsi.sys [2007-11-20 17:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79f97ae6-a91c-11dc-a8ca-0030bd642131}]
\Shell\AutoRun\command - G:\Imageviewer.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-27 1946 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 16:26:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-10 16:26:40
ComboFix-quarantined-files.txt 2008-02-10 22:26:38
ComboFix2.txt 2008-02-09 22:27:56
ComboFix3.txt 2008-02-09 03:34:31
ComboFix4.txt 2008-02-02 16:40:52
ComboFix5.txt 2008-02-02 00:47:03
.
2008-01-17 20:17:30 --- E O F ---



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, February 12, 2008 5:37:56 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/02/2008
Kaspersky Anti-Virus database records: 560167
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 62782
Number of viruses found: 5
Number of infected objects: 34
Number of suspicious objects: 0
Duration of the scan process: 01:16:34

Infected Object Name / Virus Name / Last Action
C:\bf307892f25138a5503b3c002c906049\update\update.exe Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-02-12_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\Jason\.housecall6.6\Quarantine\A0027249.exe.bac_a03816 Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Jason\.housecall6.6\Quarantine\A0027258.dll.bac_a03816 Infected: not-a-virus:AdWare.Win32.Virtumonde.dyx skipped
C:\Documents and Settings\Jason\.housecall6.6\Quarantine\awvvs.exe.vir.bac_a03816 Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Jason\.housecall6.6\Quarantine\catchme2008-02-02_103919.95.zip.bac_a03816/awvvs.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dyx skipped
C:\Documents and Settings\Jason\.housecall6.6\Quarantine\catchme2008-02-02_103919.95.zip.bac_a03816/flfxsmij.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Jason\.housecall6.6\Quarantine\catchme2008-02-02_103919.95.zip.bac_a03816 ZIP: infected - 2 skipped
C:\Documents and Settings\Jason\.housecall6.6\Quarantine\catchme2008-02-02_103919.95.zip.bac_a03816 CryptFF.b: infected - 2 skipped
C:\Documents and Settings\Jason\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jason\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jason\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jason\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jason\Local Settings\Temp\hsperfdata_Jason\2468 Object is locked skipped
C:\Documents and Settings\Jason\Local Settings\Temp\~DF57DA.tmp Object is locked skipped
C:\Documents and Settings\Jason\Local Settings\Temp\~DF5817.tmp Object is locked skipped
C:\Documents and Settings\Jason\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jason\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Jason\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Jason\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\AdvancedCleaner\ADCcw.exe Infected: not-a-virus:FraudTool.Win32.AdvancedCleaner.a skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\aiqtadxc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\flfxsmij.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mhppjlrb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ottjrnxr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qvmfyqdb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\uxypsxgw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wraeaqdn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xxyvtts.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-01_181946.60.zip/hgggdbx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-01_181946.60.zip ZIP: infected - 1 skipped
C:\QooBox\Quarantine\catchme2008-02-02_103919.95.zip/flfxsmij.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-02_103919.95.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP69\A0026011.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP69\A0026012.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP69\A0026014.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP69\A0026067.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0026186.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP73\A0026187.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP77\A0026349.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP77\A0027217.exe Infected: not-a-virus:FraudTool.Win32.AdvancedCleaner.a skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78\A0027250.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78\A0027251.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78\A0027259.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP79\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP81\A0027384.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP81\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP86\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{FF4AE350-D3A2-40B0-B884-3610DE1C1DED}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
C:\WINDOWS\system32\msmq\storage\QMLog Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
videoman199 is offline  
Old 02-13-2008, 09:13 AM   #8 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
 
Join Date: Sep 2005
Location: Glasgow
Posts: 25,499
OS: Win XP Pro SP3 / Win 7 Pro


Blog Entries: 10
Re: Not sure if something is wrong

Hi again

Looking good.

Advanced Cleaner is a rogue application – have a look here

http://www.symantec.com/security_res...073111-4727-99

Although I don’t see it installed, there is a stray folder

Delete the following Folder indicated in BLUE if it still exists.

C:\Program Files\Common Files\AdvancedCleaner

Note: If it proves to be stubborn, you may have to boot to Safe Mode to delete it.


As for your C: drive, download the attached zip file to your desktop. Double click the zip and extract Query.bat to your desktop. Double click Query.bat to run it. Say yes to any prompts to merge with the Registry.

Let me know if that helps and how your system is running now.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner

Last edited by Glaswegian; 03-27-2008 at 04:10 PM.
Glaswegian is offline  
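The triage behind the "Looking good" verdict above can be made explicit. The following Python script is an added example, not part of the thread or of any tool mentioned in it: it parses Kaspersky Online Scanner report lines of the form posted in the previous reply and separates the one live detection (the AdvancedCleaner folder the helper asks to delete) from hits that already sit in HouseCall/ComboFix quarantine or in System Restore points, and from "Object is locked" noise. The quarantine path markers and the sample lines are constructed for the example; the line format is inferred from the posted report.

```python
"""Triage a Kaspersky Online Scanner 5.x report: keep the detections that are
still live on the system, and set aside quarantine and restore-point hits."""
import re
from collections import Counter
from dataclasses import dataclass

# One report line: <path> followed by one of three outcomes, then "skipped".
# Paths may contain spaces, so the path group is non-greedy and the whole
# pattern is anchored at both ends.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"(?P<locked>Object is locked)"
    r"|Infected: (?P<name>\S+)"
    r"|(?P<archive>[A-Za-z0-9.]+): infected - (?P<count>\d+)"
    r") skipped$"
)

# Assumed markers for already-contained objects, taken from the quarantine
# locations that appear in the posted report (HouseCall, ComboFix's QooBox).
QUARANTINE_MARKERS = ("\\quarantine\\", "\\qoobox\\")
RESTORE_MARKER = ":\\system volume information\\_restore"


@dataclass
class Finding:
    path: str
    detection: str
    category: str  # "live", "quarantined" or "restore_point"


def classify_path(path: str) -> str:
    """Decide whether an infected object still matters on the running system."""
    low = path.lower()
    if RESTORE_MARKER in low:
        return "restore_point"   # cleared when System Restore is flushed
    if any(marker in low for marker in QUARANTINE_MARKERS):
        return "quarantined"     # already neutralised by a removal tool
    return "live"                # needs manual action


def parse_report(text: str):
    """Return (findings, locked_count, unparsed_lines) for a report body."""
    findings, locked, unparsed = [], 0, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)      # headers, footers, unknown formats
            continue
        if m.group("locked"):
            locked += 1                # file held open by the OS, not a hit
            continue
        if m.group("name"):
            detection = m.group("name")
        else:
            detection = f"{m.group('archive')} archive: {m.group('count')} infected"
        path = m.group("path")
        findings.append(Finding(path, detection, classify_path(path)))
    return findings, locked, unparsed


def live_findings(text: str):
    """Only detections that are neither quarantined nor in a restore point."""
    findings, _, _ = parse_report(text)
    return [f for f in findings if f.category == "live"]


def summary(text: str) -> dict:
    """Counts per category plus locked and unparsed line counts."""
    findings, locked, unparsed = parse_report(text)
    counts = Counter(f.category for f in findings)
    return {"locked": locked, "unparsed": len(unparsed), **counts}


# Constructed sample, modelled on lines from the report posted above.
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\Jason\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jason\.housecall6.6\Quarantine\A0027249.exe.bac_a03816 Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Jason\.housecall6.6\Quarantine\catchme2008-02-02_103919.95.zip.bac_a03816/awvvs.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dyx skipped
C:\Program Files\Common Files\AdvancedCleaner\ADCcw.exe Infected: not-a-virus:FraudTool.Win32.AdvancedCleaner.a skipped
C:\QooBox\Quarantine\catchme2008-02-01_181946.60.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP77\A0026349.exe Infected: Trojan.Win32.Agent.cmn skipped
Scan process completed.
"""

if __name__ == "__main__":
    print(summary(SAMPLE_REPORT))
    for f in live_findings(SAMPLE_REPORT):
        print("LIVE:", f.path, "->", f.detection)
```

Run against the full posted report, the only "live" entry is the ADCcw.exe hit under C:\Program Files\Common Files\AdvancedCleaner; every other detection is inside a quarantine folder or a restore point, which is what "All your logs are clean" plus the later ComboFix /u cleanup relies on.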
Old 02-13-2008, 02:51 PM   #9 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 7
OS: xp home edition


Re: Not sure if something is wrong

I think that did it! I no longer have the red x of death and my computer seems to be running great! Thank you so much for all your time and help! I owe you a drink or something!

Thank you again!

Jason
videoman199 is offline  
Old 02-13-2008, 02:55 PM   #10 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 25,499
OS: Win XP Pro SP3 / Win 7 Pro
Re: Not sure if something is wrong

LOL - you are most welcome. Pint of lager will do nicely thanks.

All your logs are clean. If there are no more problems we’ll just tidy up and I’ll let you go, along with my recommendations for staying safe and secure.


Reset Hidden/System Files
To reset your hidden and system files:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.



The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Referring to the image below



Click Start > Run and copy/paste, or type the following bold text into the Run box and click OK:


ComboFix /u



Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here.


Ad-aware

Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here.


IE-SPYAD
IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here.


SnoopFree

SnoopFree is a real time monitor that notifies you when a programme wants to record your keystrokes or read your screen. Note that SnoopFree is only for XP systems.


MVPS Hosts File

The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.


Alternate Browsers

Try the following free alternate browsers rather than Internet Explorer
Firefox
Opera
Maxthon


Firewalls

A good firewall will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you do not have a firewall, here are 3 free ones available for personal use:
Comodo Personal Firewall
Sygate Personal Firewall
ZoneAlarm


Anti Virus Software

It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online antivirus scanners:
Anti-Spyware Tutorial

Here are three very good free Antivirus products which are available:
BitDefender Free
Avast!
AVG

It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.



Other Protection

Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.

ERUNT & NTREGOPT
ERUNT is a programme that will create automatic backups of your Registry. These backups can be used to help restore your system in the event of a serious crash.
NTREGOPT will compact and optimise your Registry, to assist the smooth running of your system.


Additional Reading
In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.

PC Safety & Security - What Do I Need?
Making Internet Explorer Safer.


Keep clean and safe and enjoy your computing!

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



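The MVPS HOSTS file advice above works because the resolver consults the HOSTS file before DNS, so a name mapped to 127.0.0.1 (or 0.0.0.0) never reaches the real server. The following is an added example, not code from the thread or from the MVPS project: it parses HOSTS-file text the way the resolver reads it (comments, several names per line, first mapping wins), reports which names are sinkholed, and checks the caveat the post raises, namely which real mappings you would lose if a company-provided HOSTS file were replaced wholesale. The hostnames and addresses in SAMPLE_HOSTS are constructed for the example and are not from the real MVPS list.

```python
"""Added example: how a HOSTS-file blocklist sinkholes lookups, plus a check
for entries that would be lost if an existing HOSTS file were replaced.
Not the MVPS project's code; sample data below is constructed."""
import ipaddress

# Constructed sample HOSTS content (hostnames are placeholders, not real sites).
SAMPLE_HOSTS = """\
# Comment lines and blank lines are ignored by the resolver
127.0.0.1       localhost
0.0.0.0         ads.example-tracker.test     # sinkholed: never reaches the ad server
127.0.0.1       banner.example-adnet.test www.banner.example-adnet.test
10.20.30.40     intranet.corp.example        # a company-provided mapping
::1             localhost
"""

# Addresses a blocklist uses to "black-hole" a name on the local machine.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}


def parse_hosts(text):
    """Return {hostname: address} from HOSTS text.

    The first mapping seen for a name wins, matching resolver behaviour.
    Lines with a malformed address are skipped rather than raising."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                            # address with no names
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                            # not an IP address; ignore
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def is_sinkholed(mapping, hostname):
    """True if the HOSTS mapping sends this name to a loopback/null address."""
    addr = mapping.get(hostname.lower())
    return addr is not None and addr in SINKHOLE_ADDRESSES


def classify(mapping):
    """Split a mapping into (blocked names, names with real addresses).
    'localhost' is excluded from the blocked list since it is a legitimate
    loopback entry, not a blocklist entry."""
    blocked = sorted(n for n, a in mapping.items()
                     if a in SINKHOLE_ADDRESSES and n != "localhost")
    real = sorted(n for n, a in mapping.items() if a not in SINKHOLE_ADDRESSES)
    return blocked, real


def entries_lost_if_replaced(current, replacement):
    """Real (non-sinkhole) mappings in the current HOSTS file that the
    replacement does not carry. A non-empty result is the case the post
    warns about: a company-provided HOSTS file should not simply be swapped
    for the blocklist."""
    return {name: addr for name, addr in current.items()
            if addr not in SINKHOLE_ADDRESSES and name not in replacement}


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    blocked, real = classify(hosts)
    print("sinkholed:", blocked)
    print("real mappings:", real)
    blocklist_only = parse_hosts("0.0.0.0 ads.example-tracker.test\n127.0.0.1 localhost\n")
    print("lost if replaced:", entries_lost_if_replaced(hosts, blocklist_only))
```

Two design points worth noting: lookups are case-insensitive because hostnames are, and a name that appears on two lines keeps its first address, so a blocklist appended below an existing mapping will not override it. The `entries_lost_if_replaced` check is the practical form of the post's caveat: merge the blocklist into an existing HOSTS file rather than overwriting it when that result is non-empty.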
Old 02-13-2008, 05:05 PM   #11 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 7
OS: xp home edition


Re: Not sure if something is wrong

Thank you again for all your help. My computer is running great and I will definitely take your advice on those programs.

Thanks!

Jason
Copyright 2001 - 2009, Tech Support Forum