Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads (resolved spyware and popup issues)

#1 - 12-06-2008, 08:29 PM - woody413 (Registered User; Join Date: Dec 2008; Posts: 4; OS: xp sp3)

Automatic updates disabled, popups, slow running system

My problems are Automatic Updates disabled, popups, and a slow-running system. Please help! Thanks!


DDS (Version 1.0) - NTFSx86
Run by Tim at 21:45:21.60 on Sat 12/06/2008
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.154 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\flexnet\i486_nt\obj\ptc_d.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Documents and Settings\Tim\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.meadvilletribune.com/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: {053F9267-DC04-4294-A72C-58F732D338C0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: {73259091-9574-4ED8-A40F-7F65AFC28634} -
BHO: {7ae5e186-b754-4f99-a53d-dacf47a13702} - c:\windows\system32\ezpttu.dll
BHO: {B566723F-7A2F-4CC8-A70C-4AEE3E7A20A3} - c:\windows\system32\ssqNEUoO.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [Trend Micro AntiVirus 2007] c:\program files\trend micro\antivirus 2007\tavui.exe -1 --delay 15
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [srmclean] c:\cpqs\scom\srmclean.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Motive SmartBridge] c:\progra~1\alltel~1\smartb~1\MotiveSB.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [DACSMiniApp] c:\program files\fisher-price\dacs\miniapp\DACSMiniApp.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [44dcf141] rundll32.exe "c:\windows\system32\xxmohqge.dll",b
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart16.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\windst~1.lnk - c:\program files\alltel dsl check-up center\bin\matcli.exe
IE: Add to AMV Converter... - c:\program files\mp3 player utilities 4.18\amvconverter\grab.html
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: ljJYSkJA -
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {73259091-9574-4ED8-A40F-7F65AFC28634} -
LSA: Authentication Packages = msv1_0 c:\windows\system32\ssqNEUoO

============= SERVICES / DRIVERS ===============

R2 tmevtmgr;tmevtmgr;\??\c:\windows\system32\drivers\tmevtmgr.sys [2008-11-19 49680]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-7-30 36368]
R2 TmProxy;Trend Micro Proxy Service;"c:\program files\trend micro\internet security\TmProxy.exe" [2008-11-19 677128]
R3 EMCR;EMCR;c:\windows\system32\drivers\EMCR7SK.sys [2007-8-20 68480]

=============== Created Last 30 ================

2008-12-06 19:37 1,479,822 ---sh--- c:\windows\system32\egqhomxx.ini
2008-12-06 19:37 72,704 a------- c:\windows\system32\xxmohqge.dll
2008-12-06 19:34 129,024 a------- c:\windows\system32\idblbm.dll
2008-12-06 19:34 129,024 a------- c:\windows\system32\yybqkeji.dll
2008-12-06 18:44 747,873 a------- c:\program files\gmer.zip
2008-12-06 08:00 129,024 a------- c:\windows\system32\gyysaw.dll
2008-12-06 08:00 129,024 a------- c:\windows\system32\bmdfoeib.dll
2008-12-06 07:57 1,481,727 ---sh--- c:\windows\system32\eeiqmutf.ini
2008-12-06 07:57 72,704 a------- c:\windows\system32\ftumqiee.dll
2008-12-05 07:58 129,024 a------- c:\windows\system32\hmrsxk.dll
2008-12-05 07:58 129,024 a------- c:\windows\system32\gbmqwcpl.dll
2008-12-05 07:58 1,481,727 ---sh--- c:\windows\system32\nqpjsnsr.ini
2008-12-04 21:13 <DIR> --d----- c:\program files\backups
2008-12-04 08:01 120 ---sh--- c:\windows\system32\icypkkgv.ini
2008-12-04 07:57 129,024 a------- c:\windows\system32\oezrax.dll
2008-12-04 07:57 129,024 a------- c:\windows\system32\jhdblkqm.dll
2008-12-03 07:56 1,481,727 ---sh--- c:\windows\system32\cdwnpkbm.ini
2008-12-03 07:55 129,024 a------- c:\windows\system32\ezpttu.dll
2008-12-03 07:55 129,024 a------- c:\windows\system32\rqosbdla.dll
2008-12-02 15:00 1,404,399 ---sh--- c:\windows\system32\kjtphjeg.ini
2008-12-02 11:48 1,404,391 ---sh--- c:\windows\system32\cyqtaffj.ini
2008-12-01 11:46 1,374,414 ---sh--- c:\windows\system32\xaqiaaje.ini
2008-11-30 10:40 1,342,962 ---sh--- c:\windows\system32\dtgtufpb.ini
2008-11-29 10:26 1,342,962 ---sh--- c:\windows\system32\dcvwrwag.ini
2008-11-28 21:52 101,823 a------- c:\program files\autorunsc.zip
2008-11-28 21:41 <DIR> --d----- c:\program files\log
2008-11-28 21:41 981,274 a------- c:\program files\RootkitBuster2.2.1014.zip
2008-11-27 10:21 143 a------- c:\windows\system32\mcrh.tmp
2008-11-26 22:07 1,648,820 ---sh--- c:\windows\system32\ojfsmcof.ini
2008-11-25 19:44 1,648,820 ---sh--- c:\windows\system32\qkeknobn.ini
2008-11-24 19:56 318,369 a------- c:\program files\HiJackThis.zip
2008-11-24 19:42 1,648,820 ---sh--- c:\windows\system32\uvfiymxt.ini
2008-11-23 11:46 <DIR> --d----- c:\windows\pss
2008-11-23 11:16 1,643,227 ---sh--- c:\windows\system32\siyxuydu.ini
2008-11-23 11:13 129,024 a------- c:\windows\system32\huweut.dll
2008-11-22 21:15 <DIR> --d----- C:\sysclean
2008-11-21 07:28 <DIR> --d----- c:\windows\system32\Service
2008-11-20 08:03 1,643,227 ---sh--- c:\windows\system32\dvkbevku.ini
2008-11-20 01:20 16,384 a------- c:\windows\DCEBoot.exe
2008-11-19 21:18 144,912 a------- c:\windows\system32\drivers\tmcomm.sys
2008-11-19 21:18 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2008-11-19 21:18 49,680 a------- c:\windows\system32\drivers\tmevtmgr.sys
2008-11-19 21:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trend Micro
2008-11-19 21:07 <DIR> --d----- c:\program files\Trend Micro(TM) AntiVirus
2008-11-19 19:52 75,025,296 a------- c:\program files\TrendMicro_Installer_TAV17x32.exe
2008-11-19 08:13 23,804,784 a------- c:\program files\aaw2008.exe
2008-11-18 21:31 869,683 a--sh--- c:\windows\system32\OoUENqss.ini2
2008-11-18 21:31 869,683 a--sh--- c:\windows\system32\OoUENqss.ini
2008-11-18 21:31 313,856 a------- c:\windows\system32\ssqNEUoO.dll
2008-11-16 09:57 <DIR> --d----- c:\windows\system32\scripting
2008-11-16 09:57 <DIR> --d----- c:\windows\l2schemas
2008-11-16 09:57 <DIR> --d----- c:\windows\system32\en
2008-11-12 00:01 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys

==================== Find3M ====================

2008-12-04 21:14 7,321 a------- c:\program files\hijackthis.log
2008-11-24 21:20 8,369 a------- c:\program files\startuplist.txt
2008-11-16 10:00 82,763 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-24 06:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 07:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 20:14 1,307,648 a------- c:\windows\system32\msxml6.dll
2008-03-03 08:01 1,206,366 a------- c:\program files\wrar371.exe
2007-08-23 12:33 9,479,520 a------- c:\program files\winzip111.exe
2007-06-28 14:36 401,720 a------- c:\program files\HijackThis.exe

============= FINISH: 21:47:04.50 ===============
Attached file: Attach.zip (3.4 KB)

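
Triage of the DDS log above, as an added example that is not part of the original post or of the DDS tool: a small Python script that scans the "Pseudo HJT Report" and "Created Last 30" lines for the persistence patterns this particular log exhibits (a BHO or SEH CLSID with no file behind it, a BHO DLL dropped directly into system32, a Run key named with eight hex digits that loads a DLL through rundll32, a Winlogon Notify package with no file, an extra LSA authentication package next to msv1_0, and hidden+system .ini files in system32), then correlates names hit by more than one rule. The rules and the rundll32 allowlist (KNOWN_RUNDLL32_MODULES) are the editor's assumptions; the embedded sample lines are copied from the log above.

```python
import re

# Sample lines copied from the DDS log above (plus one benign dllcache line) so
# the helper runs offline; in practice feed it the whole dds.txt.
SAMPLE_LOG = r"""
BHO: {053F9267-DC04-4294-A72C-58F732D338C0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: {73259091-9574-4ED8-A40F-7F65AFC28634} -
BHO: {7ae5e186-b754-4f99-a53d-dacf47a13702} - c:\windows\system32\ezpttu.dll
BHO: {B566723F-7A2F-4CC8-A70C-4AEE3E7A20A3} - c:\windows\system32\ssqNEUoO.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [44dcf141] rundll32.exe "c:\windows\system32\xxmohqge.dll",b
Notify: ljJYSkJA -
SEH: {73259091-9574-4ED8-A40F-7F65AFC28634} -
LSA: Authentication Packages = msv1_0 c:\windows\system32\ssqNEUoO
2008-12-06 19:37 1,479,822 ---sh--- c:\windows\system32\egqhomxx.ini
2008-12-06 19:37 72,704 a------- c:\windows\system32\xxmohqge.dll
2008-11-28 21:52 101,823 a------- c:\program files\autorunsc.zip
2008-11-12 00:01 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
"""

SYS32 = "c:\\windows\\system32\\"
# Assumed reviewer allowlist of modules legitimately started through rundll32
# (NvCpl.dll is NVIDIA's control panel); extend it for your own fleet.
KNOWN_RUNDLL32_MODULES = {"nvcpl.dll"}

BHO_RE = re.compile(r"^(BHO|SEH): \{([0-9A-Fa-f-]+)\} -\s*(.*)$")
RUN_RE = re.compile(r"^[um]Run: \[([^\]]+)\] (.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)
NOTIFY_RE = re.compile(r"^Notify: (\S+) -\s*(.*)$")
LSA_RE = re.compile(r"^LSA: Authentication Packages = (.*)$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:[\d,]+|<DIR>)\s+(\S{8})\s+(.*)$")
HEX_NAME = re.compile(r"[0-9a-f]{8}", re.I)


def directly_in_system32(path):
    """True for a file sitting directly in system32 (not in a subfolder)."""
    p = path.strip('"').lower()
    return p.startswith(SYS32) and "\\" not in p[len(SYS32):]


def triage(log_text):
    """Return (rule, detail) findings for the persistence patterns of interest."""
    findings = []
    for line in log_text.strip().splitlines():
        if m := BHO_RE.match(line):
            kind, clsid, path = m.groups()
            if not path:                                   # CLSID with no file: orphan
                findings.append((kind + "-orphan", clsid))
            elif directly_in_system32(path):               # real BHOs rarely live here
                findings.append((kind + "-system32", path))
        elif m := RUN_RE.match(line):
            name, cmd = m.groups()
            if HEX_NAME.fullmatch(name):                   # e.g. [44dcf141]
                findings.append(("run-hexname", name))
            d = RUNDLL_RE.search(cmd)
            if d and d.group(1).lower().rsplit("\\", 1)[-1] not in KNOWN_RUNDLL32_MODULES:
                findings.append(("run-rundll32", d.group(1)))
        elif m := NOTIFY_RE.match(line):
            if not m.group(2):                             # Winlogon Notify with no file
                findings.append(("notify-nofile", m.group(1)))
        elif m := LSA_RE.match(line):
            for pkg in m.group(1).split():
                if pkg.lower() != "msv1_0":                # anything beyond the default
                    findings.append(("lsa-extra-package", pkg))
        elif m := CREATED_RE.match(line):
            attrs, path = m.groups()
            if "s" in attrs and "h" in attrs and directly_in_system32(path):
                findings.append(("hidden-system-file", path))
            elif path.lower().endswith(".dll") and directly_in_system32(path):
                findings.append(("new-system32-dll", path))
    return findings


def stem(detail):
    """Bare name without directory or extension, lower-cased, for correlation."""
    return detail.strip('"').lower().rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def correlate(findings):
    """Names hit by more than one rule: the strongest removal candidates."""
    rules_by_name = {}
    for rule, detail in findings:
        rules_by_name.setdefault(stem(detail), set()).add(rule)
    return {name for name, rules in rules_by_name.items() if len(rules) > 1}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for rule, detail in found:
        print(f"{rule:20} {detail}")
    print("multi-rule hits:", sorted(correlate(found)))
```

On the sample, the correlated set is xxmohqge (Run key plus freshly created DLL), ssqNEUoO (BHO plus LSA package) and the orphan CLSID registered as both BHO and SEH; the first two are among the files ComboFix deletes in the next log. The name heuristics are deliberately context-based (where the file sits and what loads it) rather than trying to score "random-looking" names, which misfires on legitimate short names such as NvCpl.dll.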
#2 - 12-06-2008, 08:41 PM - sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 24,445)

Re: Automatic updates disabled, popups, slow running system

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that.
#3 - 12-06-2008, 10:55 PM - woody413 (Registered User; OS: xp sp3)

Re: Automatic updates disabled, popups, slow running system

ComboFix 08-12-06.06 - Tim 2008-12-07 0:28:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.133 [GMT -5:00]
Running from: c:\documents and settings\Tim\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AutoRun.inf
c:\windows\system32\bmdfoeib.dll
c:\windows\system32\cdwnpkbm.ini
c:\windows\system32\cyqtaffj.ini
c:\windows\system32\dcvwrwag.ini
c:\windows\system32\dtgtufpb.ini
c:\windows\system32\dvkbevku.ini
c:\windows\system32\eeiqmutf.ini
c:\windows\system32\egqhomxx.ini
c:\windows\system32\ezpttu.dll
c:\windows\system32\ftumqiee.dll
c:\windows\system32\gbmqwcpl.dll
c:\windows\system32\gyysaw.dll
c:\windows\system32\hmrsxk.dll
c:\windows\system32\huweut.dll
c:\windows\system32\icypkkgv.ini
c:\windows\system32\idblbm.dll
c:\windows\system32\jhdblkqm.dll
c:\windows\system32\kjtphjeg.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\nqpjsnsr.ini
c:\windows\system32\oezrax.dll
c:\windows\system32\ojfsmcof.ini
c:\windows\system32\OoUENqss.ini
c:\windows\system32\OoUENqss.ini2
c:\windows\system32\qkeknobn.ini
c:\windows\system32\rqosbdla.dll
c:\windows\system32\siyxuydu.ini
c:\windows\system32\ssqNEUoO.dll
c:\windows\system32\uvfiymxt.ini
c:\windows\system32\xaqiaaje.ini
c:\windows\system32\xxmohqge.dll
c:\windows\system32\yybqkeji.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-06 21:48 . 2008-12-06 22:04 250 --a------ c:\windows\gmer.ini
2008-12-06 18:44 . 2008-12-06 18:44 747,873 --a------ c:\program files\gmer.zip
2008-12-04 21:13 . 2008-12-04 21:13 <DIR> d-------- c:\program files\backups
2008-11-28 21:52 . 2008-11-28 21:53 101,823 --a------ c:\program files\autorunsc.zip
2008-11-28 21:41 . 2008-11-28 21:41 <DIR> d-------- c:\program files\log
2008-11-28 21:41 . 2008-11-28 21:41 981,274 --a------ c:\program files\RootkitBuster2.2.1014.zip
2008-11-24 19:56 . 2008-11-24 19:56 318,369 --a------ c:\program files\HiJackThis.zip
2008-11-22 21:15 . 2008-12-05 08:03 <DIR> d-------- C:\sysclean
2008-11-21 20:47 . 2008-11-21 20:47 <DIR> d-------- c:\documents and settings\Administrator
2008-11-21 07:28 . 2008-11-30 10:52 <DIR> d-------- c:\windows\system32\Service
2008-11-20 01:20 . 2008-12-03 03:06 16,384 --a------ c:\windows\DCEBoot.exe
2008-11-19 21:18 . 2008-07-30 10:59 144,912 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-11-19 21:18 . 2008-07-30 10:59 50,192 --a------ c:\windows\system32\drivers\tmactmon.sys
2008-11-19 21:18 . 2008-07-30 10:59 49,680 --a------ c:\windows\system32\drivers\tmevtmgr.sys
2008-11-19 21:12 . 2008-11-19 21:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro
2008-11-19 21:07 . 2008-11-19 21:07 <DIR> d-------- c:\program files\Trend Micro(TM) AntiVirus
2008-11-19 19:52 . 2008-11-19 21:07 75,025,296 --a------ c:\program files\TrendMicro_Installer_TAV17x32.exe
2008-11-19 08:14 . 2008-11-19 21:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-19 08:13 . 2008-11-19 08:13 23,804,784 --a------ c:\program files\aaw2008.exe
2008-11-16 09:57 . 2008-11-16 09:57 <DIR> d-------- c:\windows\system32\scripting
2008-11-16 09:57 . 2008-11-16 09:57 <DIR> d-------- c:\windows\system32\en
2008-11-16 09:57 . 2008-11-16 09:57 <DIR> d-------- c:\windows\l2schemas
2008-11-12 00:01 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 23:40 --------- d-----w c:\program files\Azureus
2008-12-05 02:14 7,321 ----a-w c:\program files\hijackthis.log
2008-11-25 02:20 8,369 ----a-w c:\program files\startuplist.txt
2008-11-23 01:59 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2008-11-20 02:18 --------- d-----w c:\program files\Trend Micro
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-03-03 13:01 1,206,366 ----a-w c:\program files\wrar371.exe
2007-08-23 17:33 9,479,520 ----a-w c:\program files\winzip111.exe
2007-06-28 19:36 401,720 ----a-w c:\program files\HijackThis.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-30 970808]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-22 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-22 610304]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-27 868352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-06-24 4800512]
"Motive SmartBridge"="c:\progra~1\ALLTEL~1\SMARTB~1\MotiveSB.exe" [2004-11-09 393216]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-04 267048]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2003-07-07 274432]
"DACSMiniApp"="c:\program files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe" [2007-07-24 197888]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2003-06-03 180316]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"nwiz"="nwiz.exe" [2003-06-24 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 10872]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]
Windstream Broadband Check-up Center.lnk - c:\program files\ALLTEL DSL Check-up Center\bin\matcli.exe [2007-08-20 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\proeWildfire 3.0\\i486_nt\\nms\\nmsd.exe"=
"c:\\Program Files\\proeWildfire 3.0\\i486_nt\\obj\\pro_comm_msg.exe"=
"c:\\Program Files\\proeWildfire 3.0\\i486_nt\\obj\\xtop.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 tmevtmgr;tmevtmgr;\??\c:\windows\system32\drivers\tmevtmgr.sys [2008-11-19 49680]
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2008-07-30 36368]
R2 TmProxy;Trend Micro Proxy Service;"c:\program files\Trend Micro\Internet Security\TmProxy.exe" [2008-11-19 677128]
R3 EMCR;EMCR;c:\windows\system32\DRIVERS\EMCR7SK.sys [2007-08-20 68480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bd9ca66-c1ec-11dc-a6d6-00904b450159}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

BHO-{5246FC60-22C2-4FA6-A253-7DAFEE2E6351} - c:\windows\system32\ssqNEUoO.dll
BHO-{7ae5e186-b754-4f99-a53d-dacf47a13702} - c:\windows\system32\ezpttu.dll
HKLM-Run-Trend Micro AntiVirus 2007 - c:\program files\Trend Micro\AntiVirus 2007\tavui.exe
HKLM-Run-srmclean - c:\cpqs\Scom\srmclean.exe
HKLM-Run-prunnet - c:\windows\system32\prunnet.exe
Notify-ljJYSkJA - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.meadvilletribune.com/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.18\AMVConverter\grab.html
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 00:45:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????8?4?4?0??????? ??TB???????????????B? ??????

scanning hidden files ...


c:\docume~1\Tim\LOCALS~1\Temp\Acrobat Distiller 8\000008C8
c:\docume~1\Tim\LOCALS~1\Temp\Acrobat Distiller 8\000008C8\dirlock.tmp 0 bytes
c:\docume~1\Tim\LOCALS~1\Temp\Acrobat Distiller 8\000008C8\Temp.msg 100 bytes

scan completed successfully
hidden files: 3

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\flexnet\i486_nt\obj\lmgrd.exe
c:\program files\flexnet\i486_nt\obj\lmgrd.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\flexnet\i486_nt\obj\ptc_d.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-12-07 0:50:07 - machine was rebooted [Tim]
ComboFix-quarantined-files.txt 2008-12-07 05:50:00

Pre-Run: 88,815,841,280 bytes free
Post-Run: 89,375,436,800 bytes free

211 --- E O F --- 2008-11-17 08:01:28
#4 - 12-06-2008, 11:12 PM - sUBs

Re: Automatic updates disabled, popups, slow running system

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users: right-click the Internet Explorer shortcut and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
#5 - 12-07-2008, 07:29 AM - woody413 (Registered User; OS: xp sp3)

Re: Automatic updates disabled, popups, slow running system

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, December 7, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, December 07, 2008 03:56:00
Records in database: 1441542
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 110503
Threat name: 10
Infected objects: 21
Suspicious objects: 0
Duration of the scan: 06:24:34


File name / Threat name / Threats count
C:\Program Files\Trend Micro\Internet Security\Quarantine\19.tmp Infected: Trojan.Win32.Monder.aaun 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\195.tmp Infected: Trojan.Win32.Monder.zrv 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\196.tmp Infected: Trojan.Win32.Monder.zrv 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\197.tmp Infected: Trojan-Downloader.Win32.Agent.akwa 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\199.tmp Infected: Trojan.Win32.Monder.zrv 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\1A.tmp Infected: Trojan.Win32.Monder.aaun 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\1A8.tmp Infected: Trojan.Win32.Agent.anyk 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\2C.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.ewk 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\2D.tmp Infected: Trojan.Win32.Agent.arvp 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\2E.tmp Infected: Trojan.Win32.Monder.zzo 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\2F.tmp Infected: Trojan.Win32.Agent.arvq 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\30.tmp Infected: Trojan.Win32.Agent.arvq 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\SOSQLU.DLL Infected: not-a-virus:AdWare.Win32.SuperJuan.ewk 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\tumoxz.dll Infected: Trojan.Win32.Monder.aaun 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\waxyrwca.dll Infected: Trojan.Win32.Monder.aaun 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\XLWUSI.DLL Infected: Trojan.Win32.Monder.zzo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bmdfoeib.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.exh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gyysaw.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.exh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\huweut.dll.vir Infected: Trojan.Win32.Monder.zzq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\idblbm.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.exh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yybqkeji.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.exh 1

The selected area was scanned.
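
A quick way to check the report above the way a helper would before calling the system clean, as an added example (editor's code, not Kaspersky's or the forum's): parse the report, classify each hit by whether its path sits under a quarantine folder, and cross-check the parsed totals against the report's own "Scan statistics" header. The two quarantine roots (Trend Micro's Quarantine folder and ComboFix's C:\Qoobox) are assumed from the paths in the report; the embedded report text is copied verbatim from the post above, with the settings header trimmed.

```python
import re
from collections import Counter

# Kaspersky Online Scanner report from the post above, copied verbatim with
# the settings header trimmed, so the helper runs offline.
REPORT = r"""
Scan statistics:
Files scanned: 110503
Threat name: 10
Infected objects: 21
Suspicious objects: 0

File name / Threat name / Threats count
C:\Program Files\Trend Micro\Internet Security\Quarantine\19.tmp Infected: Trojan.Win32.Monder.aaun 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\195.tmp Infected: Trojan.Win32.Monder.zrv 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\196.tmp Infected: Trojan.Win32.Monder.zrv 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\197.tmp Infected: Trojan-Downloader.Win32.Agent.akwa 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\199.tmp Infected: Trojan.Win32.Monder.zrv 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\1A.tmp Infected: Trojan.Win32.Monder.aaun 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\1A8.tmp Infected: Trojan.Win32.Agent.anyk 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\2C.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.ewk 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\2D.tmp Infected: Trojan.Win32.Agent.arvp 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\2E.tmp Infected: Trojan.Win32.Monder.zzo 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\2F.tmp Infected: Trojan.Win32.Agent.arvq 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\30.tmp Infected: Trojan.Win32.Agent.arvq 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\SOSQLU.DLL Infected: not-a-virus:AdWare.Win32.SuperJuan.ewk 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\tumoxz.dll Infected: Trojan.Win32.Monder.aaun 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\waxyrwca.dll Infected: Trojan.Win32.Monder.aaun 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\XLWUSI.DLL Infected: Trojan.Win32.Monder.zzo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bmdfoeib.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.exh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gyysaw.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.exh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\huweut.dll.vir Infected: Trojan.Win32.Monder.zzq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\idblbm.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.exh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yybqkeji.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.exh 1

The selected area was scanned.
"""

HIT_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
STAT_RE = re.compile(r"^(Threat name|Infected objects|Suspicious objects): (\d+)$")

# Assumed quarantine roots, taken from the paths in the report: files under
# these were already neutralised by Trend Micro or by ComboFix (C:\Qoobox).
QUARANTINE_ROOTS = {
    "c:\\program files\\trend micro\\internet security\\quarantine\\": "trend-quarantine",
    "c:\\qoobox\\quarantine\\": "combofix-quarantine",
}


def parse(report):
    """Split the report into its statistics block and (path, threat, count) hits."""
    stats, hits = {}, []
    for line in report.strip().splitlines():
        if m := STAT_RE.match(line):
            stats[m.group(1)] = int(m.group(2))
        elif m := HIT_RE.match(line):
            hits.append((m["path"], m["threat"], int(m["count"])))
    return stats, hits


def location(path):
    """'trend-quarantine', 'combofix-quarantine', or 'live' for anything else."""
    p = path.lower()
    for root, label in QUARANTINE_ROOTS.items():
        if p.startswith(root):
            return label
    return "live"


def family(threat):
    """Kaspersky names are Type.Platform.Family.variant; keep the family."""
    return threat.split(".")[-2]


def summarize(report):
    stats, hits = parse(report)
    objects = sum(c for _, _, c in hits)
    names = {t for _, t, _ in hits}
    return {
        "objects": objects,
        "threat_names": len(names),
        "by_location": dict(Counter(location(p) for p, _, _ in hits)),
        "families": dict(Counter(family(t) for _, t, _ in hits)),
        "live": [p for p, _, _ in hits if location(p) == "live"],
        # the parsed totals should reproduce the report's own header
        "matches_header": (stats.get("Infected objects") == objects
                           and stats.get("Threat name") == len(names)),
    }


if __name__ == "__main__":
    s = summarize(REPORT)
    for k, v in s.items():
        print(f"{k}: {v}")
    print("nothing live; purge the quarantines and move on" if not s["live"]
          else "live infections remain: " + ", ".join(s["live"]))
```

For this report the parser reproduces the header (21 objects, 10 threat names), puts 16 hits in Trend Micro's quarantine and 5 in ComboFix's, and finds nothing live, which is the basis for treating the machine as clean once both quarantines are emptied.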
#6 - 12-07-2008, 08:34 AM - sUBs

Re: Automatic updates disabled, popups, slow running system

Found some infected files in Trend Micro's quarantine folder. Best get rid of them.

Of the other stuff Kaspersky found, C:\QooBox\ is ComboFix's quarantine folder. We'll take care of it when we uninstall ComboFix.


----------------------


Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /u


  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  3. Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  4. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
sUBs is offline  
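A small triage helper, added here as an example and not code from the thread or from any of the tools it mentions: it parses Kaspersky-style result lines like those in the log above and separates hits that already sit in Trend Micro's quarantine or ComboFix's C:\Qoobox folder (the distinction sUBs draws) from hits on live files, and tallies the malware families seen. The regex, the folder list and the constructed live-file path are assumptions for the example.

```python
import re
from collections import Counter

# Kaspersky-style result lines look like "<path> Infected: <detection> <count>".
SCAN_LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<count>\d+)$")

# Quarantine folders named in the thread (Trend Micro's and ComboFix's C:\Qoobox);
# hits under these are already contained, anything else is a live file.
QUARANTINE_PREFIXES = (
    "c:\\program files\\trend micro\\internet security\\quarantine\\",
    "c:\\qoobox\\quarantine\\",
)

def parse_scan_line(line):
    """Return (path, detection, count), or None for non-result lines."""
    m = SCAN_LINE.match(line.strip())
    if not m:
        return None
    return m.group("path"), m.group("name"), int(m.group("count"))

def family(detection):
    """'not-a-virus:AdWare.Win32.SuperJuan.exh' -> 'AdWare.Win32.SuperJuan'."""
    name = detection.split(":", 1)[-1]  # drop the 'not-a-virus:' prefix
    return name.rsplit(".", 1)[0]       # drop the variant suffix

def triage(lines):
    """Split hits into quarantined vs active and count malware families."""
    result = {"quarantined": [], "active": [], "families": Counter()}
    for line in lines:
        parsed = parse_scan_line(line)
        if parsed is None:
            continue  # e.g. 'The selected area was scanned.'
        path, detection, _ = parsed
        status = "quarantined" if path.lower().startswith(QUARANTINE_PREFIXES) else "active"
        result[status].append((path, detection))
        result["families"][family(detection)] += 1
    return result

# Sample input: three lines copied from the log above plus one constructed
# live-file hit whose path is made up for illustration.
SAMPLE_LOG = """\
C:\\Program Files\\Trend Micro\\Internet Security\\Quarantine\\2E.tmp Infected: Trojan.Win32.Monder.zzo 1
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\bmdfoeib.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.exh 1
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\huweut.dll.vir Infected: Trojan.Win32.Monder.zzq 1
C:\\WINDOWS\\system32\\constructed_example.dll Infected: Trojan.Win32.Monder.zzo 1
The selected area was scanned.
""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Anything that lands in the "active" list is a file the scanner found outside a quarantine folder and is what still needs removal; the "quarantined" entries are leftovers that can simply be purged along with the quarantine folders.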
Old 12-07-2008, 04:00 PM   #7 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 4
OS: xp sp3


Re: Automatic updates disabled, popups, slow running system

I uninstalled combofix, and deleted all quarantined files from my Trend Micro quarantine folder. Automatic updates is ON!
Thank you very much!
woody413 is offline  
Copyright 2001 - 2009, Tech Support Forum