Post #1 - 10-05-2008, 06:34 PM - tolowmp5 (Registered User; Join Date: Oct 2008; Posts: 6; OS: XP SP3)

IE POP UPS still

I had a problem with the task bar being taken over with a "virus alert" beside the clock, and my local drive disappeared, so I followed steps I found in a thread here. I used Malwarebytes Anti-Malware, which fixed 99.9 percent of the problems, but I still have an advertisement pop-up coming up in IE, which I don't use at all. Since then I have run a full scan with Windows Defender, McAfee VirusScan Enterprise 8.5.0i and Malwarebytes again, but they all find nothing. So here is my HJT log file; hopefully someone can help. Thanks.
Logfile of HijackThis v1.99.1
Scan saved at 7:53:46 PM, on 10/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\windows\system32\svchost.exe
C:\windows\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\windows\system32\CTHELPER.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\Mike\Application Data\Gool\Gool.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Documents and Settings\Mike\Application Data\mjusbsp\magicJack.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: (no name) - {62CC302E-8074-4416-BADC-C2306E39538C} - (no file)
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Mike\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [Gool] "C:\Documents and Settings\Mike\Application Data\Gool\Gool.exe"
O4 - Global Startup: APC UPS Status.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe Version Cue CS3 - Unknown owner - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" -win32service (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)
Post #2 - 10-08-2008, 01:03 PM - amateur (Moderator, Analyst, Security Team; Rangemaster, TSF Academy; Join Date: Jun 2006; Location: USA; Posts: 7,463; OS: XP SP3)

Re: IE POP UPS still

Hello and welcome to TSF.

Apologies for the long delay in response. We have a large number of HijackThis logs to handle and it's taking us longer to catch up. If you haven't received help elsewhere already and still require assistance please perform the following:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log.

===========================

The version of HijackThis you are using is outdated. Please do the following to download and install the latest version, HijackThis v2.0.2:

CLICK HERE to download the HijackThis Installer:
  1. Save HJTInstall.exe to your desktop.
  2. Double-click on HJTInstall.exe to run the program.
  3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  4. Accept the license agreement by clicking the "I Accept" button.
  5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  6. Click "Save log" to save the log file and then the log will open in Notepad.
  7. Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
  8. Come back here to this thread and paste the log in your next reply.
  9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

You may uninstall/delete the older version once you have successfully downloaded and installed the latest version of HijackThis v2.0.2.


Please note that the forum is very busy and if I don't hear from you in three days this thread will be closed.
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006

Last edited by amateur; 10-08-2008 at 01:06 PM.
Post #3 - 10-08-2008, 02:53 PM - tolowmp5 (Registered User; Join Date: Oct 2008; Posts: 6; OS: XP SP3)

Re: IE POP UPS still

I had run SDFix, as it is part of the first 5 steps, but forgot to put that in my last post. Sorry. Here are the report.txt and the new HJT log. Thanks for your help, Mike

SDFix: Version 1.231
Run by Administrator on Sun 10/05/2008 at 11:50 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\Mike\Application Data\Adobe\crc.dat - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-05 11:59:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="C:\Program Files\DAEMON Tools Pro\"
"h0"=dword:00000000
"hdf12"=hex:78,08,75,11,62,e5,7e,e2,ab,32,62,98,7f,8b,79,ab,17,b0,01,87,04,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,69,d6,d8,8f,dc,87,74,66,09,44,0c,3e,d7,07,b7,ff,5f,..
"hdf12"=hex:93,b4,f2,0c,45,df,a0,7f,9a,19,2e,3c,23,e4,8d,00,16,b9,43,ec,f3,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:6c,ba,07,79,05,65,68,63,4b,21,56,15,4f,a9,4a,ed,a3,2f,ae,8f,54,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="C:\Program Files\DAEMON Tools Pro\"
"h0"=dword:00000000
"hdf12"=hex:78,08,75,11,62,e5,7e,e2,ab,32,62,98,7f,8b,79,ab,17,b0,01,87,04,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,69,d6,d8,8f,dc,87,74,66,09,44,0c,3e,d7,07,b7,ff,5f,..
"hdf12"=hex:93,b4,f2,0c,45,df,a0,7f,9a,19,2e,3c,23,e4,8d,00,16,b9,43,ec,f3,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:6c,ba,07,79,05,65,68,63,4b,21,56,15,4f,a9,4a,ed,a3,2f,ae,8f,54,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"="C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server"
"F:\\SETUP.EXE"="F:\\SETUP.EXE:*:Enabled:Setup"
"C:\\Documents and Settings\\Mike\\Application Data\\mjusbsp\\magicJack.exe"="C:\\Documents and Settings\\Mike\\Application Data\\mjusbsp\\magicJack.exe:*:Enabled:magicJack"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 13 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 24 Sep 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 3 Oct 2008 0 A..H. --- "C:\Documents and Settings\Mike\Local Settings\Temp\BIT9.tmp"
Fri 22 Aug 2008 714,376 A..H. --- "C:\Documents and Settings\Mike\Application Data\mjusbsp\ar00000\install.exe"
Fri 22 Aug 2008 7,397,344 A..H. --- "C:\Documents and Settings\Mike\Application Data\mjusbsp\in00000\setup.exe"
Fri 22 Aug 2008 714,376 A..H. --- "C:\Documents and Settings\Mike\Application Data\mjusbsp\Upgrade\install1.exe"
Fri 22 Aug 2008 7,397,344 A..H. --- "C:\Documents and Settings\Mike\Application Data\mjusbsp\Upgrade\setup1.exe"

Finished!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:52:51 PM, on 10/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\windows\system32\svchost.exe
C:\windows\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\windows\system32\CTHELPER.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\Mike\Application Data\Gool\Gool.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Documents and Settings\Mike\Application Data\mjusbsp\magicJack.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\windows\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: (no name) - {62CC302E-8074-4416-BADC-C2306E39538C} - (no file)
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Mike\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [Gool] "C:\Documents and Settings\Mike\Application Data\Gool\Gool.exe"
O4 - Global Startup: APC UPS Status.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)

--
End of file - 9490 bytes

Last edited by tolowmp5; 10-08-2008 at 02:55 PM.
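The SDFix report above carries two sections worth auditing beyond the "Trojan Files Found" list: the Windows Firewall exception export (.reg-style lines of the form "path"="path:scope:Enabled:name", with backslashes doubled) and the hidden-attribute file list. The script below is an added example, not part of the thread or of SDFix, and its classification rules are the editor's assumptions. It parses those sections and flags exceptions for programs outside Windows/Program Files (the F:\SETUP.EXE entry, the magicJack executable under Application Data), hidden executables in profile directories, and double-extension names such as the pwrmgr.exe.bat listed in the report further down the thread. The sample input is a constructed excerpt of report lines from this thread; the µTorrent display name is spelled in ASCII there.

```python
"""Audit the firewall-exception export, hidden-file list and deleted-file list
of an SDFix report. Added example with the editor's own rules; not part of
SDFix or of this thread. A flag means "look at this", not "infected"."""
import re
from dataclasses import dataclass
from typing import List

# Constructed excerpt: lines copied from the SDFix reports in this thread
# (the deleted .exe.bat file is from the later report; uTorrent's name is ASCII here).
SAMPLE_REPORT = r"""
Trojan Files Found:

C:\DOCUME~1\Mike\LOCALS~1\Temp\pwrmgr.exe.bat - Deleted

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:uTorrent"
"F:\\SETUP.EXE"="F:\\SETUP.EXE:*:Enabled:Setup"
"C:\\Documents and Settings\\Mike\\Application Data\\mjusbsp\\magicJack.exe"="C:\\Documents and Settings\\Mike\\Application Data\\mjusbsp\\magicJack.exe:*:Enabled:magicJack"

Files with Hidden Attributes :

Sun 13 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Fri 3 Oct 2008 0 A..H. --- "C:\Documents and Settings\Mike\Local Settings\Temp\BIT9.tmp"
Fri 22 Aug 2008 7,397,344 A..H. --- "C:\Documents and Settings\Mike\Application Data\mjusbsp\in00000\setup.exe"

Finished!
"""


@dataclass
class Flag:
    section: str
    severity: str   # "info" or "review"
    reason: str
    path: str


SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*$")
# One value line of the .reg-style export: "<path>"="<path>:<scope>:<Enabled|Disabled>:<name>"
FW_RE = re.compile(
    r'^"(?P<key>[^"]+)"="(?P<path>.*?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)"$', re.I)
# <dow> <d> <mon> <yyyy> <size> <attrs> --- "<path>"
HIDDEN_RE = re.compile(
    r'^[A-Za-z]{3} \d{1,2} [A-Za-z]{3} \d{4}\s+([\d,]+)\s+([A-Z.]{5})\s+---\s+"(.+)"$')
DELETED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?)\s+-\s+(?P<note>.*)$")

EXEC_EXT = r"(?:exe|dll|com|scr|bat|cmd|pif)"
EXEC_RE = re.compile(r"\." + EXEC_EXT + r"$", re.I)
DOUBLE_EXT_RE = re.compile(r"\.(?:exe|dll|com|scr)\." + EXEC_EXT + r"$", re.I)
USER_PROFILE_RE = re.compile(r"\\(?:documents and settings|docume~1|users)\\[^\\]+\\", re.I)
SYSTEM_DIR_RE = re.compile(r"^(?:%windir%|%systemroot%|[A-Za-z]:\\(?:windows|program files))\\", re.I)


def _reg_unescape(value: str) -> str:
    """Collapse the doubled backslashes of .reg string values."""
    return value.replace("\\\\", "\\")


def _check_firewall(section: str, line: str) -> List[Flag]:
    m = FW_RE.match(line)
    if not m or m.group("state").lower() != "enabled":
        return []   # key headers, non-value lines, disabled exceptions
    path = _reg_unescape(m.group("path"))
    if USER_PROFILE_RE.search(path):
        return [Flag(section, "review", "inbound exception for a program in a user-writable profile directory", path)]
    if not SYSTEM_DIR_RE.match(path):
        return [Flag(section, "review", "inbound exception for a program outside Windows/Program Files (removable drive or odd path)", path)]
    return [Flag(section, "info", f"exception '{m.group('name')}' in a standard location", path)]


def _check_hidden(section: str, line: str) -> List[Flag]:
    m = HIDDEN_RE.match(line)
    if not m:
        return []
    _size, attrs, path = m.groups()
    if not EXEC_RE.search(path):
        return []   # hidden data/temp files are routine
    if USER_PROFILE_RE.search(path):
        return [Flag(section, "review", f"hidden executable ({attrs}) in a user-writable profile directory", path)]
    if "S" in attrs:
        return [Flag(section, "review", f"system+hidden executable ({attrs}); verify publisher and hash", path)]
    return []


def _check_deleted(section: str, line: str) -> List[Flag]:
    m = DELETED_RE.match(line)
    if m and DOUBLE_EXT_RE.search(m.group("path")):
        return [Flag(section, "review", "double extension mimics a legitimate binary name; find what dropped it", m.group("path"))]
    return []


CHECKS = {
    "Authorized Application Key Export": _check_firewall,
    "Files with Hidden Attributes": _check_hidden,
    "Trojan Files Found": _check_deleted,
}


def audit_report(text: str) -> List[Flag]:
    """Walk the report section by section and collect flags in report order."""
    flags: List[Flag] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sm = SECTION_RE.match(line)
        if sm:
            section = sm.group(1).strip()
            continue
        check = CHECKS.get(section)
        if check:
            flags.extend(check(section, line))
    return flags


if __name__ == "__main__":
    for f in audit_report(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.path}")
```

Firewall exceptions are worth this attention because a malware installer that adds itself to the authorized-applications list keeps an inbound listener reachable after the cleanup tools have run; the F:\SETUP.EXE entry is the kind of line to ask the user about (which disc or USB stick was that, and is it still plugged in). The hidden-attribute check ignores data files on purpose; a hidden executable in a profile directory is the signal, a hidden .tmp is noise.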
Post #4 - 10-08-2008, 03:20 PM - amateur (Moderator, Analyst, Security Team; Rangemaster, TSF Academy; Join Date: Jun 2006; Location: USA; Posts: 7,463; OS: XP SP3)

Re: IE POP UPS still

Hi,

Quote:
    I had run SDFix as it is part of the first 5 steps
You must be mistaken. I am pretty sure that scanning with SDFix is not required anywhere in the 5 Steps.

Please re-do it with my instructions in Safe Mode <====this is important.

================================

Next, please visit this webpage for download links, and instructions to run Combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (use the instructions for "If you use Windows XP and do not have the Windows CD").

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
Old 10-08-2008, 07:30 PM   #5 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 6
OS: xp sp3


Re: IE POP UPS still

So I did SDFix in Safe Mode and ComboFix, and I can't run or re-install HJT as it just causes an error because MSVBVM60.DLL WAS NOT FOUND. After running these 2 programs the pop-ups still come up. Hopefully these logs will help. Thanks.
SDFix: Version 1.231
Run by Mike on Wed 10/08/2008 at 08:49 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\Mike\LOCALS~1\Temp\pwrmgr.exe.bat - Deleted
C:\DOCUME~1\Mike\LOCALS~1\Temp\smchk.exe.bat - Deleted
C:\DOCUME~1\Mike\LOCALS~1\Temp\windfr.exe.bat - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-08 20:58:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="C:\Program Files\DAEMON Tools Pro\"
"h0"=dword:00000000
"hdf12"=hex:78,08,75,11,62,e5,7e,e2,ab,32,62,98,7f,8b,79,ab,17,b0,01,87,04,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,69,d6,d8,8f,dc,87,74,66,09,44,0c,3e,d7,07,b7,ff,5f,..
"hdf12"=hex:93,b4,f2,0c,45,df,a0,7f,9a,19,2e,3c,23,e4,8d,00,16,b9,43,ec,f3,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:55,70,d4,f0,6d,33,24,40,7a,e2,05,36,db,52,81,7e,ad,cd,df,0c,06,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="C:\Program Files\DAEMON Tools Pro\"
"h0"=dword:00000000
"hdf12"=hex:78,08,75,11,62,e5,7e,e2,ab,32,62,98,7f,8b,79,ab,17,b0,01,87,04,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,69,d6,d8,8f,dc,87,74,66,09,44,0c,3e,d7,07,b7,ff,5f,..
"hdf12"=hex:93,b4,f2,0c,45,df,a0,7f,9a,19,2e,3c,23,e4,8d,00,16,b9,43,ec,f3,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:55,70,d4,f0,6d,33,24,40,7a,e2,05,36,db,52,81,7e,ad,cd,df,0c,06,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"="C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server"
"F:\\SETUP.EXE"="F:\\SETUP.EXE:*:Enabled:Setup"
"C:\\Documents and Settings\\Mike\\Application Data\\mjusbsp\\magicJack.exe"="C:\\Documents and Settings\\Mike\\Application Data\\mjusbsp\\magicJack.exe:*:Enabled:magicJack"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 13 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 24 Sep 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 22 Aug 2008 714,376 A..H. --- "C:\Documents and Settings\Mike\Application Data\mjusbsp\ar00000\install.exe"
Fri 22 Aug 2008 7,397,344 A..H. --- "C:\Documents and Settings\Mike\Application Data\mjusbsp\in00000\setup.exe"
Fri 22 Aug 2008 714,376 A..H. --- "C:\Documents and Settings\Mike\Application Data\mjusbsp\Upgrade\install1.exe"
Fri 22 Aug 2008 7,397,344 A..H. --- "C:\Documents and Settings\Mike\Application Data\mjusbsp\Upgrade\setup1.exe"

Finished!

ComboFix 08-10-08.02 - Mike 2008-10-08 21:14:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1570 [GMT -4:00]
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\CPV.stt
C:\windows\ppatch~1
J:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-09-09 to 2008-10-09 )))))))))))))))))))))))))))))))
.

2008-10-08 19:07 . 2008-10-08 19:08 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\vlc
2008-10-08 19:04 . 2008-10-08 19:04 <DIR> d-------- C:\Program Files\VideoLAN
2008-10-08 18:47 . 2008-10-08 18:51 <DIR> d-------- C:\Program Files\SatelliteTVforPC
2008-10-08 18:46 . 2008-10-08 18:51 <DIR> d-------- C:\WINDOWS\uninstall
2008-10-08 17:27 . 2008-10-08 17:27 <DIR> d-------- C:\WINDOWS\Solcache
2008-10-08 17:27 . 1997-07-24 09:18 621,568 --a------ C:\WINDOWS\system32\SIERRANW.DLL
2008-10-08 17:27 . 1997-07-24 10:06 228,352 --a------ C:\WINDOWS\system32\SNWVALID.DLL
2008-10-08 17:27 . 1997-04-16 09:33 18,798 --a------ C:\WINDOWS\system32\SIGS.DIB
2008-10-08 17:27 . 1997-04-15 15:54 10,700 --a------ C:\WINDOWS\system32\SNWVALID.HLP
2008-10-08 17:22 . 2008-10-08 17:22 <DIR> d-------- C:\SIERRA
2008-10-08 17:22 . 2008-10-08 17:45 <DIR> d-------- C:\Program Files\Sierra On-Line
2008-10-08 17:21 . 2008-10-08 17:21 <DIR> d-------- C:\Documents and Settings\Mike\WINDOWS
2008-10-08 17:21 . 1997-07-14 17:42 314,880 --a------ C:\WINDOWS\IsUninst.exe
2008-10-08 17:21 . 2008-10-08 17:45 710 --a------ C:\WINDOWS\SIERRA.INI
2008-10-08 16:52 . 2008-10-08 16:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-06 20:14 . 2008-10-06 20:16 18,073 --a------ C:\WINDOWS\CSTBox.INI
2008-10-06 20:11 . 2008-10-06 20:16 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Canon
2008-10-06 09:38 . 2008-10-08 12:06 <DIR> d-------- C:\Documents and Settings\Mike\awc_ontcuple
2008-10-05 20:14 . 2008-10-05 20:15 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-10-05 20:14 . 2008-10-05 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-05 20:14 . 2005-08-25 19:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-10-05 11:49 . 2008-10-05 11:49 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-10-05 11:47 . 2008-10-05 11:47 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-05 11:41 . 2008-10-08 21:00 <DIR> d-------- C:\SDFix
2008-10-05 02:20 . 2008-04-13 14:45 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-10-05 02:20 . 2008-04-13 14:45 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-10-05 02:05 . 2008-10-05 02:06 <DIR> d--h----- C:\CanoScan
2008-10-05 02:05 . 2002-05-24 03:04 389,180 --a------ C:\WINDOWS\system32\UCS32P.DLL
2008-10-05 02:05 . 2003-09-17 17:35 339,968 --a------ C:\WINDOWS\system32\N067UFW.DLL
2008-10-05 02:05 . 2002-09-12 01:07 36,864 --a------ C:\WINDOWS\system32\CNQU70.DLL
2008-10-04 23:09 . 2008-10-04 23:09 <DIR> d--h----- C:\Program Files\Zenographics
2008-10-04 23:09 . 2005-05-31 17:46 282,624 -ra------ C:\WINDOWS\system32\zshp2600.exe
2008-10-04 23:09 . 2005-05-31 17:46 155,648 -ra------ C:\WINDOWS\system32\HP2600IR.dll
2008-10-04 23:09 . 2005-05-31 17:46 114,688 -ra------ C:\WINDOWS\system32\vshp2600.dll
2008-10-04 23:09 . 2005-05-31 17:46 86,016 -ra------ C:\WINDOWS\system32\ZSPOOL.DLL
2008-10-04 23:09 . 2005-05-31 17:46 86,016 -ra------ C:\WINDOWS\system32\zlhp2600.dll
2008-10-04 23:09 . 2005-05-31 17:46 28,672 -ra------ C:\WINDOWS\system32\zlm.dll
2008-10-04 23:09 . 2005-05-31 17:46 24,576 -ra------ C:\WINDOWS\system32\ZTAG32.DLL
2008-10-04 23:09 . 2005-05-31 17:46 7,294 -ra------ C:\WINDOWS\system32\ZSHP2600.HLP
2008-10-04 23:08 . 2008-10-04 23:09 628 --a------ C:\WINDOWS\hpntwksetup.ini
2008-10-04 23:04 . 2008-10-04 23:09 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-10-04 22:22 . 2008-10-04 22:22 <DIR> d-------- C:\Program Files\Canon
2008-10-04 18:15 . 2008-10-04 19:04 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-04 18:15 . 2008-10-04 18:15 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-10-04 18:15 . 2008-10-04 18:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-04 18:15 . 2008-09-10 00:08 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-04 18:15 . 2008-09-10 00:08 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-03 23:33 . 2008-10-03 23:33 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Gool
2008-10-03 23:31 . 2008-10-03 23:31 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-10-03 23:31 . 2008-10-03 23:31 <DIR> d-------- C:\Documents and Settings\Mike\Incomplete
2008-10-03 20:24 . 2008-10-03 23:22 <DIR> d-------- C:\Program Files\Windows Defender
2008-10-02 21:22 . 2008-10-02 21:22 <DIR> d-------- C:\Program Files\GameHouse
2008-10-02 12:16 . 2008-10-02 12:16 <DIR> d-------- C:\WINDOWS\Samsung
2008-10-02 12:16 . 2006-03-24 01:18 454,656 --a------ C:\WINDOWS\ssndii.exe
2008-10-02 12:16 . 2003-04-18 16:29 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-10-02 12:16 . 2000-08-04 01:52 21,776 --a------ C:\WINDOWS\system32\msxml2a.dll
2008-10-02 12:15 . 2008-10-02 12:15 <DIR> d-------- C:\WINDOWS\system32\drivers\Samsung
2008-10-02 12:15 . 2008-10-03 23:23 <DIR> d-------- C:\WINDOWS\ML-2510_GDI
2008-10-02 12:15 . 2008-10-02 12:15 <DIR> d-------- C:\Program Files\Samsung
2008-10-02 12:15 . 2005-03-03 13:32 151,552 --a------ C:\WINDOWS\system32\SUGO3CI.exe
2008-10-02 12:15 . 2005-03-03 19:09 57,344 --a------ C:\WINDOWS\system32\SUGO3CI.dll
2008-10-02 12:15 . 2004-08-11 15:39 41,984 --------- C:\WINDOWS\system32\drivers\DGIVECP.SYS
2008-10-02 12:15 . 2008-04-13 14:47 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-10-02 12:15 . 2008-04-13 14:47 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-10-02 12:15 . 2006-01-02 15:42 22,663 --a------ C:\WINDOWS\system32\sugo3LMK.DLL
2008-10-02 12:15 . 2005-07-09 05:54 11,502 --------- C:\WINDOWS\Dr. Printer Icon.ico
2008-10-02 12:15 . 2005-12-13 16:03 555 --a------ C:\WINDOWS\system32\sugo3LMK.SMT
2008-10-01 23:47 . 2008-10-03 23:23 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\DivX
2008-10-01 23:46 . 2008-10-03 23:23 <DIR> d-------- C:\Program Files\DivX
2008-10-01 21:40 . 2008-10-01 21:40 <DIR> d-------- C:\Program Files\HalloweenPack
2008-10-01 20:20 . 2008-10-01 20:20 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Thinstall
2008-10-01 20:07 . 2008-10-03 22:57 <DIR> d-------- C:\Documents and Settings\Mike\Shared
2008-10-01 20:06 . 2008-10-03 23:25 <DIR> d-------- C:\Program Files\LimeWire
2008-10-01 20:06 . 2008-10-03 23:25 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\LimeWire
2008-09-29 23:41 . 2008-10-08 18:55 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-09-29 22:05 . 2008-09-29 22:05 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Nero
2008-09-29 22:03 . 2008-09-29 22:03 <DIR> d-------- C:\Program Files\Nero
2008-09-29 22:03 . 2008-10-03 23:26 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-09-29 22:03 . 2008-10-03 23:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-09-28 18:06 . 2008-09-28 18:06 87,800 --a------ C:\WINDOWS\WinVerCheck.exe
2008-09-25 19:51 . 2008-09-25 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-09-25 09:43 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-09-25 09:43 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-09-24 23:38 . 2008-09-24 23:38 <DIR> d-------- C:\Program Files\Common Files\Control Panels
2008-09-24 23:35 . 2008-09-24 23:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ALM
2008-09-24 23:10 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-09-24 23:10 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-09-24 23:02 . 2008-09-24 23:02 <DIR> d-------- C:\Program Files\Bonjour
2008-09-24 22:57 . 2008-09-24 22:57 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-09-24 22:54 . 2008-09-24 23:42 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-09-24 22:52 . 2008-09-24 22:52 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\DAEMON Tools Pro
2008-09-24 22:51 . 2008-09-24 22:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-09-24 22:50 . 2008-09-24 22:54 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2008-09-24 19:34 . 2008-09-24 19:34 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-09-24 19:32 . 2008-10-08 01:48 <DIR> d-------- C:\QUARANTINE
2008-09-24 17:40 . 2008-09-24 17:40 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-24 17:32 . 2008-09-24 17:32 <DIR> d-------- C:\Program Files\APC
2008-09-24 17:32 . 2004-08-10 15:35 4,142,592 --a------ C:\WINDOWS\system32\qtintf.dll
2008-09-24 17:21 . 2008-04-13 14:36 10,240 --a------ C:\WINDOWS\system32\drivers\compbatt.sys
2008-09-24 17:21 . 2008-04-13 14:36 10,240 --a--c--- C:\WINDOWS\system32\dllcache\compbatt.sys
2008-09-24 17:20 . 2008-04-13 14:36 20,352 --a------ C:\WINDOWS\system32\drivers\hidbatt.sys
2008-09-24 17:20 . 2008-04-13 14:36 20,352 --a--c--- C:\WINDOWS\system32\dllcache\hidbatt.sys
2008-09-24 17:20 . 2008-04-13 14:36 14,208 --a------ C:\WINDOWS\system32\drivers\battc.sys
2008-09-24 17:20 . 2008-04-13 14:36 14,208 --a--c--- C:\WINDOWS\system32\dllcache\battc.sys
2008-09-24 16:54 . 2008-04-13 20:12 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-09-24 16:14 . 2003-01-20 09:46 140,288 --a------ C:\WINDOWS\system32\drivers\e100b325.sys
2008-09-24 16:14 . 2003-01-20 09:46 140,288 --a--c--- C:\WINDOWS\system32\dllcache\e100b325.sys
2008-09-24 16:14 . 2001-06-22 10:25 53,248 --a------ C:\WINDOWS\system32\Prounstl.exe
2008-09-24 16:14 . 2001-07-20 06:40 23,040 --a------ C:\WINDOWS\system32\IntelNic.dll
2008-09-24 16:14 . 2001-06-29 17:53 2,983 --a------ C:\WINDOWS\system32\net82557.din
2008-09-24 16:10 . 2008-09-24 16:10 <DIR> d-------- C:\WINDOWS\Sun
2008-09-24 16:09 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-24 16:08 . 2008-09-24 16:09 <DIR> d-------- C:\Program Files\Java
2008-09-24 16:08 . 2008-09-24 16:08 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-24 16:01 . 2008-09-24 16:01 <DIR> d-------- C:\Program Files\uTorrent
2008-09-24 16:01 . 2008-10-08 20:43 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\uTorrent
2008-09-24 15:57 . 2008-10-01 17:58 <DIR> d-------- C:\Documents and Settings\Mike\Contacts
2008-09-24 15:52 . 2008-10-04 23:04 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-09-24 15:49 . 2008-09-24 15:52 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-09-24 15:48 . 2008-10-03 23:19 <DIR> d-------- C:\Program Files\Windows Live
2008-09-24 15:48 . 2008-09-24 15:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-09-24 15:36 . 2008-09-24 15:36 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-09-24 15:36 . 2008-09-24 15:36 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-09-24 15:26 . 2008-10-08 20:43 31,532 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-00000008-00001102-00000004-10031102}.rfx
2008-09-24 15:26 . 2008-10-08 20:43 31,532 --a------ C:\WINDOWS\system32\BMXState-{00000002-00000000-00000008-00001102-00000004-10031102}.rfx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-24 17:58 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-19 02:10 94,920 ----a-w C:\windows\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\windows\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\windows\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\windows\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\windows\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\windows\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\windows\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\windows\system32\wuaueng.dll
2008-07-19 02:07 210,976 ----a-w C:\windows\system32\muweb.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="C:\Documents and Settings\Mike\Application Data\mjusbsp\cdloader2.exe" [2008-08-22 50520]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"Google Update"="C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-25 133104]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"Gool"="C:\Documents and Settings\Mike\Application Data\Gool\Gool.exe" [2008-10-03 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-09-11 53248]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-10-16 111952]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-04-28 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe" [2006-02-14 507904]
"CTHelper"="CTHELPER.EXE" [2002-09-03 C:\WINDOWS\system32\CTHELPER.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2008-09-24 221247]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Documents and Settings\\Mike\\Application Data\\mjusbsp\\magicJack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\windows\system32\DRIVERS\A3AB.sys [2003-10-22 344800]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-10-08 C:\windows\Tasks\GoogleUpdateTaskUser.job
- C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-25 21:39]

2008-10-09 C:\windows\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{62CC302E-8074-4416-BADC-C2306E39538C} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\md0jsybj.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://canada.aol.com/netscape/
FF -: plugin - C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\browser\nppdf32.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-08 21:16:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-08 21:17:53
ComboFix-quarantined-files.txt 2008-10-09 01:17:39

Pre-Run: 67,951,828,992 bytes free
Post-Run: 68,031,467,520 bytes free

231 --- E O F --- 2008-09-30 22:59:32
Old 10-08-2008, 08:47 PM   #6 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3


Re: IE POP UPS still

Hi,

Please download the Visual Basic 6.0 runtime files. They contain the missing file. You should be able to run HijackThis next time.

===============================

I see references to LimeWire and uTorrent in your logs. I would like to warn you that the nature of P2P file sharing is such that even if one is using a "clean" program, many of the files downloaded from non-documented sources have the potential of being infected, because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. Also, by default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple: file sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft.
I recommend very strongly that you remove them from your system via Add/Remove Programs in Control Panel.

Once they are removed, you can delete their folders using Windows Explorer (right-click on Start, click on Explore) to locate them:

C:\Program Files\LimeWire
C:\Documents and Settings\Mike\Application Data\LimeWire
C:\Program Files\uTorrent

===============================

Quote:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
We need to install the Windows Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode, if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

Download the file from the following Microsoft page:

http://www.microsoft.com/downloads/d...displaylang=en

Although this file is for SP2 and you have SP3 installed, you don't need to worry as it will work on both.

Save it as it is originally named to your Desktop.

Now close all open windows and programs, including all antivirus and antispyware programs. Get help here



Then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Recovery Console.

As part of installing the Recovery Console, ComboFix will begin to run. Your desktop may disappear. This is normal. It will return.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:



Please continue as follows:
  • Close/disable all antivirus and antispyware programs so they do not interfere with the running of ComboFix. Get help here
  • Please click No to exit Combofix.

=============================
  • Open Notepad (Start > All Programs > Accessories > Notepad). (It must be Notepad, not WordPad, or it won't work.)
  • Copy the entire contents of the Code box below to Notepad.
  • Name the file CFScript.txt
  • Change the Save as Type to All Files
  • Save it on the desktop
  • Click Format and ensure Word Wrap is unchecked.

Code:
KILLALL::

File::
C:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-00000008-00001102-00000004-10031102}.rfx
C:\WINDOWS\system32\BMXState-{00000002-00000000-00000008-00001102-00000004-10031102}.rfx

Folder::
C:\Documents and Settings\Mike\Application Data\Gool
C:\Documents and Settings\Mike\awc_ontcuple
C:\Documents and Settings\Mike\Application Data\LimeWire
C:\Documents and Settings\Mike\Application Data\uTorrent


Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gool"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=-
Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


================================

Go to Start > Run and copy/paste the following into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.

==============================

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

==============================

Please post back the ComboFix.txt, the Kaspersky report, the Add-Remove Programs.txt and a fresh HijackThis log in your next reply.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006

Last edited by amateur; 10-08-2008 at 09:06 PM.
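As an added example (not part of this thread, and not ComboFix's own code), the following Python script applies the same check the helper made by eye on the "Reg Loading Points" section of the ComboFix log above: it parses the Run entries and flags those whose executable lives in a user-writable profile folder, or whose file date is within a few days of the scan. The sample lines are excerpted from the ComboFix log posted in this thread; the scan date and the 7-day window are assumptions.

```python
"""Triage the Run entries in ComboFix's 'Reg Loading Points' section.

Added example, not part of the thread or of ComboFix. It ranks autostart
entries for a closer look; it does not decide what is malware. The sample
text is excerpted from the ComboFix log posted in this thread.
"""
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Excerpt of the ComboFix log above (the CTHelper line shows the second
# format ComboFix uses when the value is a bare file name).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="C:\Documents and Settings\Mike\Application Data\mjusbsp\cdloader2.exe" [2008-08-22 50520]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Google Update"="C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-25 133104]
"Gool"="C:\Documents and Settings\Mike\Application Data\Gool\Gool.exe" [2008-10-03 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-10-16 111952]
"CTHelper"="CTHELPER.EXE" [2002-09-03 C:\WINDOWS\system32\CTHELPER.EXE]
"""

# Assumed scan date: the day the log in this thread was produced.
SCAN_DATE = date(2008, 10, 8)

KEY_RE = re.compile(r'^\[(HK[^\]]+)\]$')
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')

# Profile locations a standard XP user can write to. A Run entry pointing
# here is not proof of malware (magicJack's cdloader lives there too), but
# it is where droppers usually land, so it earns a closer look.
USER_WRITABLE = (
    re.compile(r'\\documents and settings\\[^\\]+\\(application data|local settings)\\', re.I),
    re.compile(r'\\docume~1\\', re.I),
    re.compile(r'\\temp\\', re.I),
)


@dataclass
class RunEntry:
    hive_key: str
    name: str
    path: str
    first_seen: Optional[date]
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def parse_run_entries(text: str) -> List[RunEntry]:
    """Collect the entries listed under any ...\\Run key in a ComboFix log."""
    entries: List[RunEntry] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        entry = ENTRY_RE.match(line)
        if not entry or not current_key.endswith("\\Run"):
            continue
        value, meta = entry.group("value"), entry.group("meta").split()
        first_seen = None
        if meta and re.fullmatch(r"\d{4}-\d{2}-\d{2}", meta[0]):
            first_seen = date.fromisoformat(meta[0])
        # Bare file name: ComboFix prints the path it resolved after the date.
        path = value
        if "\\" not in value and len(meta) > 1:
            path = " ".join(meta[1:])
        entries.append(RunEntry(current_key, entry.group("name"), path, first_seen))
    return entries


def triage(text: str, log_date: date, recent_days: int = 7) -> List[RunEntry]:
    """Attach review reasons to each entry and order by how many it collected."""
    entries = parse_run_entries(text)
    for e in entries:
        if any(p.search(e.path) for p in USER_WRITABLE):
            e.reasons.append("executable in user-writable profile location")
        if "\\" not in e.path:
            e.reasons.append("unqualified file name, resolved via search path")
        if e.first_seen and log_date - e.first_seen <= timedelta(days=recent_days):
            e.reasons.append(f"file dated within {recent_days} days of the scan")
    # sorted() is stable, so equal scores keep the log's order.
    return sorted(entries, key=lambda e: e.score, reverse=True)


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG, SCAN_DATE):
        flag = "REVIEW" if e.reasons else "ok    "
        print(f"{flag} {e.score} {e.name!r:18} {e.path}")
        for r in e.reasons:
            print(f"          - {r}")
```

Both legitimate entries (magicJack's cdloader, Google Update) and the Gool entry are flagged on location alone; the score only orders what to examine first, and the decision stays with the analyst.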
Old 10-09-2008, 08:13 PM   #7 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 6
OS: xp sp3


Re: IE POP UPS still

OK, here is ComboFix.txt, Add-Remove Programs.txt and the HJT log. I didn't delete LimeWire or uTorrent, and the RECOVERY CONSOLE could not install; the error that comes up is (boot partition cannot be enumerated correctly). As far as Kaspersky, it is at 7% after 8 hours; I have a lot of RAR files which seem to take forever to scan. Thanks again for your help, sorry it is taking so long.

ComboFix 08-10-08.05 - Mike 2008-10-09 13:18:42.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1639 [GMT -4:00]
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mike\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\BMXState-{00000002-00000000-00000008-00001102-00000004-10031102}.rfx
C:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-00000008-00001102-00000004-10031102}.rfx
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mike\Application Data\Gool
C:\Documents and Settings\Mike\Application Data\Gool\Gool.exe
C:\Documents and Settings\Mike\awc_ontcuple
C:\Documents and Settings\Mike\awc_ontcuple\allow.txt
C:\Documents and Settings\Mike\awc_ontcuple\ban.txt
C:\Documents and Settings\Mike\awc_ontcuple\favcam.txt
C:\Documents and Settings\Mike\awc_ontcuple\favchat.txt
C:\Documents and Settings\Mike\awc_ontcuple\language_4_EN.properties
C:\Documents and Settings\Mike\awc_ontcuple\log.txt
C:\Documents and Settings\Mike\awc_ontcuple\settings_en_US.properties
C:\Documents and Settings\Mike\awc_ontcuple\shortcuts.txt
C:\WINDOWS\system32\BMXState-{00000002-00000000-00000008-00001102-00000004-10031102}.rfx
C:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-00000008-00001102-00000004-10031102}.rfx

.
((((((((((((((((((((((((( Files Created from 2008-09-09 to 2008-10-09 )))))))))))))))))))))))))))))))
.

2008-10-08 19:07 . 2008-10-08 19:08 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\vlc
2008-10-08 19:04 . 2008-10-08 19:04 <DIR> d-------- C:\Program Files\VideoLAN
2008-10-08 18:47 . 2008-10-08 18:51 <DIR> d-------- C:\Program Files\SatelliteTVforPC
2008-10-08 18:46 . 2008-10-08 18:51 <DIR> d-------- C:\WINDOWS\uninstall
2008-10-08 17:27 . 2008-10-08 17:27 <DIR> d-------- C:\WINDOWS\Solcache
2008-10-08 17:27 . 1997-07-24 09:18 621,568 --a------ C:\WINDOWS\system32\SIERRANW.DLL
2008-10-08 17:27 . 1997-07-24 10:06 228,352 --a------ C:\WINDOWS\system32\SNWVALID.DLL
2008-10-08 17:27 . 1997-04-16 09:33 18,798 --a------ C:\WINDOWS\system32\SIGS.DIB
2008-10-08 17:27 . 1997-04-15 15:54 10,700 --a------ C:\WINDOWS\system32\SNWVALID.HLP
2008-10-08 17:22 . 2008-10-08 17:22 <DIR> d-------- C:\SIERRA
2008-10-08 17:22 . 2008-10-08 17:45 <DIR> d-------- C:\Program Files\Sierra On-Line
2008-10-08 17:21 . 2008-10-08 17:21 <DIR> d-------- C:\Documents and Settings\Mike\WINDOWS
2008-10-08 17:21 . 1997-07-14 17:42 314,880 --a------ C:\WINDOWS\IsUninst.exe
2008-10-08 17:21 . 2008-10-08 17:45 710 --a------ C:\WINDOWS\SIERRA.INI
2008-10-08 16:52 . 2008-10-08 16:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-06 20:14 . 2008-10-06 20:16 18,073 --a------ C:\WINDOWS\CSTBox.INI
2008-10-06 20:11 . 2008-10-06 20:16 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Canon
2008-10-05 20:14 . 2008-10-05 20:15 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-10-05 20:14 . 2008-10-05 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-05 20:14 . 2005-08-25 19:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-10-05 11:49 . 2008-10-05 11:49 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-10-05 11:47 . 2008-10-05 11:47 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-05 11:41 . 2008-10-08 21:00 <DIR> d-------- C:\SDFix
2008-10-05 02:20 . 2008-04-13 14:45 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-10-05 02:20 . 2008-04-13 14:45 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-10-05 02:05 . 2008-10-05 02:06 <DIR> d--h----- C:\CanoScan
2008-10-05 02:05 . 2002-05-24 03:04 389,180 --a------ C:\WINDOWS\system32\UCS32P.DLL
2008-10-05 02:05 . 2003-09-17 17:35 339,968 --a------ C:\WINDOWS\system32\N067UFW.DLL
2008-10-05 02:05 . 2002-09-12 01:07 36,864 --a------ C:\WINDOWS\system32\CNQU70.DLL
2008-10-04 23:09 . 2008-10-04 23:09 <DIR> d--h----- C:\Program Files\Zenographics
2008-10-04 23:09 . 2005-05-31 17:46 282,624 -ra------ C:\WINDOWS\system32\zshp2600.exe
2008-10-04 23:09 . 2005-05-31 17:46 155,648 -ra------ C:\WINDOWS\system32\HP2600IR.dll
2008-10-04 23:09 . 2005-05-31 17:46 114,688 -ra------ C:\WINDOWS\system32\vshp2600.dll
2008-10-04 23:09 . 2005-05-31 17:46 86,016 -ra------ C:\WINDOWS\system32\ZSPOOL.DLL
2008-10-04 23:09 . 2005-05-31 17:46 86,016 -ra------ C:\WINDOWS\system32\zlhp2600.dll
2008-10-04 23:09 . 2005-05-31 17:46 28,672 -ra------ C:\WINDOWS\system32\zlm.dll
2008-10-04 23:09 . 2005-05-31 17:46 24,576 -ra------ C:\WINDOWS\system32\ZTAG32.DLL
2008-10-04 23:09 . 2005-05-31 17:46 7,294 -ra------ C:\WINDOWS\system32\ZSHP2600.HLP
2008-10-04 23:08 . 2008-10-04 23:09 628 --a------ C:\WINDOWS\hpntwksetup.ini
2008-10-04 23:04 . 2008-10-04 23:09 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-10-04 22:22 . 2008-10-04 22:22 <DIR> d-------- C:\Program Files\Canon
2008-10-04 18:15 . 2008-10-04 19:04 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-04 18:15 . 2008-10-04 18:15 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-10-04 18:15 . 2008-10-04 18:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-04 18:15 . 2008-09-10 00:08 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-04 18:15 . 2008-09-10 00:08 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-03 23:31 . 2008-10-03 23:31 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-10-03 23:31 . 2008-10-03 23:31 <DIR> d-------- C:\Documents and Settings\Mike\Incomplete
2008-10-03 20:24 . 2008-10-03 23:22 <DIR> d-------- C:\Program Files\Windows Defender
2008-10-02 21:22 . 2008-10-02 21:22 <DIR> d-------- C:\Program Files\GameHouse
2008-10-02 12:16 . 2008-10-02 12:16 <DIR> d-------- C:\WINDOWS\Samsung
2008-10-02 12:16 . 2006-03-24 01:18 454,656 --a------ C:\WINDOWS\ssndii.exe
2008-10-02 12:16 . 2003-04-18 16:29 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-10-02 12:16 . 2000-08-04 01:52 21,776 --a------ C:\WINDOWS\system32\msxml2a.dll
2008-10-02 12:15 . 2008-10-02 12:15 <DIR> d-------- C:\WINDOWS\system32\drivers\Samsung
2008-10-02 12:15 . 2008-10-03 23:23 <DIR> d-------- C:\WINDOWS\ML-2510_GDI
2008-10-02 12:15 . 2008-10-02 12:15 <DIR> d-------- C:\Program Files\Samsung
2008-10-02 12:15 . 2005-03-03 13:32 151,552 --a------ C:\WINDOWS\system32\SUGO3CI.exe
2008-10-02 12:15 . 2005-03-03 19:09 57,344 --a------ C:\WINDOWS\system32\SUGO3CI.dll
2008-10-02 12:15 . 2004-08-11 15:39 41,984 --------- C:\WINDOWS\system32\drivers\DGIVECP.SYS
2008-10-02 12:15 . 2008-04-13 14:47 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-10-02 12:15 . 2008-04-13 14:47 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-10-02 12:15 . 2006-01-02 15:42 22,663 --a------ C:\WINDOWS\system32\sugo3LMK.DLL
2008-10-02 12:15 . 2005-07-09 05:54 11,502 --------- C:\WINDOWS\Dr. Printer Icon.ico
2008-10-02 12:15 . 2005-12-13 16:03 555 --a------ C:\WINDOWS\system32\sugo3LMK.SMT
2008-10-01 23:47 . 2008-10-03 23:23 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\DivX
2008-10-01 23:46 . 2008-10-03 23:23 <DIR> d-------- C:\Program Files\DivX
2008-10-01 21:40 . 2008-10-01 21:40 <DIR> d-------- C:\Program Files\HalloweenPack
2008-10-01 20:20 . 2008-10-01 20:20 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Thinstall
2008-10-01 20:07 . 2008-10-03 22:57 <DIR> d-------- C:\Documents and Settings\Mike\Shared
2008-10-01 20:06 . 2008-10-03 23:25 <DIR> d-------- C:\Program Files\LimeWire
2008-10-01 20:06 . 2008-10-03 23:25 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\LimeWire
2008-09-29 23:41 . 2008-10-08 18:55 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-09-29 22:05 . 2008-09-29 22:05 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Nero
2008-09-29 22:03 . 2008-09-29 22:03 <DIR> d-------- C:\Program Files\Nero
2008-09-29 22:03 . 2008-10-03 23:26 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-09-29 22:03 . 2008-10-03 23:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-09-28 18:06 . 2008-09-28 18:06 87,800 --a------ C:\WINDOWS\WinVerCheck.exe
2008-09-25 19:51 . 2008-09-25 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-09-25 09:43 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-09-25 09:43 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-09-24 23:38 . 2008-09-24 23:38 <DIR> d-------- C:\Program Files\Common Files\Control Panels
2008-09-24 23:35 . 2008-09-24 23:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ALM
2008-09-24 23:10 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-09-24 23:10 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-09-24 23:02 . 2008-09-24 23:02 <DIR> d-------- C:\Program Files\Bonjour
2008-09-24 22:57 . 2008-09-24 22:57 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-09-24 22:54 . 2008-09-24 23:42 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-09-24 22:52 . 2008-09-24 22:52 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\DAEMON Tools Pro
2008-09-24 22:51 . 2008-09-24 22:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-09-24 22:50 . 2008-09-24 22:54 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2008-09-24 19:34 . 2008-09-24 19:34 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-09-24 19:32 . 2008-10-09 12:59 <DIR> d-------- C:\QUARANTINE
2008-09-24 17:40 . 2008-09-24 17:40 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-24 17:32 . 2008-09-24 17:32 <DIR> d-------- C:\Program Files\APC
2008-09-24 17:32 . 2004-08-10 15:35 4,142,592 --a------ C:\WINDOWS\system32\qtintf.dll
2008-09-24 17:21 . 2008-04-13 14:36 10,240 --a------ C:\WINDOWS\system32\drivers\compbatt.sys
2008-09-24 17:21 . 2008-04-13 14:36 10,240 --a--c--- C:\WINDOWS\system32\dllcache\compbatt.sys
2008-09-24 17:20 . 2008-04-13 14:36 20,352 --a------ C:\WINDOWS\system32\drivers\hidbatt.sys
2008-09-24 17:20 . 2008-04-13 14:36 20,352 --a--c--- C:\WINDOWS\system32\dllcache\hidbatt.sys
2008-09-24 17:20 . 2008-04-13 14:36 14,208 --a------ C:\WINDOWS\system32\drivers\battc.sys
2008-09-24 17:20 . 2008-04-13 14:36 14,208 --a--c--- C:\WINDOWS\system32\dllcache\battc.sys
2008-09-24 16:54 . 2008-04-13 20:12 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-09-24 16:14 . 2003-01-20 09:46 140,288 --a------ C:\WINDOWS\system32\drivers\e100b325.sys
2008-09-24 16:14 . 2003-01-20 09:46 140,288 --a--c--- C:\WINDOWS\system32\dllcache\e100b325.sys
2008-09-24 16:14 . 2001-06-22 10:25 53,248 --a------ C:\WINDOWS\system32\Prounstl.exe
2008-09-24 16:14 . 2001-07-20 06:40 23,040 --a------ C:\WINDOWS\system32\IntelNic.dll
2008-09-24 16:14 . 2001-06-29 17:53 2,983 --a------ C:\WINDOWS\system32\net82557.din
2008-09-24 16:10 . 2008-09-24 16:10 <DIR> d-------- C:\WINDOWS\Sun
2008-09-24 16:09 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-24 16:08 . 2008-09-24 16:09 <DIR> d-------- C:\Program Files\Java
2008-09-24 16:08 . 2008-09-24 16:08 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-24 16:01 . 2008-09-24 16:01 <DIR> d-------- C:\Program Files\uTorrent
2008-09-24 16:01 . 2008-10-08 20:43 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\uTorrent
2008-09-24 15:57 . 2008-10-01 17:58 <DIR> d-------- C:\Documents and Settings\Mike\Contacts
2008-09-24 15:52 . 2008-10-04 23:04 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-09-24 15:49 . 2008-09-24 15:52 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-09-24 15:48 . 2008-10-03 23:19 <DIR> d-------- C:\Program Files\Windows Live
2008-09-24 15:48 . 2008-09-24 15:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-09-24 15:36 . 2008-09-24 15:36 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-09-24 15:36 . 2008-09-24 15:36 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-09-24 15:26 . 2008-10-09 13:20 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-09-24 15:26 . 2008-10-09 13:20 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2008-09-24 15:26 . 2008-10-09 13:20 288 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-00000008-00001102-00000004-10031102}.dat
2008-09-24 15:26 . 2008-10-09 13:20 288 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-00000008-00001102-00000004-10031102}.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-24 17:58 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-19 02:10 94,920 ----a-w C:\windows\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\windows\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\windows\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\windows\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\windows\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\windows\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\windows\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\windows\system32\wuaueng.dll
2008-07-19 02:07 210,976 ----a-w C:\windows\system32\muweb.dll
.

((((((((((((((((((((((((((((( snapshot@2008-10-08_21.17.18.95 )))))))))))))))))))))))))))))))))))))))))
.
+ 1998-06-24 17:43:54 1,409,024 ----a-w C:\windows\system32\MSVBVM60.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="C:\Documents and Settings\Mike\Application Data\mjusbsp\cdloader2.exe" [2008-08-22 50520]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"Google Update"="C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-25 133104]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-09-11 53248]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-10-16 111952]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-04-28 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe" [2006-02-14 507904]
"CTHelper"="CTHELPER.EXE" [2002-09-03 C:\WINDOWS\system32\CTHELPER.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2008-09-24 221247]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Documents and Settings\\Mike\\Application Data\\mjusbsp\\magicJack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\windows\system32\DRIVERS\A3AB.sys [2003-10-22 344800]
.
Contents of the 'Scheduled Tasks' folder

2008-10-09 C:\windows\Tasks\GoogleUpdateTaskUser.job
- C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-25 21:39]

2008-10-09 C:\windows\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-09 13:22:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Documents and Settings\Mike\Application Data\mjusbsp\st00000\mjsetup.exe
C:\Documents and Settings\Mike\Application Data\mjusbsp\magicJack.exe
.
**************************************************************************
.
Completion time: 2008-10-09 13:27:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-09 17:27:02
ComboFix2.txt 2008-10-09 17:05:52
ComboFix3.txt 2008-10-09 01:17:54

Pre-Run: 68,064,317,440 bytes free
Post-Run: 67,984,941,056 bytes free

256 --- E O F --- 2008-09-30 22:59:32


µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Add or Remove Adobe Creative Suite 3 Master Collection --> C:\Program Files\Common Files\Adobe\Installers\4dcfd9b7e901b57f81f667144603236\Setup.exe
Adobe After Effects CS3 --> MsiExec.exe /I{EB0202F7-016A-410C-ADE4-40F848CCC661}
Adobe After Effects CS3 Presets --> MsiExec.exe /I{193EAFD0-1BAF-4FB4-B18F-79D5D6A4B285}
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe BridgeTalk Plugin CS3 --> MsiExec.exe /I{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Contribute CS3 --> MsiExec.exe /I{FC9E08AA-CD59-4C59-BEF9-87E05B9E37D7}
Adobe Creative Suite 3 Master Collection --> MsiExec.exe /I{8718DC03-D066-4957-94E5-50C3C5042E8E}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe Dreamweaver CS3 --> MsiExec.exe /I{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}
Adobe Encore CS3 --> MsiExec.exe /I{54B2EAD9-A110-43F7-B010-2859A1BD2AFE}
Adobe Encore CS3 Codecs --> MsiExec.exe /I{B8B7A4D8-80E1-4DAE-BD33-7FD535BA3931}
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Extension Manager CS3 --> MsiExec.exe /I{BE5F3842-8309-4754-92D5-83E02E6077A3}
Adobe Fireworks CS3 --> MsiExec.exe /I{7DFC1012-D346-46CE-B03E-FF79125AE029}
Adobe Flash CS3 --> MsiExec.exe /I{6B52140A-F189-4945-BFFC-DB3F00B8C589}
Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Video Encoder --> MsiExec.exe /I{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{7ACFB90E-8FD0-4397-AD3A-5195412623A3}
Adobe Illustrator CS3 --> MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A}
Adobe InDesign CS3 --> MsiExec.exe /I{CB3F8375-B600-4B9F-83C9-238ED1E583FD}
Adobe InDesign CS3 Icon Handler --> MsiExec.exe /I{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe MotionPicture Color Files --> MsiExec.exe /I{6B708481-748A-4EB4-97C1-CD386244FF77}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Premiere Pro CS3 --> MsiExec.exe /I{58DCEEE5-532E-44F4-B1D7-A146EF9E9FDA}
Adobe Premiere Pro CS3 Functional Content --> MsiExec.exe /I{50F102CA-4BE2-41A9-9810-5BB05EB91B9A}
Adobe Premiere Pro CS3 Third Party Content --> MsiExec.exe /I{485ACF57-F364-440A-8496-E1E81C8FA1AA}
Adobe Setup --> MsiExec.exe /I{4458C442-7376-4CF9-AF58-E8CEA6722363}
Adobe SING CS3 --> MsiExec.exe /I{B671CBFD-4109-4D35-9252-3062D3CCB7B2}
Adobe Soundbooth CS3 --> MsiExec.exe /I{A6B23EFA-6590-482C-A11F-5ACE1B91F5B9}
Adobe Soundbooth CS3 Codecs --> MsiExec.exe /I{0327FA9D-975C-448C-A086-577D57BB25B8}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe Version Cue CS3 Server --> MsiExec.exe /I{1D58229F-C505-45CA-8223-F35F3A34B963}
Adobe Video Profiles --> MsiExec.exe /I{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}
Adobe WAS CS3 --> MsiExec.exe /I{C5BD220A-EFE8-48A5-B70E-9503D535FACE}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP DVA Panels CS3 --> MsiExec.exe /I{0224CACC-994D-45F8-B973-D65056EA9C2F}
Adobe XMP Panels CS3 --> MsiExec.exe /I{D5A31AB1-345D-47C7-A87B-036A669F6DF1}
AHV content for Acrobat and Flash --> MsiExec.exe /I{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}
APC PowerChute Personal Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5A0C892E-FD1C-4203-941E-0956AED20A6A}\Setup.exe" -l0x9
Canon CanoScan Toolbox 4.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BCE46757-7674-4416-BEDB-68205A60409E}\Setup.exe" -l0x9 anything
Color LaserJet 2600n --> C:\Program Files\Zenographics\{6B342E7A-6F3E-4A7E-8C6F-72A5E225E475}\setup.exe -u "HPCLJKCInstaller.dll=CLJ2600.INF"
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Google Chrome --> "C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Chrome\Application\0.2.149.30\Installer\setup.exe" --uninstall
Google Gears --> MsiExec.exe /I{552171BC-30F8-3B29-9C4F-E3FE590B7CAC}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683) --> "C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287) --> "C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Intel(R) PRO Ethernet Adapter and Software --> Prounstl.exe
Intel(R) PROSet II --> MsiExec.exe /I{01A4AEDE-F219-49A2-B855-16A016EAF9A4}
Java(TM) 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Lords of the Realm2 --> C:\windows\IsUninst.exe -fC:\SIERRA\Lords2\Uninst.isu
Lords2 Siege Pack --> C:\windows\IsUninst.exe -fC:\SIERRA\Lords2\Uninst.isu
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee VirusScan Enterprise --> MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs --> "C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs --> "C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (3.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
Nero 8 --> MsiExec.exe /X{3C5F1B30-B10B-4579-86DD-D00F662E1033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Samsung ML-2510 Series --> C:\Program Files\Samsung\Samsung ML-2510 Series\Install\Setup.exe /R
Security Update for Windows Internet Explorer 7 (KB938127-v2) --> "C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838) --> "C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782) --> "C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154) --> "C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789) --> C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464) --> "C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569) --> "C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648) --> "C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762) --> "C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974) --> "C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066) --> "C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2) --> "C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698) --> "C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748) --> "C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954) --> "C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839) --> "C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Sound Blaster Audigy 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E82BF103-904F-49C0-B77F-6EC110B71E87}\SETUP.EXE" -l0x9
SpywareBlaster 4.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Super Mah Jong from GameHouse --> C:\PROGRA~1\GAMEHO~1\Mahjong\UNWISE.EXE /U C:\PROGRA~1\GAMEHO~1\Mahjong\INSTALL.LOG
Update for Windows XP (KB951072-v2) --> "C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978) --> "C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
VLC media player 0.9.4 --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Genuine Advantage Validation Tool (KB892130) -->
Windows Internet Explorer 7 --> "C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Media Format 11 runtime --> "C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11 --> "C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11 --> "C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:44 PM, on 10/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\windows\system32\svchost.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Documents and Settings\Mike\Application Data\mjusbsp\magicJack.exe
C:\windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\system32\wscntfy.exe
C:\Documents and Settings\Mike\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Mike\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)

--
End of file - 8514 bytes
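As an added example (not from the thread, and not HijackThis code), a small Python triage pass over constructed lines modelled on the log above: it pulls the referenced file out of each O2/O4/O23 entry and flags what an analyst checks first, entries whose file no longer exists (the "(no file)" BHO and the "(file missing)" services) and Run entries that name a bare executable found only by PATH search. The two heuristics are assumptions of this example, not HijackThis rules.

```python
import re

# Constructed sample, modelled on the HijackThis lines in the post above.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")


def executable(command):
    """Return the program part of an O4 command line, honouring quotes."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0]


def parse_line(line):
    """Split one HJT entry into (section, referenced file or command)."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    if section == "O4":
        # "HKLM\..\Run: [name] command" -> the command after the bracket
        return section, rest.split("] ", 1)[1].strip() if "] " in rest else rest
    # O2/O3/O9/O23 all end in " - <path>"; the path is the last dash-separated part
    return section, rest.split(" - ")[-1].strip()


def triage(log_text):
    """Return (section, target, reason) for entries worth a closer look (assumed heuristics)."""
    findings = []
    for line in log_text.strip().splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        section, target = parsed
        if section == "O4":
            target = executable(target)
        if target == "(no file)" or target.endswith("(file missing)"):
            findings.append((section, target, "orphaned: referenced file is absent"))
        elif section == "O4" and "\\" not in target:
            findings.append((section, target, "bare filename: located by PATH search, verify where it lives"))
    return findings
```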
Old 10-09-2008, 09:01 PM   #8 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3


Re: IE POP UPS still

Hi,

I'll wait for the Kaspersky results.

Quote:
I didn't delete LimeWire or uTorrent
A few years back, p2p file sharing was fairly safe. That's no longer true. Malware writers are increasingly and aggressively exploiting them to spread their wares. There's a significant increase in the number of people infected via the use of P2P programs.
Many forums are now taking a stronger stance against the presence of p2p file sharing programs in the logs, refusing help altogether if P2P programs are installed. We don't do that yet, but in future we may.

I would strongly recommend that you reconsider removing them.

Some related links:

Comparison of Unwanted Software Installed by P2P Programs
Trojan Infects More Than 500,000 PCs

Update: Seattle man arrested for p-to-p ID theft

Identity Thieves Lurk in P-to-P Networks

Risks of File-Sharing Technology

Woman Fined $222,000 for Music Sharing

Malware: Help prevent the Infection

IM And P2P Malware Threats Nearly Triple

Cyber-criminals Use P2P Tools for Identity Theft, Security Analyst Warns

How to Prevent the Online Invasion of Spyware and Adware
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
Old 10-10-2008, 07:31 AM   #9 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 6
OS: xp sp3


Re: IE POP UPS still

So here it is. It found nothing, but I haven't seen a pop-up in about a day, so hopefully everything is good. Thanks for your help. Is there anything else you need me to do? Thanks again, Mike
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, October 10, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, October 09, 2008 18:02:59
Records in database: 1301411
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 309761
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 19:36:59

No malware has been detected. The scan area is clean.

The selected area was scanned.
Old 10-10-2008, 07:36 AM   #10 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3


Re: IE POP UPS still

Hi,

If you have no further malware issues, you're all set to go. The logs are clean.
  • Click Start then Run
  • Now type Combofix /u in the run box and click OK. Notice the space between the Combofix and the /

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.

Please respond to this thread one more time so we can mark this thread as resolved.

Happy Surfing and Think Prevention!
Old 10-10-2008, 07:50 AM   #11 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 6
OS: xp sp3


Re: IE POP UPS still

Thanks, it's all done.
Old 10-10-2008, 07:54 AM   #12 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3


Re: IE POP UPS still

You're welcome. We are glad to have helped. Stay safe!
Copyright 2001 - 2009, Tech Support Forum