services.exe overload

[monaghan]

a couple of days ago my computer started slowing down dramatically. services.exe memory usage started increasing up and up until around 700,000 K. The computer pretty much freezes up. I ran avast and had a couple of hits for Win32:Trojan-gen and one Win32:Sinowal-CR. Now services.exe doesn't increase as much, but also uses ~13%CPU. Also, I can no longer hibernate. It just freezes on the "preparing to hibernate" screen.

Any help would be appreciated. I have followed steps 1-5 and will paste the log results.


Deckard's System Scanner v20071014.68
Run by Marcois on 2008-03-21 22:05:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
39: 2008-03-22 02:05:24 UTC - RP39 - Deckard's System Scanner Restore Point
38: 2008-03-21 15:13:48 UTC - RP38 - Software Distribution Service 3.0
37: 2008-03-21 13:05:11 UTC - RP37 - Software Distribution Service 3.0
36: 2008-03-21 12:52:37 UTC - RP36 - Software Distribution Service 3.0
35: 2008-03-21 12:16:13 UTC - RP35 - Removed Norton Security Center


-- First Restore Point --
1: 2008-01-23 18:31:06 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-03-21 22:07:18
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Marcois\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [RemoveWGA] C:\Documents and Settings\Marcois\Local Settings\Temporary Internet Files\Content.IE5\GJZZQCT9\RemoveWGA.exe -startup
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.67 85.255.112.108
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.67 85.255.112.108
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.67 85.255.112.108
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\system32\WgaLogon.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O24 - Desktop Component 0: - file:///C:/DOCUME~1/Marcois/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 8173 bytes

-- HijackThis Fixed Entries (C:\Documents and Settings\Marcois\Desktop\backups\) --------------------------------------------------------------------------------

backup-20080321-171847-310 O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
backup-20080321-172506-110 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20080321-172506-138 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
backup-20080321-172506-275 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.actuality.fr.tc
backup-20080321-172506-296 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
backup-20080321-172506-308 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
backup-20080321-172506-933 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/go/notebookaccessories
backup-20080321-173226-274 O2 - BHO: (no name) - {63C1876E-8E8E-4C24-BB34-67723EA756D4} - C:\WINDOWS\system32\gebya.dll (file missing)
backup-20080321-173226-372 O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
backup-20080321-173226-505 O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
backup-20080321-173226-552 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20080321-173226-603 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
backup-20080321-173226-662 O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
backup-20080321-173226-667 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
backup-20080321-173226-747 O4 - HKCU\..\Policies\Explorer\Run: [{09ED71AC-06FE-1033-0804-050503310001}] "C:\Program Files\Common Files\{09ED71AC-06FE-1033-0804-050503310001}\Update.exe" mc-110-12-0000272
backup-20080321-173226-779 O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
backup-20080321-173226-815 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20080321-173226-829 O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
backup-20080321-173226-938 O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
backup-20080321-173226-952 O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Marcois/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>

S3 {FBE1D620-5418-4aae-A0F0-316D590663A1} - c:\windows\system32\{fbe1d620-5418-4aae-a0f0-316d590663a1} (file missing)
S3 BEHRINGER_2902 (usb-audio.de driver for BEHRINGER USB AUDIO) - c:\windows\system32\drivers\busb2902.sys <Not Verified; BEHRINGER; BEHRINGER USB AUDIO DRIVER>
S3 RDID1027 (EDIROL PCR) - c:\windows\system32\drivers\rdwm1027.sys <Not Verified; Roland Corporation; >
S3 RDID1047 (BOSS DR-880) - c:\windows\system32\drivers\rdwm1047.sys <Not Verified; Roland Corporation; >
S3 RDID1072 (Roland SP-555) - c:\windows\system32\drivers\rdwm1072.sys <Not Verified; Roland Corporation; >
S3 SamsonLLDriver (Samson LL Driver) - c:\windows\system32\drivers\samsonlldriver.sys <Not Verified; Samson; Samson MIC Family>
S3 SWWDM_multi (Samson Audio (WDM)) - c:\windows\system32\drivers\swaudwdm.sys <Not Verified; Samson; Samson Audio (WDM) Driver>
S3 TASCAM_US122144 (TASCAM USB 2.0 Audio Device driver) - c:\windows\system32\drivers\tascusb2.sys <Not Verified; TASCAM; TASCAM USB 2.0 Driver>
S3 TASCAM_US144_MIDI (TASCAM US-144 WDM MIDI Device) - c:\windows\system32\drivers\tscusb2m.sys <Not Verified; TASCAM; TASCAM US-122L/144 WDM MIDI Driver>
S3 TASCAM_US144_WDM (TASCAM US-144 WDM) - c:\windows\system32\drivers\tscusb2a.sys <Not Verified; TASCAM; TASCAM US-122L/144 WDM Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 EpsonBidirectionalService - c:\program files\common files\epson\ebapi\eebsvc.exe
R2 EPSONStatusAgent2 (EPSON Printer Status Agent2) - c:\program files\common files\epson\ebapi\sagent2.exe <Not Verified; SEIKO EPSON CORPORATION; EPSON Bidirectional Printer>
R2 hpqwmi (HP WMI Interface) - c:\program files\hpq\shared\hpqwmi.exe <Not Verified; Hewlett-Packard Development Company, L.P.; hpqwmi Module>

S4 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-03-21 22:07:00 366 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-02-21 and 2008-03-21 -----------------------------

2008-03-21 21:11:53 0 d-------- C:\Program Files\SpywareBlaster
2008-03-21 19:52:28 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-21 19:52:23 0 d-------- C:\WINDOWS\LastGood
2008-03-20 22:36:28 0 d-------- C:\Program Files\Alwil Software
2008-03-13 14:57:06 0 d-------- C:\Documents and Settings\LocalService\Application Data\Symantec
2008-03-07 00:58:09 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP


-- Find3M Report ---------------------------------------------------------------

2008-03-21 20:36:24 0 d-------- C:\Program Files\MSN Messenger
2008-03-21 20:25:17 0 d-------- C:\Program Files\Bonjour
2008-03-21 1734 0 d-------- C:\Program Files\Adware Away
2008-03-21 08:17:06 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-20 22:18:42 0 d-------- C:\Program Files\Common Files
2008-03-18 14:49:27 0 d-------- C:\Documents and Settings\Marcois\Application Data\uTorrent
2008-03-13 19:30:43 0 d-------- C:\Documents and Settings\Marcois\Application Data\AdobeUM
2008-02-15 20:11:35 0 d-------- C:\Documents and Settings\Marcois\Application Data\ZoomBrowser EX
2008-02-03 23:38:05 0 d-------- C:\Documents and Settings\Marcois\Application Data\Skype


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoveWGA"="C:\Documents and Settings\Marcois\Local Settings\Temporary Internet Files\Content.IE5\GJZZQCT9\RemoveWGA.exe" []
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [10/14/2004 04:54 PM]
"EPSON Stylus CX3200"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [07/01/2002 03:05 AM]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [12/03/2004 04:24 PM]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [02/17/2005 05:01 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [04/11/2005 01:00 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 09:00 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:00 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"IETI"=C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Marcois^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Marcois\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

*Newly Created Service* - RKPAVPROC



-- End of Deckard's System Scanner: finished at 2008-03-21 22:08:47 ------------

[monaghan]

Bumb!

[monaghan]

Bump!

[Ried]

Hello monaghan and welcome to TSF,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate. Also be sure to carry out the instructions in the sequence listed below.

***************************************************

1. Please download FixWareout and save it to your desktop.


2. Download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery mode. This allows us to help you in the case that your computer has a problem after an attempted removal of malware.

----------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Locate FixWareout on your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.

• The fix will begin, follow the prompts.
• You will be asked to reboot your computer, please do so.
• Your system may take longer than usual to load. This is normal.
• Once the desktop loads post the text that will open C:\fixwareout\report.txt which I will need in your next reply.

----------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

• When finished, it will produce a report for you which I will need in your next reply for further review.

----------------------------------------------------------------

Run a new scan with HijackThis.exe and save the log.

----------------------------------------------------------------

Please include the following in your next reply:

C:\fixwareout\report.txt
C:\ComboFix.txt
New HijackThis log

[monaghan]

Username "Marcois" - 03/29/2008 23:19:29 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.115.67 85.255.112.108" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"RemoveWGA"="C:\\Documents and Settings\\Marcois\\Local Settings\\Temporary Internet Files\\Content.IE5\\GJZZQCT9\\RemoveWGA.exe -startup"
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"EPSON Stylus CX3200"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P19 \"EPSON Stylus CX3200\" /O6 \"USB001\" /M \"Stylus CX3200\""
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdater]
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~



ComboFix 08-03-21.2 - Marcois 2008-03-29 23:26:36.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.749 [GMT -4:00]
Running from: C:\Documents and Settings\Marcois\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.

2008-03-29 23:19 . 2008-03-29 23:23 <DIR> d-------- C:\fixwareout
2008-03-29 23:00 . 2008-03-29 23:00 244 --ah----- C:\sqmnoopt03.sqm
2008-03-29 23:00 . 2008-03-29 23:00 232 --ah----- C:\sqmdata03.sqm
2008-03-29 22:53 . 2008-03-29 22:53 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-27 23:36 . 2008-03-27 23:42 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-27 21:54 . 2008-03-27 21:54 <DIR> d-------- C:\Program Files\PrevxCSI
2008-03-27 21:54 . 2008-03-29 12:05 10,880 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-03-27 21:53 . 2008-03-29 12:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-03-21 22:05 . 2008-03-21 22:05 <DIR> d-------- C:\Deckard
2008-03-21 21:11 . 2008-03-21 23:45 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-21 19:52 . 2008-03-21 23:45 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-21 19:52 . 2008-03-21 19:52 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-21 19:52 . 2008-03-21 19:52 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-21 19:52 . 2008-03-21 19:52 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-21 09:06 . 2008-03-21 10:53 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-03-21 08:40 . 2007-07-09 09:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-21 08:26 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-21 08:26 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-21 08:26 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-21 08:26 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-20 22:37 . 2007-12-04 08:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-03-20 22:37 . 2007-12-04 10:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-20 22:37 . 2007-12-04 10:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-20 22:37 . 2007-12-04 10:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-20 22:36 . 2008-03-20 22:36 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-20 22:36 . 2007-12-04 09:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-03-20 22:36 . 2004-01-09 05:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-03-20 22:36 . 2007-12-04 10:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-20 22:36 . 2007-12-04 10:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-16 16:34 . 2008-03-16 16:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-16 16:34 . 2008-03-16 16:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-15 12:19 . 2008-03-15 12:19 268 --ah----- C:\sqmdata02.sqm
2008-03-15 12:19 . 2008-03-15 12:19 244 --ah----- C:\sqmnoopt02.sqm
2008-03-13 14:57 . 2008-03-13 14:57 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Symantec
2008-03-07 00:58 . 2008-03-22 00:34 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-22 03:59 --------- d-----w C:\Program Files\Adware Away
2008-03-22 03:53 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-22 00:36 --------- d-----w C:\Program Files\MSN Messenger
2008-03-22 00:25 --------- d-----w C:\Program Files\Bonjour
2008-03-21 02:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-18 18:49 --------- d-----w C:\Documents and Settings\Marcois\Application Data\uTorrent
2008-03-13 23:30 --------- d-----w C:\Documents and Settings\Marcois\Application Data\AdobeUM
2008-02-16 00:11 --------- d-----w C:\Documents and Settings\Marcois\Application Data\ZoomBrowser EX
2008-02-16 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-02-04 03:38 --------- d-----w C:\Documents and Settings\Marcois\Application Data\Skype
2008-01-14 20:47 99,712 ----a-w C:\WINDOWS\HPBroker.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-07 14:37 3,059,200 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 13:07 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
2006-12-11 01:57 64,744 -c--a-w C:\Documents and Settings\Marcois\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-03-22_ 1.10.11.79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-08-26 18:27:58 45,056 ----a-w C:\WINDOWS\devenum.exe
+ 2007-04-03 19:08:34 344,664 ----a-w C:\WINDOWS\Downloaded Program Files\HPBasicDetection3.dll
+ 2008-01-22 16:41:40 206,208 ----a-w C:\WINDOWS\Downloaded Program Files\HPISDataManager.dll
+ 2007-04-30 21:09:12 34,360 ----a-w C:\WINDOWS\Downloaded Program Files\HPProductDetails.dll
+ 2007-04-30 21:09:50 83,512 ----a-w C:\WINDOWS\Downloaded Program Files\LogInfo.dll
+ 2007-05-15 20:33:20 251,448 ----a-w C:\WINDOWS\Downloaded Program Files\SysInfo.dll
+ 2008-01-22 01:34:22 465,472 ----a-w C:\WINDOWS\Downloaded Program Files\wlscBase.dll
+ 2007-10-16 14:29:08 40,960 ----a-w C:\WINDOWS\hpmonZ.exe
+ 2008-03-30 02:53:46 32,768 ----a-r C:\WINDOWS\Installer\{C04E32E0-0416-434D-AFB9-6969D703A9EF}\icon.exe
+ 2001-07-14 21:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
+ 2005-08-26 18:28:20 24,576 ----a-w C:\WINDOWS\shortcut.exe
+ 2004-08-04 13:00:00 209,408 ----a-w C:\WINDOWS\system32\dllcache\update.sys
- 2004-08-04 08:00:00 209,408 ----a-w C:\WINDOWS\system32\drivers\update.sys
+ 2004-08-04 13:00:00 209,408 ----a-w C:\WINDOWS\system32\drivers\update.sys
+ 2007-05-08 19:03:04 1,275,392 ----a-w C:\WINDOWS\system32\msxml4.dll
+ 2003-04-18 20:29:26 44,544 ----a-w C:\WINDOWS\system32\msxml4a.dll
+ 2003-04-18 20:29:26 82,432 ----a-w C:\WINDOWS\system32\msxml4r.dll
- 2008-03-22 04:19:34 64,966 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-30 03:25:59 64,966 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-22 04:19:34 408,648 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-30 03:25:59 408,648 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-30 03:21:19 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5a8.dat
+ 2005-08-26 18:28:34 143,360 ----a-w C:\WINDOWS\unzip.exe
+ 2007-05-08 1944 1,275,392 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\msxml4.dll
+ 2007-04-18 14:36:40 82,432 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoveWGA"="C:\Documents and Settings\Marcois\Local Settings\Temporary Internet Files\Content.IE5\GJZZQCT9\RemoveWGA.exe" [ ]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 16:54 253952]
"EPSON Stylus CX3200"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [2002-07-01 03:05 74752]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 16:24 290816]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 17:01 233534]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 13:00 339968]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 09:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IETI"="C:\Program Files\Skype\Phone\IEPlugin\unins000.exe" [ ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Marcois^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Marcois\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2006-02-23 16:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-08-17 03:45 23120680 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a--c--- 2005-02-02 08:11 692316 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a--c--- 2005-02-02 08:12 102492 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kazaa Lite K++\\klrun.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\utorrent\\utorrent.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"38037:TCP"= 38037:TCP:ppLive
"49035:UDP"= 49035:UDP:ppLive
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-03-29 12:05]
R2 CSIScanner;CSIScanner;"C:\Program Files\PrevxCSI\\PrevxCSI.exe" /service []
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-12-15 11:18]
S3 BEHRINGER_2902;usb-audio.de driver for BEHRINGER USB AUDIO;C:\WINDOWS\system32\Drivers\BUSB2902.sys [2006-07-03 07:34]
S3 RDID1027;EDIROL PCR;C:\WINDOWS\system32\Drivers\rdwm1027.sys [2003-10-31 06:59]
S3 RDID1047;BOSS DR-880;C:\WINDOWS\system32\Drivers\RDWM1047.SYS [2004-06-16 01:42]
S3 RDID1072;Roland SP-555;C:\WINDOWS\system32\Drivers\rdwm1072.sys [2007-04-13 01:17]
S3 SamsonLLDriver;Samson LL Driver;C:\WINDOWS\system32\Drivers\SamsonLLDriver.sys [2006-12-12 15:34]
S3 SWWDM_multi;Samson Audio (WDM);C:\WINDOWS\system32\drivers\SWAudWDM.sys [2006-12-12 15:34]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;C:\WINDOWS\system32\Drivers\tascusb2.sys [2007-02-01 14:38]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;C:\WINDOWS\system32\drivers\tscusb2m.sys [2007-02-01 14:38]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;C:\WINDOWS\system32\drivers\tscusb2a.sys [2007-02-01 14:38]
S3 XIRLINK;Veo Web Camera;C:\WINDOWS\system32\DRIVERS\ucdnt.sys [2003-05-08 21:53]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-30 03:27:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-29 23:30:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe???????????????|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-29 23:31:12
ComboFix-quarantined-files.txt 2008-03-30 03:30:50
ComboFix2.txt 2008-03-22 05:10:46
.
2008-03-30 02:53:47 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:40:13 PM, on 3/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\PrevxCSI\PrevxCSI.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Marcois\Desktop\HiJackThis_v2.exe
C:\WINDOWS\system32\taskmgr.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [RemoveWGA] C:\Documents and Settings\Marcois\Local Settings\Temporary Internet Files\Content.IE5\GJZZQCT9\RemoveWGA.exe -startup
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Cu...ataManager.CAB
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...lscbase370.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\\PrevxCSI.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Marcois/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 8345 bytes

[Ried]

You ran ComboFix twice. I need to see the results of that first run.

Click Start>Run and copy/paste the following into the Run box, click OK:

C:\Qoobox\ComboFix2.txt

The report should pop up for you. Please post the contents of that report in your next reply, along with an update on system behavior.

[monaghan]

Before I got your reply, I ran a virus scan by PrevixCsi and it found a 'RootKey' thing which I removed and now services.exe seems to be acting normal again. However, I cannot boot in Safe Mode, computer hangs while loading up the drivers.



ComboFix 08-03-21.2 - Marcois 2008-03-22 0:51:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.727 [GMT -4:00]
Running from: C:\Documents and Settings\Marcois\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\{09ED7~1
C:\WINDOWS\system32\_000005_.tmp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{FBE1D620-5418-4AAE-A0F0-316D590663A1}
-------\Service_{FBE1D620-5418-4aae-A0F0-316D590663A1}


((((((((((((((((((((((((( Files Created from 2008-02-22 to 2008-03-22 )))))))))))))))))))))))))))))))
.

2008-03-21 22:05 . 2008-03-21 22:05 <DIR> d-------- C:\Deckard
2008-03-21 21:11 . 2008-03-21 23:45 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-21 19:52 . 2008-03-21 23:45 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-21 19:52 . 2008-03-21 19:52 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-21 19:52 . 2008-03-21 19:52 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-21 19:52 . 2008-03-21 19:52 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-21 09:06 . 2008-03-21 10:53 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-03-21 08:40 . 2007-07-09 09:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-21 08:26 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-21 08:26 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-21 08:26 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-21 08:26 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-20 22:37 . 2007-12-04 08:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-03-20 22:37 . 2007-12-04 10:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-20 22:37 . 2007-12-04 10:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-20 22:37 . 2007-12-04 10:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-20 22:36 . 2008-03-20 22:36 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-20 22:36 . 2007-12-04 09:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-03-20 22:36 . 2004-01-09 05:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-03-20 22:36 . 2007-12-04 10:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-20 22:36 . 2007-12-04 10:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-16 16:34 . 2008-03-16 16:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-16 16:34 . 2008-03-16 16:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-15 12:19 . 2008-03-15 12:19 268 --ah----- C:\sqmdata02.sqm
2008-03-15 12:19 . 2008-03-15 12:19 244 --ah----- C:\sqmnoopt02.sqm
2008-03-13 14:57 . 2008-03-13 14:57 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Symantec
2008-03-07 00:58 . 2008-03-22 00:34 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-22 03:59 --------- d-----w C:\Program Files\Adware Away
2008-03-22 03:53 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-22 00:36 --------- d-----w C:\Program Files\MSN Messenger
2008-03-22 00:25 --------- d-----w C:\Program Files\Bonjour
2008-03-21 02:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-18 18:49 --------- d-----w C:\Documents and Settings\Marcois\Application Data\uTorrent
2008-03-13 23:30 --------- d-----w C:\Documents and Settings\Marcois\Application Data\AdobeUM
2008-02-16 00:11 --------- d-----w C:\Documents and Settings\Marcois\Application Data\ZoomBrowser EX
2008-02-16 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-02-04 03:38 --------- d-----w C:\Documents and Settings\Marcois\Application Data\Skype
2006-12-11 01:57 64,744 -c--a-w C:\Documents and Settings\Marcois\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoveWGA"="C:\Documents and Settings\Marcois\Local Settings\Temporary Internet Files\Content.IE5\GJZZQCT9\RemoveWGA.exe" [ ]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 16:54 253952]
"EPSON Stylus CX3200"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [2002-07-01 03:05 74752]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 16:24 290816]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 17:01 233534]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 13:00 339968]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 09:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IETI"="C:\Program Files\Skype\Phone\IEPlugin\unins000.exe" [ ]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Marcois^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Marcois\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2006-02-23 16:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-08-17 03:45 23120680 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a--c--- 2005-02-02 08:11 692316 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a--c--- 2005-02-02 08:12 102492 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kazaa Lite K++\\klrun.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\utorrent\\utorrent.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"38037:TCP"= 38037:TCP:ppLive
"49035:UDP"= 49035:UDP:ppLive
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-12-15 11:18]
S3 BEHRINGER_2902;usb-audio.de driver for BEHRINGER USB AUDIO;C:\WINDOWS\system32\Drivers\BUSB2902.sys [2006-07-03 07:34]
S3 RDID1027;EDIROL PCR;C:\WINDOWS\system32\Drivers\rdwm1027.sys [2003-10-31 06:59]
S3 RDID1047;BOSS DR-880;C:\WINDOWS\system32\Drivers\RDWM1047.SYS [2004-06-16 01:42]
S3 RDID1072;Roland SP-555;C:\WINDOWS\system32\Drivers\rdwm1072.sys [2007-04-13 01:17]
S3 SamsonLLDriver;Samson LL Driver;C:\WINDOWS\system32\Drivers\SamsonLLDriver.sys [2006-12-12 15:34]
S3 SWWDM_multi;Samson Audio (WDM);C:\WINDOWS\system32\drivers\SWAudWDM.sys [2006-12-12 15:34]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;C:\WINDOWS\system32\Drivers\tascusb2.sys [2007-02-01 14:38]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;C:\WINDOWS\system32\drivers\tscusb2m.sys [2007-02-01 14:38]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;C:\WINDOWS\system32\drivers\tscusb2a.sys [2007-02-01 14:38]
S3 XIRLINK;Veo Web Camera;C:\WINDOWS\system32\DRIVERS\ucdnt.sys [2003-05-08 21:53]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-22 05:07:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-22 01:02:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????5?3?0?0??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\locator.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-22 1:10:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-22 05:10:33
.
2008-03-21 15:16:52 --- E O F ---

[Ried]

Quote:

I ran a virus scan by PrevixCsi and it found a 'RootKey' thing which I removed and now services.exe seems to be acting normal again.

Is there a report from that tool? Can you provide more detail--exactly what did it remove? I would need to full file path and file name, or registry entry that it removed.

[monaghan]

I can't find what it removed. I found the log of the scan it did before it "cleaned up" my system, maybe this will help. the log is attached, and below is what it said it found.



Summary:
ROOTKIT-\\.\PhysicalDrive0\MBR - [512] >> Hidden Disk Sectors
Note: Some of the above entries may be from previous scans or cleaned infections.


End of PrevxCSI Log - http://www.prevx.com

[Ried]

Quote:

I ran a virus scan by PrevixCsi and it found a 'RootKey' thing which I removed and now services.exe seems to be acting normal again. However, I cannot boot in Safe Mode, computer hangs while loading up the drivers.
.

1. When did that Prevx removal take place--before or after your second run of ComboFix (which you ran on 3/29 at 23:26)

2. Please run a new scan with dss.exe and post the main.txt

[monaghan]

The Prevx removal took place before the second Combo Fix scan.


Deckard's System Scanner v20071014.68
Run by Marcois on 2008-03-31 18:48:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Marcois.exe) ---------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-03-31 18:56:08
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\PrevxCSI\PrevxCSI.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Microsoft ActiveSync\rapimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\PrevxCSI\PrevxCSI.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Marcois\Desktop\dss.exe
C:\Program Files\Trend Micro\HijackThis\Marcois.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [RemoveWGA] C:\Documents and Settings\Marcois\Local Settings\Temporary Internet Files\Content.IE5\GJZZQCT9\RemoveWGA.exe -startup
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" /bootupreg
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Cu...ataManager.CAB
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...lscbase370.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{AA05AABA-C23A-43CA-BA35-A14973738229}: NameServer = 207.69.188.187 207.69.188.186
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\system32\WgaLogon.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\\PrevxCSI.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O24 - Desktop Component 0: - file:///C:/DOCUME~1/Marcois/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 9321 bytes

-- Files created between 2008-02-29 and 2008-03-31 -----------------------------

2008-03-31 18:52:24 0 d-------- C:\Program Files\Trend Micro
2008-03-29 23:13:33 0 dr-hs---- C:\cmdcons
2008-03-29 23:13:31 0 d-------- C:\WINDOWS\setup.pss
2008-03-29 23:13:17 0 d-------- C:\WINDOWS\setupupd
2008-03-29 22:53:43 0 d-------- C:\Program Files\MSXML 4.0
2008-03-27 23:36:52 0 d-------- C:\Program Files\Windows Live Safety Center
2008-03-27 21:54:12 10880 --a------ C:\WINDOWS\system32\drivers\pxark.sys <Not Verified; ; Prevx CSI>
2008-03-27 21:54:11 0 d-------- C:\Program Files\PrevxCSI
2008-03-27 21:53:47 0 d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-03-22 00:49:47 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-03-22 00:49:47 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-03-22 00:49:47 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-03-22 00:49:47 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-21 21:11:53 0 d-------- C:\Program Files\SpywareBlaster
2008-03-21 19:52:28 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-20 22:36:28 0 d-------- C:\Program Files\Alwil Software
2008-03-13 14:57:06 0 d-------- C:\Documents and Settings\LocalService\Application Data\Symantec
2008-03-07 00:58:09 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP


-- Find3M Report ---------------------------------------------------------------

2008-03-22 00:56:03 0 d-------- C:\Program Files\Common Files
2008-03-21 23:59:24 0 d-------- C:\Program Files\Adware Away
2008-03-21 23:53:42 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-21 20:36:24 0 d-------- C:\Program Files\MSN Messenger
2008-03-21 20:25:17 0 d-------- C:\Program Files\Bonjour
2008-03-18 14:49:27 0 d-------- C:\Documents and Settings\Marcois\Application Data\uTorrent
2008-03-13 19:30:43 0 d-------- C:\Documents and Settings\Marcois\Application Data\AdobeUM
2008-02-15 20:11:35 0 d-------- C:\Documents and Settings\Marcois\Application Data\ZoomBrowser EX
2008-02-03 23:38:05 0 d-------- C:\Documents and Settings\Marcois\Application Data\Skype


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoveWGA"="C:\Documents and Settings\Marcois\Local Settings\Temporary Internet Files\Content.IE5\GJZZQCT9\RemoveWGA.exe" []
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [10/14/2004 04:54 PM]
"EPSON Stylus CX3200"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [07/01/2002 03:05 AM]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [12/03/2004 04:24 PM]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [02/17/2005 05:01 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [04/11/2005 01:00 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 09:00 AM]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [03/27/2008 09:53 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:00 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/13/2006 01:39 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"IETI"=C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Marcois^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Marcois\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe




-- End of Deckard's System Scanner: finished at 2008-03-31 18:56:55 ------------

[Ried]

If there were an issue with Safe Mode boot, it would have been indicated in the second ComboFix.txt, and the main.txt as well.

Have you tried to entering Safe Mode since the 2nd run of ComboFix?

[monaghan]

Actually, not being able to load Safe Mode has been a problem for 2 years and is unrelated to the services.exe problem, just thought you might know something about that. Mainly just want to make sure I fixed the services.exe overload problem and that my scans look good. If you have any ideas about the safe mode thing that would be great too. I think it might be my hard drive. I ran the dard drive self test in the BIOS and it got a Fail message.

[Ried]

Since the focus of this section is malware removal, you'd really do best talking to the folks in the Hard Drive Support

========================

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will clear out ComboFix.exe, as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

• It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

[monaghan]

OK, thanks a lot for your help.

[Ried]

You're welcome. Take care.