Post #1 by bigorange, 10-02-2009, 12:27 PM
Registered User
Join Date: Dec 2007
Posts: 17
OS: Windows XP SP2

Help: Malware/Virus Popups

I clicked on a link yesterday from a website. My computer warned me that it was an .exe file and was I sure I wanted to run it. I meant to click 'No', but clicked 'Yes' or 'Run', whichever the bad option was, and now my browsers, IE and Firefox, have been hijacked. My computer was restarting over and over. I was getting a popup that says something to the effect of "are you sure you want to navigate away from this window..." If you click 'yes', it goes away; if you click 'cancel', a popup with multiple sites comes up with various shopping links. I went into Task Manager and found that a lot of my processes were changing their names. One program called ctfmon.exe would change its name to ctfmon .exe, the only difference being the space before the file extension. There were multiple programs doing this. When I would end the process, it would just restart itself. I know some programs are restarted by Windows, but programs that shouldn't have been restarting themselves were.

I tried running Trend Micro's House call. After multiple attempts, I finally got it to work, but it doesn't seem to have fixed anything.

ARG antivirus found a virus packed.hidden. Still didn't help!

After running the utilities gmer and dds, my computer wouldn't connect to the internet. Not blaming you or the files/utilities, just saying that it isn't fixed. Luckily I put the files and resulting text files on my network drive, and am using my laptop to do this, because I just, while typing this, restarted my desktop computer and now I am getting an error that says: "Windows could not start because the following file is missing or corrupt: windows\system32\config\system. You can attempt to repair this file by starting Windows Setup using the original Setup CD-ROM. Select 'r' at the first screen to start repair."

Any help you can give will be greatly appreciated!

I may now have to format my C drive and start over. Please let me know soon what I need to do to make sure that all of the virus traces are gone before I put a fresh copy of the OS on my computer, if that is what I have to end up doing. Thanks!
Rob (bigorange)

DDS.Txt:

DDS (Ver_09-09-29.01) - NTFSx86
Run by Owner at 13:32:47.82 on Fri 10/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1527.648 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\WINDOWS\system32\hkcmd .exe
C:\windows\system\hpsysdrv .exe
C:\Program Files\Multimedia Card Reader\shwicon2k .exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon .exe
C:\Program Files\DigitalPersona\Bin\DPAgnt .exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC .exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\ctv337.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jqsnotify.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.schedulesontheweb.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: WinTouch Bar: {b28bb341-2c37-4711-bf95-9ddb4ce55f4a} - %SystemRoot%\system32\shdocvw.dll
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [Active Desktop Calendar] c:\program files\xemicomputers\active desktop calendar\ADC .exe
uRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [CamMonitor] c:\program files\hp\digital imaging\unload\hpqcmon.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [LTMSG] LTMSG.exe 7
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [DPAgnt] c:\program files\digitalpersona\bin\DPAgnt.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe"
mRun: [DMXLauncher] "c:\program files\roxio\cineplayer\DMXLauncher.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire\Corel Photo Downloader.exe
mRun: [wcmdmgr] c:\windows\wt\updater\wcmdmgrl.exe -launch
mRun: [WT GameChannel] c:\program files\wildtangent\apps\GameChannel.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [UVS11 Preload] c:\program files\ulead systems\ulead videostudio 11\uvPL.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\c3vputqvwo8n.dll
LSP: SpSubLSP.dll
Trusted Zone: turbotax.com
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswax70.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: DPWLN - c:\windows\system32\DPWLEvHd.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\osvhbmnz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://home.iwon.com/iwon-homepage/home.jhtml
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\components\ffwt.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\osvhbmnz.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np32asw.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-2 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-10-2 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-2 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-10-2 297752]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R3 dpK0Bx01;Fingerprint Reader Filter Driver;c:\windows\system32\drivers\dpK0Bx01.sys [2006-9-16 35584]
R3 usbdpfp;Fingerprint Reader Class Driver;c:\windows\system32\drivers\usbdpfp.sys [2006-9-16 47360]
S1 tdisp.sys;tdisp.sys;\??\c:\windows\system32\tdisp.sys --> c:\windows\system32\tdisp.sys [?]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2007-8-24 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2007-8-24 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2007-8-24 166384]
S2 SessionLauncher;SessionLauncher; [x]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2007-8-24 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2007-8-24 1083888]

=============== Created Last 30 ================

2009-10-02 12:09 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-10-02 12:02 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-10-02 12:02 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-10-02 12:02 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-10-02 12:02 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-10-02 11:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-10-01 23:45 <DIR> --d----- c:\documents and settings\owner\.housecall6.6
2009-10-01 17:41 <DIR> --d----- c:\program files\AVG
2009-10-01 17:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-10-01 17:30 <DIR> --d----- c:\docume~1\owner\applic~1\AVG8
2009-10-01 16:11 <DIR> --d----- c:\windows\pss
2009-10-01 15:57 <DIR> --d----- C:\AV
2009-10-01 14:31 27,136 a------- c:\windows\system32\alcxmntr.exe
2009-10-01 14:31 27,136 a------- c:\windows\system32\alcxmntr .exe
2009-10-01 14:31 27,136 a------- c:\windows\system32\ltmsg.exe 7
2009-10-01 14:31 27,136 a------- c:\windows\system32\ltmsg .exe
2009-10-01 14:31 27,136 a------- c:\windows\system32\rundll32.exe nview .exe
2009-10-01 13:47 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-10-01 13:30 27,136 a------- c:\documents and settings\owner\alcxmntr.exe
2009-10-01 13:30 27,136 a------- c:\documents and settings\owner\alcxmntr .exe
2009-10-01 13:30 27,136 a------- c:\documents and settings\owner\ltmsg .exe
2009-10-01 13:30 180 a------- c:\windows\system\hpsysdrv .DAT
2009-10-01 13:30 27,136 a------- c:\documents and settings\owner\rundll32.exe nview .exe
2009-10-01 13:27 290,816 a--shr-- c:\windows\system32\c3vputqvwo8n.dll
2009-10-01 13:26 135,680 a------- c:\windows\system32\lphcao6j0ete1.exe
2009-10-01 13:26 27,136 a------- c:\windows\system32\vlkldsf.exe
2009-10-01 13:26 336,896 ---shr-- c:\windows\system32\c3vputpvwoon.exe
2009-10-01 13:26 10 a------- c:\windows\system32\kr_done1
2009-10-01 13:22 3,532 a------- C:\drmHeader.bin
2009-09-25 12:59 <DIR> --d----- c:\program files\iPod
2009-09-25 12:59 <DIR> --d----- c:\program files\iTunes
2009-09-18 11:54 <DIR> --d----- c:\program files\iPhone Configuration Utility
2009-09-18 11:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-08 15:59 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-05 01:54 94,208 a------- c:\windows\system32\QuickTimeVR.qtx
2009-09-05 01:54 69,632 a------- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-10-02 11:51 27,136 a------- c:\windows\system32\hkcmd.exe
2009-09-29 06:13 3,766 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-02-23 22:37 92,064 a------- c:\documents and settings\owner\mqdmmdm.sys
2009-02-23 22:37 79,328 a------- c:\documents and settings\owner\mqdmserd.sys
2009-02-23 22:37 5,936 a------- c:\documents and settings\owner\mqdmwhnt.sys
2009-02-23 22:37 66,656 a------- c:\documents and settings\owner\mqdmbus.sys
2009-02-23 22:37 25,600 a------- c:\documents and settings\owner\usbsermptxp.sys
2009-02-23 22:37 22,768 a------- c:\documents and settings\owner\usbsermpt.sys
2009-02-23 22:37 9,232 a------- c:\documents and settings\owner\mqdmmdfl.sys
2009-02-23 22:37 6,208 a------- c:\documents and settings\owner\mqdmcmnt.sys
2009-02-23 22:37 4,048 a------- c:\documents and settings\owner\mqdmcr.sys
2008-01-18 21:10 1,132,112 a------- c:\docume~1\alluse~1\applic~1\pswi_preloaded.exe
2007-12-18 00:35 10 a------- c:\program files\.autoreg
2004-06-01 20:49 0 a--sh--- c:\windows\sminst\HPCD.SYS
2008-01-18 21:21 88 ---shr-- c:\windows\system32\3A5E81B3A4.sys
2008-08-22 06:56 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082220080823\index.dat

============= FINISH: 13:35:07.85 ===============
Attached Files
File Type: zip attach.zip (422.5 KB, 5 views)
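The renamed-process pattern described in the post above (a space inserted before the extension, so that "ctfmon .exe" sits beside the real ctfmon.exe) appears directly in the posted DDS log, as do executables launched from the user's Temp folder and freshly created system32 files carrying the hidden/system/read-only attribute set. The following triage script is an added example, not part of the thread and not part of the DDS tool; it parses a DDS-style log section by section and flags those three indicators. The sample log embedded in it is constructed from the shapes of lines in the posted log, not a full copy of it.

```python
import re
from dataclasses import dataclass

# Name ends in "<something> .exe" (or another executable extension): a lookalike
# of a legitimate file name, as with "ctfmon .exe" beside the real ctfmon.exe.
SPACE_BEFORE_EXT = re.compile(r"\S\s+\.(exe|dll|scr|sys|com|bat)$", re.IGNORECASE)
TEMP_DIR = re.compile(r"[\\/]temp[\\/]", re.IGNORECASE)
SYSTEM32_DIR = re.compile(r"[\\/]system32[\\/]", re.IGNORECASE)
SECTION_HEADER = re.compile(r"^=+\s*(.*?)\s*=+$")
# e.g. "2009-10-01 14:31 27,136 a------- c:\windows\system32\alcxmntr .exe"
CREATED_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)

# Constructed sample, not a full log: line shapes copied from the DDS output
# posted in the thread (process list plus the "Created Last 30" listing).
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd .exe
C:\Program Files\DigitalPersona\Bin\DPAgnt .exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\ctv337.exe
C:\Program Files\iTunes\iTunesHelper.exe

=============== Created Last 30 ================

2009-10-01 14:31 27,136 a------- c:\windows\system32\alcxmntr.exe
2009-10-01 14:31 27,136 a------- c:\windows\system32\alcxmntr .exe
2009-10-01 13:27 290,816 a--shr-- c:\windows\system32\c3vputqvwo8n.dll
2009-10-01 13:26 336,896 ---shr-- c:\windows\system32\c3vputpvwoon.exe
2009-09-05 01:54 94,208 a------- c:\windows\system32\QuickTime.qts
"""


@dataclass(frozen=True)
class Finding:
    section: str
    path: str
    reason: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def lookalike_target(name: str) -> str:
    """Legitimate name a padded name imitates: 'hkcmd .exe' -> 'hkcmd.exe'."""
    return re.sub(r"\s+(?=\.\w+$)", "", name)


def split_sections(text: str) -> dict:
    """Group non-blank lines under the '==== Name ====' header above them."""
    sections, current = {}, "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_HEADER.match(line)
        if header:
            current = header.group(1) or current
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def check_path(section: str, path: str) -> list:
    """Path-based checks shared by the process list and the file listings."""
    name = basename(path)
    found = []
    if SPACE_BEFORE_EXT.search(name):
        found.append(Finding(section, path,
                             f"whitespace before extension, lookalike of {lookalike_target(name)}"))
    if TEMP_DIR.search(path) and name.lower().endswith((".exe", ".scr", ".dll")):
        found.append(Finding(section, path, "executable in a Temp directory"))
    return found


def triage(text: str) -> list:
    """Return every Finding for a DDS-style log; an empty list means nothing flagged."""
    findings = []
    for section, lines in split_sections(text).items():
        for line in lines:
            created = CREATED_LINE.match(line)
            if created:
                path, attrs = created.group("path"), created.group("attrs")
                findings.extend(check_path(section, path))
                # s = system, h = hidden, r = read-only: the attribute combination
                # on the freshly dropped system32 files in the posted log.
                if all(flag in attrs for flag in "shr") and SYSTEM32_DIR.search(path):
                    findings.append(Finding(section, path,
                                            "new hidden+system+read-only file in system32"))
            elif section == "Running Processes":
                findings.extend(check_path(section, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.path}: {f.reason}")
```

Feed it a real DDS.txt to get the same three classes of findings; every hit still needs an analyst's judgement, since legitimate files can occasionally live in Temp as well.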
Post #2 by amateur, 10-06-2009, 05:27 AM
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,483
OS: XP SP3

Re: Help: Malware/Virus Popups

Hello and welcome to TSF.

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?

============================

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    How to disable AVG

    Please open the AVG 8 Control Center by right-clicking on the AVG 8 icon on the task bar.

    * Click on Tools.
    * Select Advanced Settings.
    * In the left-hand pane, scroll down to "Resident Shield".
    * In the main pane, deselect the option to "Enable Resident Shield."
    * To re-enable AVG 8, please select "Enable Resident Shield" again.
    For further help, click here.
  • Double-click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Please make sure that your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done that.
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006
Post #3 by bigorange, 10-06-2009, 04:48 PM
Registered User
Join Date: Dec 2007
Posts: 17
OS: Windows XP SP2

Re: Help: Malware/Virus Popups

As I alluded to in my previous post, I ended up having to run a 'recovery' on Windows XP using my HP Recovery Disks. After having done so, I have run ComboFix, and the text file that the program created is attached below. Please let me know if this computer's infection has been removed completely. If I need to, I can use the 'Recovery' Disks and format the hard drive to remove all traces. Please let me know if this is necessary.

Thanks Again!
Rob
(bigorangerob)
ComboFix 09-10-05.01 - Owner 10/06/2009 18:20.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.1527.799 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
ADS - WINDOWS: deleted 48 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\alcxmntr .exe
c:\documents and settings\Owner\Application Data\wiaservg.log
c:\documents and settings\Owner\ltmsg .exe
c:\documents and settings\Owner\rundll32.exe nview .exe
c:\recycler\S-1-5-21-3267321227-3951551914-3654124784-1003
c:\windows\Installer\40a110a.msp
c:\windows\Installer\40a1124.msp
c:\windows\Installer\42047f90.msp
c:\windows\Installer\42b7e3d5.msp
c:\windows\Installer\42b7e3df.msp
c:\windows\Installer\42b7e3ee.msp
c:\windows\Installer\42b7e466.msp
c:\windows\Installer\42b7e47d.msp
c:\windows\Installer\42b7e50e.msp
c:\windows\Installer\42b7e517.msi
c:\windows\Installer\45ce718c.msp
c:\windows\Installer\45ce71b8.msp
c:\windows\Installer\45ce71e4.msp
c:\windows\Installer\45ce7210.msp
c:\windows\Installer\4619bc92.msp
c:\windows\Installer\4619bc9c.msp
c:\windows\Installer\4619bcaa.msp
c:\windows\Installer\4619bd4a.msp
c:\windows\Installer\4619bfa5.msp
c:\windows\Installer\4619c0b4.msp
c:\windows\Installer\4619c0df.msp
c:\windows\Installer\47292344.msi
c:\windows\Installer\478d1506.msp
c:\windows\Installer\47d2aea2.msp
c:\windows\Installer\47d2aebb.msp
c:\windows\Installer\4942c7c.msp
c:\windows\Installer\496e327.msi
c:\windows\Installer\4b68d3b.msp
c:\windows\Installer\4b68d48.msp
c:\windows\Installer\51e7014.msp
c:\windows\Installer\51fb093.msp
c:\windows\Installer\5201cfa.msp
c:\windows\Installer\5b950.msi
c:\windows\Installer\6065852b.msp
c:\windows\Installer\60658557.msp
c:\windows\Installer\60658583.msp
c:\windows\Installer\6065859f.msp
c:\windows\Installer\606585cc.msp
c:\windows\Installer\606585f9.msp
c:\windows\Installer\6257f.msi
c:\windows\Installer\62588.msi
c:\windows\Installer\62591.msi
c:\windows\Installer\6259a.msi
c:\windows\Installer\625a3.msi
c:\windows\Installer\625b0.msi
c:\windows\Installer\625b9.msi
c:\windows\Installer\625c3.msi
c:\windows\Installer\625cd.msi
c:\windows\Installer\625d6.msi
c:\windows\Installer\625df.msi
c:\windows\Installer\62603.msi
c:\windows\Installer\6ae95c.msi
c:\windows\Installer\77c172d.msi
c:\windows\Installer\833f0093.msp
c:\windows\Installer\833f00bf.msp
c:\windows\Installer\84167a03.msp
c:\windows\Installer\891cafe.msp
c:\windows\Installer\891cb2a.msp
c:\windows\Installer\891cb45.msp
c:\windows\Installer\891cb71.msp
c:\windows\Installer\891cb9d.msp
c:\windows\Installer\896c45.msi
c:\windows\Installer\8ec864b.msp
c:\windows\Installer\900e2a48.msp
c:\windows\Installer\9cf2904.msi
c:\windows\Installer\9fba3a1.msi
c:\windows\Installer\a0595.msi
c:\windows\Installer\a059f.msp
c:\windows\Installer\b23af87.msi
c:\windows\Installer\b23afa0.msp
c:\windows\Installer\b23afcc.msp
c:\windows\Installer\bca3941.msp
c:\windows\Installer\c01ef61d.msp
c:\windows\Installer\c6c54.msi
c:\windows\Installer\c6c7c.msi
c:\windows\Installer\c6cc8.msi
c:\windows\Installer\c6d60.msi
c:\windows\Installer\c6db6.msi
c:\windows\Installer\c6e8f.msi
c:\windows\Installer\c6ea2.msi
c:\windows\Installer\c6ebd.msi
c:\windows\Installer\c6eef.msi
c:\windows\Installer\c6f0c.msi
c:\windows\Installer\c6f1e.msi
c:\windows\Installer\c6f4d.msi
c:\windows\Installer\c789a.msi
c:\windows\Installer\c78fb.msi
c:\windows\Installer\c7904.msi
c:\windows\Installer\c7966.msi
c:\windows\Installer\c7a07.msi
c:\windows\Installer\c7adc.msi
c:\windows\Installer\c7d55.msi
c:\windows\Installer\c7d6f.msi
c:\windows\Installer\c7d81.msi
c:\windows\Installer\c7d8b.msi
c:\windows\Installer\c7de7.msi
c:\windows\Installer\c7e45.msi
c:\windows\Installer\d4ad723.msi
c:\windows\Installer\d4ad728.msi
c:\windows\Installer\d4ad731.msi
c:\windows\Installer\d5779.msi
c:\windows\Installer\dc9d703.msi
c:\windows\Installer\e04b968.msi
c:\windows\Installer\eff25b0.msp
c:\windows\Installer\eff25cc.msp
c:\windows\Installer\eff25f8.msp
c:\windows\Installer\eff2624.msp
c:\windows\Installer\f2cd.msp
c:\windows\Installer\f50d669.msi
c:\windows\Installer\ff6bd4.msi
c:\windows\system\hpsysdrv .DAT
c:\windows\system\hpsysdrv .exe
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\ps2.bat
c:\windows\viassary-hp.reg
P:\autorun.inf

c:\windows\system32\qmgr.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-09-06 to 2009-10-06 )))))))))))))))))))))))))))))))
.

2009-10-05 22:35 . 2002-08-29 07:40 20480 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-10-05 22:35 . 2002-08-29 07:40 20480 ----a-w- c:\windows\system32\hidserv.dll
2009-10-05 22:16 . 2002-08-29 05:48 14208 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-10-05 22:16 . 2002-08-29 05:48 14208 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-10-05 22:14 . 2009-10-05 22:15 -------- d-----w- c:\windows\system32\NtmsData
2009-10-05 22:05 . 2002-12-12 07:34 208896 ----a-w- c:\windows\system32\wmpns.dll
2009-10-05 02:32 . 2003-10-11 03:06 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft
2009-10-05 02:32 . 2001-08-17 20:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-10-05 02:32 . 2001-08-17 21:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-10-05 02:32 . 2002-08-29 08:50 24960 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-10-05 02:32 . 2002-08-29 08:32 28160 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-10-05 02:31 . 2002-08-29 08:32 5888 ----a-w- c:\windows\system32\drivers\splitter.sys
2009-10-05 02:31 . 2002-08-29 09:00 77440 ----a-w- c:\windows\system32\drivers\wdmaud.sys
2009-10-05 02:31 . 2002-08-29 06:16 142208 ----a-w- c:\windows\system32\drivers\aec.sys
2009-10-05 02:31 . 2001-08-17 21:00 54272 ----a-w- c:\windows\system32\drivers\swmidi.sys
2009-10-05 02:31 . 2001-08-17 20:59 50048 ----a-w- c:\windows\system32\drivers\DMusic.sys
2009-10-05 02:31 . 2002-08-29 09:01 56832 ----a-w- c:\windows\system32\drivers\sysaudio.sys
2009-10-05 02:31 . 2002-08-29 08:32 2816 ----a-w- c:\windows\system32\drivers\drmkaud.sys
2009-10-05 02:31 . 2002-08-29 08:32 159360 ----a-w- c:\windows\system32\drivers\kmixer.sys
2009-10-05 02:31 . 2002-08-29 09:01 134272 ----a-w- c:\windows\system32\drivers\portcls.sys
2009-10-05 02:31 . 2002-08-29 08:32 57856 ----a-w- c:\windows\system32\drivers\drmk.sys
2009-10-05 02:31 . 2002-08-29 08:33 55680 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2009-10-05 02:31 . 2001-08-17 20:46 6400 ----a-w- c:\windows\system32\drivers\enum1394.sys
2009-10-05 01:43 . 2009-10-06 22:30 -------- dcsh--r- c:\windows\system32\dllcache
2009-10-05 01:11 . 2003-04-07 14:05 155648 ----a-w- c:\windows\system32\igfxres.dll
2009-10-05 01:10 . 2003-08-25 22:06 182880 -c--a-w- c:\windows\system32\dllcache\iuengine.dll
2009-10-05 01:10 . 2003-08-25 22:06 182880 ----a-w- c:\windows\system32\iuengine.dll
2009-10-05 01:08 . 2003-10-11 05:31 128 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\fusioncache.dat
2009-10-05 01:08 . 2007-11-08 08:00 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft Help
2009-10-05 01:08 . 2003-10-11 05:31 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\ApplicationHistory
2009-10-05 01:08 . 2003-10-11 05:19 -------- d-----w- c:\windows\system32\config\systemprofile\WINDOWS
2009-10-05 01:08 . 2003-10-11 03:09 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142000}
2009-10-05 01:05 . 2002-08-29 05:32 135552 ----a-w- c:\windows\system32\drivers\usbport.sys
2009-10-05 01:05 . 2002-08-29 05:32 19328 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2009-10-05 01:05 . 2001-08-18 02:36 67072 ----a-w- c:\windows\system32\usbui.dll
2009-10-05 01:05 . 2002-08-29 05:32 51968 ----a-w- c:\windows\system32\drivers\usbhub.sys
2009-10-05 01:05 . 2002-10-24 19:59 87040 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-05 01:05 . 2002-08-29 05:27 23680 ----a-w- c:\windows\system32\drivers\pciidex.sys
2009-10-05 01:05 . 2001-08-17 17:51 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
2009-10-05 01:05 . 2002-08-29 05:09 62976 ----a-w- c:\windows\system32\drivers\pci.sys
2009-10-05 01:05 . 2001-08-17 17:58 35840 ----a-w- c:\windows\system32\drivers\isapnp.sys
2009-10-05 01:04 . 2002-08-29 06:06 51072 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2009-10-05 01:04 . 2002-08-29 05:27 23424 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2009-10-02 16:09 . 2009-10-02 16:10 -------- d-----w- C:\$AVG8.VAULT$
2009-10-02 15:27 . 2009-10-02 15:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-02 03:45 . 2009-10-02 03:57 -------- d-----w- c:\documents and settings\Owner\.housecall6.6
2009-10-01 21:41 . 2009-10-02 17:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-01 21:41 . 2009-10-01 21:41 -------- d-----w- c:\program files\AVG
2009-10-01 21:30 . 2009-10-01 21:30 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG8
2009-10-01 19:57 . 2009-10-02 01:16 -------- d-----w- C:\AV
2009-10-01 17:30 . 2009-10-02 17:26 27136 ----a-w- c:\documents and settings\Owner\alcxmntr.exe
2009-10-01 17:22 . 2009-10-01 17:23 3532 ----a-w- C:\drmHeader.bin
2009-09-25 16:59 . 2009-09-25 16:59 -------- d-----w- c:\program files\iPod
2009-09-25 16:59 . 2009-09-25 17:00 -------- d-----w- c:\program files\iTunes
2009-09-18 15:54 . 2009-09-18 15:54 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-18 15:51 . 2009-09-18 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-18 15:47 . 2009-09-18 15:48 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-06 22:06 . 2003-10-14 05:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-05 23:14 . 2007-11-09 11:10 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-10-05 22:40 . 2009-05-22 17:11 68978 ----a-w- c:\windows\hpoins05.dat
2009-10-05 19:48 . 2003-10-11 05:24 -------- d-----w- c:\program files\Easy Internet signup
2009-10-05 01:12 . 2007-11-07 22:20 33520 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-05 01:10 . 2009-10-05 01:10 4370 --sha-r- c:\windows\system32\drivers\HP_DT160A-ABA A465C_YW_Pavi_QMXK406_E41NAheBLU4_4_I P4SD-LA _SASUSTeK Computer INC._VRev 1.xx_B3.19_T031212_WXH1_L409_M1528_J164_7Intel_8Pentium 4_93_1104C8023_N10EC8139_P_Z11C1044C_K_A808624D5_U808624D2_G80862572_O_DIN-KCH-.MRK
2009-10-05 01:06 . 2007-11-07 17:18 -------- d-----w- c:\program files\Multimedia Card Reader
2009-10-02 18:07 . 2007-11-07 16:12 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-10-02 15:56 . 2009-07-24 13:30 -------- d-----w- c:\program files\dvd43
2009-10-01 18:19 . 2008-01-29 02:54 -------- d-----w- c:\program files\ErrorSmart
2009-09-29 10:14 . 2008-01-19 01:10 -------- d-----w- c:\documents and settings\Owner\Application Data\Corel
2009-09-25 16:59 . 2008-01-25 18:15 -------- d-----w- c:\program files\Common Files\Apple
2009-09-10 17:45 . 2008-11-06 22:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-09 07:02 . 2007-11-07 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-22 02:57 . 2009-08-22 02:57 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-08-16 13:56 . 2009-08-16 13:56 -------- d-----w- c:\documents and settings\Owner\Application Data\EuroTalk
2009-08-16 13:56 . 2009-08-16 13:56 -------- d-----w- c:\program files\EuroTalk
2009-08-12 21:54 . 2009-08-12 21:54 -------- d-----w- c:\program files\Hyper Entertainment
2009-08-12 14:40 . 2009-08-12 14:40 -------- d-----w- c:\program files\Carbonite
2007-12-18 04:35 . 2007-12-18 04:35 10 ----a-w- c:\program files\.autoreg
2007-12-18 04:35 . 2007-12-18 04:35 69632 ----a-w- c:\program files\mozilla firefox\components\ffwt.dll
2004-06-02 00:49 . 2007-11-07 17:11 0 --sha-w- c:\windows\SMINST\HPCD.SYS
.

------- Sigcheck -------

[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\wscntfy.exe
[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\wscntfy.exe

[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\xmlprov.dll
[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\xmlprov.dll

[-] 2004-08-04 05:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
[-] 2004-08-04 05:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\ServicePackFiles\i386\mspmsnsv.dll
[-] 2002-11-27 09:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll

c:\windows\system32\wscntfy.exe ... is missing !!
c:\windows\system32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\program files\HP\Digital Imaging\bin\backupnotify.exe" [2003-06-23 24576]
"NVIEW"="nview.dll" - c:\windows\system32\nview.dll [2003-08-19 852038]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"CamMonitor"="c:\program files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 90112]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 483328]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-10-11 151597]
"AutoTKit"="c:\hp\bin\AUTOTKIT.EXE" [2003-06-19 53248]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2003-08-15 139264]
"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-07-23 53248]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"LTMSG"="LTMSG.exe" - c:\windows\ltmsg.exe [2003-07-15 40960]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2003-04-03 50176]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
AutoTBar.exe [2003-6-18 53248]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
AutoTBar.exe [2003-6-18 53248]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-12-30 344064]
spamsubtract.lnk - c:\program files\interMute\SpamSubtract\SpamSub.exe [2003-10-14 557056]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 3746856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-30 57344]
Updates from HP.lnk - c:\program files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-10-11 16384]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

S2 mrtRate;mrtRate; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ALG
*NewlyCreated* - IPNAT
.
Contents of the 'Scheduled Tasks' folder

2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2009-10-05 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2003-08-16 05:37]

2009-10-06 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart\errorsmart .exe [2007-10-25 03:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://us10.hpwis.com/
uDefault_Search_URL = hxxp://srch-us10.hpwis.com/
mStart Page = hxxp://us10.hpwis.com/
mSearch Bar = hxxp://srch-us10.hpwis.com/
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: SpSubLSP.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-RecordNow! - (no file)
HKLM-Run-HPHUPD05 - c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HKLM-Run-VTTimer - VTTimer.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-06 18:33
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\System32\ODBC32.dll

- - - - - - - > 'lsass.exe'(784)
c:\windows\system32\SpSubLSP.dll
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(3300)
c:\windows\System32\msi.dll
c:\windows\System32\igfxpph.dll
c:\windows\System32\hccutils.DLL
c:\windows\System32\igfxres.dll
c:\windows\System32\igfxsrvc.dll
c:\windows\System32\igfxdev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\HPZipm12.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\HP\HP Software Update\HPWUCli.exe
.
**************************************************************************
.
Completion time: 2009-10-06 18:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-06 22:39
ComboFix2.txt 2008-01-01 01:24

Pre-Run: 94,273,662,976 bytes free
Post-Run: 99,744,182,272 bytes free

Attached Files
File Type: txt ComboFix.txt (24.3 KB, 3 views)

Last edited by amateur; 10-07-2009 at 05:20 AM. Reason: Combofix.txt pasted in
Old 10-07-2009, 05:29 AM   #4 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,483
OS: XP SP3


Re: Help: Malware/Virus Popups

Hi Rob,

The system was still infected. Also, some system files are either missing or failed the signature test. Do you have your XP installation CD, not the Recovery CD, if we need it? If you wish to reformat and reinstall, that's your choice; however, we can continue with the cleaning process.


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    wscntfy.exe
    qmgr.dll
    xmlprov.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

=======================

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    c:\windows\ServicePackFiles\i386\wscntfy.exe


  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • If the file has been analyzed before, click the Reanalyse file now button.
  • Wait until the file is analyzed.
  • Once scanned, copy and paste the results in your next reply.
  • Please repeat the process for the following files:

    • c:\windows\ServicePackFiles\i386\xmlprov.dll
    • c:\windows\system32\mspmsnsv.dll

__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
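The check the analyst is doing by hand in this thread (ComboFix's Sigcheck, SystemLook's filefind, then VirusTotal) is a hash comparison between each system32 copy of a file and its reference copy under ServicePackFiles\i386. The Python below is an added example, not code from this thread, SystemLook, ComboFix or VirusTotal: it parses SystemLook ':filefind' output in the format posted in the reply below and reports, per filename, which system32 copies match the reference, which differ, and which are missing. The wscntfy.exe and qmgr.dll lines are copied from the log posted in this thread; the "example.dll" and "missing.exe" lines are constructed to exercise the mismatch and missing cases.

```python
"""Cross-check SystemLook ':filefind' results against the ServicePackFiles copy.

Added example for this thread; not code from SystemLook, ComboFix or VirusTotal.
"""
import re
from collections import defaultdict

# One result line, as SystemLook prints it (paths in this log contain no spaces):
#   <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<ctime>[^\]]+)\]\s+\[(?P<mtime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)
HEADER_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')

REFERENCE_DIR = "\\servicepackfiles\\i386\\"   # known-good copy laid down by the service pack
SYSTEM_DIR = "\\system32\\"                    # the copies Windows actually loads

# Lines copied from the SystemLook log posted in this thread.
THREAD_LOG = r'''
Searching for "wscntfy.exe"
C:\WINDOWS\ServicePackFiles\i386\wscntfy.exe ------ 13824 bytes [22:12 07/11/2007] [00:12 14/04/2008] F92E1076C42FCD6DB3D72D8CFE9816D5
C:\WINDOWS\system32\wscntfy.exe ------ 13824 bytes [01:10 07/10/2009] [09:42 14/04/2008] F92E1076C42FCD6DB3D72D8CFE9816D5

Searching for "qmgr.dll"
C:\WINDOWS\$NtServicePackUninstall$\qmgr.dll -----c 221696 bytes [00:51 07/10/2009] [10:00 29/08/2002] 6A1CF14D0E7D0B2241F552223769C8A7
C:\WINDOWS\ServicePackFiles\i386\qmgr.dll ------ 409088 bytes [22:12 07/11/2007] [00:12 14/04/2008] 574738F61FCA2935F5265DC4E5691314
C:\WINDOWS\system32\bits\qmgr.dll ------ 409088 bytes [01:10 07/10/2009] [09:42 14/04/2008] 574738F61FCA2935F5265DC4E5691314
C:\WINDOWS\system32\qmgr.dll ------ 409088 bytes [16:28 07/11/2007] [09:42 14/04/2008] 574738F61FCA2935F5265DC4E5691314
'''

# Constructed lines (NOT from the thread) for the two cases worth flagging:
# a system32 copy whose hash differs from the reference, and a file with no system32 copy.
CONSTRUCTED_LOG = r'''
Searching for "example.dll"
C:\WINDOWS\ServicePackFiles\i386\example.dll ------ 4096 bytes [00:00 01/01/2009] [00:00 01/01/2009] 0123456789ABCDEF0123456789ABCDEF
C:\WINDOWS\system32\example.dll ------ 4096 bytes [00:00 01/01/2009] [00:00 01/01/2009] FEDCBA9876543210FEDCBA9876543210

Searching for "missing.exe"
C:\WINDOWS\ServicePackFiles\i386\missing.exe ------ 2048 bytes [00:00 01/01/2009] [00:00 01/01/2009] 00112233445566778899AABBCCDDEEFF
'''


def parse_filefind(text):
    """Return {filename: [{"path", "size", "md5"}, ...]} from a filefind log."""
    results = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name").lower()
            results.setdefault(current, [])   # keep the name even if no copy was found
            continue
        hit = LINE_RE.match(line)
        if hit and current is not None:
            results[current].append({
                "path": hit.group("path"),
                "size": int(hit.group("size")),
                # SystemLook prints MD5 in upper case, VirusTotal in lower case;
                # normalise so the two can be compared directly.
                "md5": hit.group("md5").upper(),
            })
    return dict(results)


def check_system32(results):
    """Per filename: verdict for every copy under system32 ('match', 'MISMATCH',
    'no-reference'), or a single (None, 'MISSING') entry when there is none."""
    report = {}
    for name, records in results.items():
        ref = next((r["md5"] for r in records if REFERENCE_DIR in r["path"].lower()), None)
        copies = []
        for r in records:
            if SYSTEM_DIR not in r["path"].lower():
                continue   # backups under erdnt, $NtServicePackUninstall$ etc. may legitimately differ
            if ref is None:
                verdict = "no-reference"
            elif r["md5"] == ref:
                verdict = "match"
            else:
                verdict = "MISMATCH"
            copies.append((r["path"], verdict))
        if not copies:
            copies.append((None, "MISSING"))
        report[name] = {"reference": ref, "system32": copies}
    return report


def suspicious(report):
    """Filenames whose system32 state needs a closer look (the ones to submit to VirusTotal)."""
    bad = ("MISMATCH", "MISSING", "no-reference")
    return sorted(n for n, v in report.items() if any(s in bad for _, s in v["system32"]))


if __name__ == "__main__":
    combined = check_system32(parse_filefind(THREAD_LOG + CONSTRUCTED_LOG))
    for name, entry in combined.items():
        print(name, "reference:", entry["reference"])
        for path, verdict in entry["system32"]:
            print("   ", verdict, path)
    print("needs a closer look:", suspicious(combined))
```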
Old 10-07-2009, 10:24 AM   #5 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 17
OS: Windows XP SP2


Re: Help: Malware/Virus Popups

Have done as asked. I have the entire 'Recovery' disk bundle that I burned when I originally purchased my HP. There are 8 DVDs in the bundle. Those are the only disks that I have for it as far as Operating Systems go. I do have the knowledge and ability to format the HD and start over. Have done it many times over the years on various computers and Operating Systems. Would like to not format if possible, but am willing if needed.

Here are the results for SystemLook:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 11:04 on 07/10/2009 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "wscntfy.exe"
C:\WINDOWS\ServicePackFiles\i386\wscntfy.exe ------ 13824 bytes [22:12 07/11/2007] [00:12 14/04/2008] F92E1076C42FCD6DB3D72D8CFE9816D5
C:\WINDOWS\system32\wscntfy.exe ------ 13824 bytes [01:10 07/10/2009] [09:42 14/04/2008] F92E1076C42FCD6DB3D72D8CFE9816D5

Searching for "qmgr.dll"
C:\WINDOWS\$NtServicePackUninstall$\qmgr.dll -----c 221696 bytes [00:51 07/10/2009] [10:00 29/08/2002] 6A1CF14D0E7D0B2241F552223769C8A7
C:\WINDOWS\erdnt\cache\qmgr.dll --a--- 221696 bytes [22:38 06/10/2009] [10:00 29/08/2002] 6A1CF14D0E7D0B2241F552223769C8A7
C:\WINDOWS\ServicePackFiles\i386\qmgr.dll ------ 409088 bytes [22:12 07/11/2007] [00:12 14/04/2008] 574738F61FCA2935F5265DC4E5691314
C:\WINDOWS\SoftwareDistribution\Download\e9b0377463edd4b6480f6148a1f88bac\sp1qfe\qmgr.dll --a--- 361984 bytes [22:06 07/11/2007] [22:08 01/07/2004] 696AC82FB290A03F205901442E0E9589
C:\WINDOWS\system32\bits\qmgr.dll ------ 409088 bytes [01:10 07/10/2009] [09:42 14/04/2008] 574738F61FCA2935F5265DC4E5691314
C:\WINDOWS\system32\qmgr.dll ------ 409088 bytes [16:28 07/11/2007] [09:42 14/04/2008] 574738F61FCA2935F5265DC4E5691314

Searching for "xmlprov.dll"
C:\WINDOWS\ServicePackFiles\i386\xmlprov.dll ------ 129024 bytes [22:12 07/11/2007] [00:12 14/04/2008] 295D21F14C335B53CB8154E5B1F892B9
C:\WINDOWS\system32\xmlprov.dll ------ 129024 bytes [01:10 07/10/2009] [09:42 14/04/2008] 295D21F14C335B53CB8154E5B1F892B9

-=End Of File=-

Here are the results from the VirusTotal Scan of wscntfy.exe:

a-squared 4.5.0.41 2009.10.07 -
AhnLab-V3 5.0.0.2 2009.10.06 -
AntiVir 7.9.1.33 2009.10.07 -
Antiy-AVL 2.0.3.7 2009.10.05 -
Authentium 5.1.2.4 2009.10.07 -
Avast 4.8.1351.0 2009.10.07 -
AVG 8.5.0.420 2009.10.04 -
BitDefender 7.2 2009.10.07 -
CAT-QuickHeal 10.00 2009.10.07 -
ClamAV 0.94.1 2009.10.07 -
Comodo 2527 2009.10.07 -
DrWeb 5.0.0.12182 2009.10.07 -
eSafe 7.0.17.0 2009.10.06 -
eTrust-Vet 35.1.7055 2009.10.07 -
F-Prot 4.5.1.85 2009.10.07 -
F-Secure 8.0.14470.0 2009.10.07 -
Fortinet 3.120.0.0 2009.10.07 -
GData 19 2009.10.07 -
Ikarus T3.1.1.72.0 2009.10.07 -
Jiangmin 11.0.800 2009.10.07 -
K7AntiVirus 7.10.864 2009.10.07 -
Kaspersky 7.0.0.125 2009.10.07 -
McAfee 5763 2009.10.06 -
McAfee+Artemis 5763 2009.10.06 -
McAfee-GW-Edition 6.8.5 2009.10.07 -
Microsoft 1.5101 2009.10.07 -
NOD32 4487 2009.10.07 -
Norman 6.01.09 2009.10.07 -
nProtect 2009.1.8.0 2009.10.07 -
Panda 10.0.2.2 2009.10.06 -
PCTools 4.4.2.0 2009.10.07 -
Prevx 3.0 2009.10.07 -
Rising 21.49.22.00 2009.09.30 -
Sophos 4.45.0 2009.10.07 -
Sunbelt 3.2.1858.2 2009.10.07 -
Symantec 1.4.4.12 2009.10.07 -
TheHacker 6.5.0.2.032 2009.10.06 -
TrendMicro 8.950.0.1094 2009.10.07 -
VBA32 3.12.10.11 2009.10.07 -
ViRobot 2009.10.7.1974 2009.10.07 -
VirusBuster 4.6.5.0 2009.10.07 -
Additional information
File size: 13824 bytes
MD5...: f92e1076c42fcd6db3d72d8cfe9816d5
SHA1..: 549f0a01848375d03159fc74171ed97790fa9650
SHA256: 94135acf2d9426bb78e4522429120b03d94b541422c277b9aca31410874a464c
ssdeep: 192:JmvFvF8NbUW94QtMXREaELt2y1PT6zu7R3bolyk+gahQQMnvLAIguynlmsWT1PWK:Wd8NQWzk5ELt7P/hkQqLde7WT1PWS
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x27f2
timedatestamp.....: 0x48025335 (Sun Apr 13 18:38:45 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x27e0 0x2800 6.16 6b938c455457f7d1b5c5a674b8ebf6f1
.data 0x4000 0x6c 0x200 0.62 a46ea3afddd245a4720f45eb859ddfbf
.rsrc 0x5000 0x6e0 0x800 3.99 98ba1bbfda46d37793d588959529ce08

( 5 imports )
> msvcrt.dll: __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, _adjust_fdiv, __setusermatherr, _initterm, __wgetmainargs, _wcmdln, exit, _cexit, _XcptFilter, _exit, _c_exit
> KERNEL32.dll: GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, GetUserDefaultUILanguage, GetLocaleInfoW, CreateProcessW, GetProcessHeap, HeapFree, HeapAlloc, LoadLibraryExW, GetStartupInfoW, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetLastError, CreateMutexW, CloseHandle, FormatMessageW, CreateEventW, GetCurrentProcessId
> USER32.dll: PeekMessageW, DispatchMessageW, MsgWaitForMultipleObjects, RegisterWindowMessageW, LoadStringW, LoadImageW, PostQuitMessage, PostMessageW, DestroyMenu, TrackPopupMenu, SetMenuDefaultItem, SetMenuItemInfoW, AppendMenuW, CreatePopupMenu, SetForegroundWindow, GetCursorPos, DefWindowProcW, CreateWindowExW, LoadCursorW, LoadIconW, ShowWindow, RegisterClassExW
> SHELL32.dll: SHGetFolderPathW, ShellExecuteW, Shell_NotifyIconW
> RPCRT4.dll: RpcBindingFromStringBindingW, RpcStringBindingComposeW, RpcBindingFree, RpcSsDestroyClientContext, NdrClientCall2, RpcStringFreeW

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=f92e1076c42fcd6db3d72d8cfe9816d5
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows Security Center Notification App
original name: wscntfy.exe
internal name: wscntfy.exe
file version.: 5.1.2600.5512 (xpsp.080413-2108)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Here are the results from the VirusTotal Scan of xmlprov.dll:

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.07 -
AhnLab-V3 5.0.0.2 2009.10.06 -
AntiVir 7.9.1.33 2009.10.07 -
Antiy-AVL 2.0.3.7 2009.10.05 -
Authentium 5.1.2.4 2009.10.07 -
Avast 4.8.1351.0 2009.10.07 -
AVG 8.5.0.420 2009.10.04 -
BitDefender 7.2 2009.10.07 -
CAT-QuickHeal 10.00 2009.10.07 -
ClamAV 0.94.1 2009.10.07 -
Comodo 2527 2009.10.07 -
DrWeb 5.0.0.12182 2009.10.07 -
eSafe 7.0.17.0 2009.10.06 -
eTrust-Vet 35.1.7055 2009.10.07 -
F-Prot 4.5.1.85 2009.10.07 -
F-Secure 8.0.14470.0 2009.10.07 -
Fortinet 3.120.0.0 2009.10.07 -
GData 19 2009.10.07 -
Ikarus T3.1.1.72.0 2009.10.07 -
Jiangmin 11.0.800 2009.10.07 -
K7AntiVirus 7.10.864 2009.10.07 -
Kaspersky 7.0.0.125 2009.10.07 -
McAfee 5763 2009.10.06 -
McAfee+Artemis 5763 2009.10.06 -
McAfee-GW-Edition 6.8.5 2009.10.07 -
Microsoft 1.5101 2009.10.07 -
NOD32 4487 2009.10.07 -
Norman 6.01.09 2009.10.07 -
nProtect 2009.1.8.0 2009.10.07 -
Panda 10.0.2.2 2009.10.06 -
PCTools 4.4.2.0 2009.10.07 -
Prevx 3.0 2009.10.07 -
Rising 21.49.22.00 2009.09.30 -
Sophos 4.45.0 2009.10.07 -
Sunbelt 3.2.1858.2 2009.10.07 -
Symantec 1.4.4.12 2009.10.07 -
TheHacker 6.5.0.2.032 2009.10.06 -
TrendMicro 8.950.0.1094 2009.10.07 -
VBA32 3.12.10.11 2009.10.07 -
ViRobot 2009.10.7.1974 2009.10.07 -
VirusBuster 4.6.5.0 2009.10.07 -
Additional information
File size: 129024 bytes
MD5...: 295d21f14c335b53cb8154e5b1f892b9
SHA1..: 090e95953f71d654ea885af74d491ad1e6a0f8c7
SHA256: 9418477c2e3ea93e93d931a4edd4500da568fad6040204b5201d1080203b0bbc
ssdeep: 3072:K/IvBpoLMlwcXZznLt02SJW3gADcCAJud:t7oLM2mMlCd
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x16275
timedatestamp.....: 0x4802a12c (Mon Apr 14 00:11:24 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1c9e4 0x1ca00 6.47 747443081460292df346889068115d90
.data 0x1e000 0x1c8 0x200 1.80 b62cd350158fbbe46e93f101d823e152
.rsrc 0x1f000 0x718 0x800 3.95 c12db74733218834ea913973eeef7c1d
.reloc 0x20000 0x1e46 0x2000 5.66 721c28ab2d9a2d9c714d8a294ac146c0

( 13 imports )
> msvcrt.dll: memmove, _wtoi, _vsnwprintf, __0exception@@QAE@ABV0@@Z, _CxxThrowException, wcsrchr, _wfullpath, wcstoul, _wcsdup, wcslen, free, realloc, __CxxFrameHandler, _purecall, _vsnprintf, __2@YAPAXI@Z, malloc, _initterm, _adjust_fdiv, _terminate@@YAXXZ, _except_handler3, __1type_info@@UAE@XZ, __3@YAXPAX@Z
> MSVCP60.dll: __0bad_alloc@std@@QAE@PBD@Z, __1bad_alloc@std@@UAE@XZ, __0bad_alloc@std@@QAE@ABV01@@Z
> ATL.DLL: -, -, -, -, -, -, -, -, -
> ADVAPI32.dll: UnlockServiceDatabase, RegisterServiceCtrlHandlerExW, SetServiceStatus, OpenSCManagerW, OpenServiceW, CloseServiceHandle, LockServiceDatabase, ChangeServiceConfigW, QueryServiceConfigW, RegEnumKeyExW, RegisterEventSourceW, ReportEventW, DeregisterEventSource, RegSetValueExW, RegQueryValueExW, RegOpenKeyExW, RegCreateKeyExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW
> KERNEL32.dll: GetDiskFreeSpaceExW, LocalFree, LocalAlloc, GetFileAttributesExW, HeapFree, GetProcessHeap, CreateTimerQueueTimer, RemoveDirectoryW, FileTimeToSystemTime, EnumUILanguagesW, InitializeCriticalSection, GetCurrentThreadId, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, DeleteFileW, FormatMessageW, DeleteTimerQueueTimer, InterlockedExchange, CopyFileW, Sleep, WaitForSingleObject, QueueUserWorkItem, WideCharToMultiByte, HeapAlloc, DisableThreadLibraryCalls, MultiByteToWideChar, lstrlenW, GetStringTypeExW, GetThreadLocale, lstrcmpW, InterlockedDecrement, InterlockedIncrement, EnterCriticalSection, LeaveCriticalSection, lstrlenA, GetLastError, CreateEventW, CloseHandle, SetEvent, InterlockedCompareExchange, DeleteCriticalSection, GetSystemTimeAsFileTime, lstrcmpiW, DebugBreak, OutputDebugStringW, FindNextFileW, FindClose, SetFileAttributesW, CreateDirectoryW, lstrcpyW, InitializeCriticalSectionAndSpinCount, SetLastError, FindFirstFileW, MoveFileExW
> ole32.dll: CoTaskMemFree, CLSIDFromString, CoTaskMemAlloc, CoCreateInstance, CoInitializeEx, StringFromCLSID, IIDFromString, CoUninitialize, CoSwitchCallContext
> OLEAUT32.dll: -, -, -, -, -, -, -
> rtutils.dll: TraceRegisterExW, TracePrintfA, TraceDeregisterW
> SHELL32.dll: SHGetFolderPathW
> SHLWAPI.dll: PathCanonicalizeW, PathIsRelativeW, PathRemoveExtensionW, PathFileExistsW, PathStripPathW, PathCreateFromUrlW, UrlIsW
> USER32.dll: LoadStringW, CharNextW, CharUpperW, CharLowerW, wvsprintfW
> WINHTTP.dll: WinHttpCrackUrl
> ntdll.dll: RtlReleaseResource, RtlAcquireResourceExclusive, RtlAcquireResourceShared, RtlDeleteResource, RtlInitializeResource

( 3 exports )
DllRegisterServer, DllUnregisterServer, ServiceMain
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Network Provisioning Service
original name: xmlprov.dll
internal name: xmlprov.dll
file version.: 5.1.2600.5512 (xpsp.080413-0852)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Here are the results from the VirusTotal Scan of mspmsnsv.dll :

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.07 -
AhnLab-V3 5.0.0.2 2009.10.06 -
AntiVir 7.9.1.33 2009.10.07 -
Antiy-AVL 2.0.3.7 2009.10.05 -
Authentium 5.1.2.4 2009.10.07 -
Avast 4.8.1351.0 2009.10.07 -
AVG 8.5.0.420 2009.10.04 -
BitDefender 7.2 2009.10.07 -
CAT-QuickHeal 10.00 2009.10.07 -
ClamAV 0.94.1 2009.10.07 -
Comodo 2527 2009.10.07 -
DrWeb 5.0.0.12182 2009.10.07 -
eSafe 7.0.17.0 2009.10.06 -
eTrust-Vet 35.1.7055 2009.10.07 -
F-Prot 4.5.1.85 2009.10.07 -
F-Secure 8.0.14470.0 2009.10.07 -
Fortinet 3.120.0.0 2009.10.07 -
GData 19 2009.10.07 -
Ikarus T3.1.1.72.0 2009.10.07 -
Jiangmin 11.0.800 2009.10.07 -
K7AntiVirus 7.10.864 2009.10.07 -
Kaspersky 7.0.0.125 2009.10.07 -
McAfee 5763 2009.10.06 -
McAfee+Artemis 5763 2009.10.06 -
McAfee-GW-Edition 6.8.5 2009.10.07 -
Microsoft 1.5101 2009.10.07 -
NOD32 4487 2009.10.07 -
Norman 6.01.09 2009.10.07 -
nProtect 2009.1.8.0 2009.10.07 -
Panda 10.0.2.2 2009.10.06 -
PCTools 4.4.2.0 2009.10.07 -
Prevx 3.0 2009.10.07 -
Rising 21.49.22.00 2009.09.30 -
Sophos 4.45.0 2009.10.07 -
Sunbelt 3.2.1858.2 2009.10.07 -
Symantec 1.4.4.12 2009.10.07 -
TheHacker 6.5.0.2.032 2009.10.06 -
TrendMicro 8.950.0.1094 2009.10.07 -
VBA32 3.12.10.11 2009.10.07 -
ViRobot 2009.10.7.1974 2009.10.07 -
VirusBuster 4.6.5.0 2009.10.07 -
Additional information
File size: 52224 bytes
MD5...: c7e39ea41233e9f5b86c8da3a9f1e4a8
SHA1..: 2eab0670664148c4acad10826579105f8001623c
SHA256: 98c21deeb7124426d749facdad06ebd7f500ae5c465a98d558919c2a51c08554
ssdeep: 1536:YIQrdsm86GEZrQsChFDVfWEVo1WT2hQgMLqB2k06iL:xeZrQHf3sQgMuB2k06i
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3f57
timedatestamp.....: 0x4802a175 (Mon Apr 14 00:12:37 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xa5b7 0xa600 6.62 416269d36f886274c1ca653d9ce08206
.data 0xc000 0x6b8 0x600 4.51 6a7427292341dee0a8e89dab1ac3db60
.rsrc 0xd000 0x7b8 0x800 3.25 a733601634e8c3288964a4fc6c66eb5c
.reloc 0xe000 0x12e0 0x1400 4.92 94d2e71202ad9efc050244b7ef326e4d

( 4 imports )
> KERNEL32.dll: QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, FlushFileBuffers, GetFileAttributesA, SetFileAttributesA, GetVolumeInformationA, SetErrorMode, GetCurrentDirectoryA, GetModuleHandleA, QueryDosDeviceA, GetSystemDirectoryA, LoadLibraryA, WideCharToMultiByte, WaitNamedPipeW, CreateFileA, CreateFileW, DeviceIoControl, CompareStringA, GetDriveTypeA, GetCurrentProcess, TerminateProcess, GetModuleFileNameA, FormatMessageA, LoadLibraryExA, GetProcAddress, FormatMessageW, FreeLibrary, GetTickCount, Sleep, SetLastError, InitializeCriticalSection, DisableThreadLibraryCalls, LeaveCriticalSection, DeleteCriticalSection, LocalAlloc, CreateNamedPipeA, LocalFree, ResetEvent, GetOverlappedResult, WaitForMultipleObjects, WriteFile, ReadFile, ConnectNamedPipe, SetEvent, CloseHandle, CancelIo, WaitForSingleObject, DisconnectNamedPipe, CreateEventA, GetLastError, GetDriveTypeW, EnterCriticalSection, SetCurrentDirectoryA, GetVersionExA
> msvcrt.dll: malloc, _onexit, __dllonexit, _adjust_fdiv, _initterm, free, wcslen, wcscmp, wcscpy, __2@YAPAXI@Z, memmove, __3@YAXPAX@Z, _except_handler3, _purecall, __CxxFrameHandler, _CxxThrowException, strstr, strcpy, strncpy, memset, atoi, memcpy, isdigit, strcmp, strncmp, strlen, strcat, time, _memccpy, sscanf, sprintf, _strupr, _stricmp, _strnicmp, _ultoa, __1type_info@@UAE@XZ, _terminate@@YAXXZ
> ADVAPI32.dll: AllocateAndInitializeSid, RegOpenKeyA, RegEnumKeyA, RegOpenKeyExA, RegEnumKeyExA, RegQueryValueExA, StartServiceA, CreateServiceA, RegSetValueExA, QueryServiceStatus, ControlService, DeleteService, RegDeleteKeyA, RegCreateKeyA, RegQueryValueExW, RegSetValueExW, RegCloseKey, GetSecurityInfo, SetSecurityInfo, RegisterServiceCtrlHandlerA, SetEntriesInAclA, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, FreeSid, ImpersonateNamedPipeClient, RevertToSelf, SetServiceStatus, RegisterEventSourceA, ReportEventA, DeregisterEventSource, OpenSCManagerA, OpenServiceA, CloseServiceHandle
> USER32.dll: LoadImageA, LoadIconA, CharLowerA, CharUpperA, wsprintfA

( 4 exports )
DllMain, DllRegisterServer, DllUnregisterServer, ServiceMain
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: Copyright (C) Microsoft Corp.
product......: Windows Media Device Manager
description..: Microsoft Media Device Service Provider
original name: MsPMSNSv.dll
internal name: MsPMSNSv.dll
file version.: 9.0.1.56
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Patiently awaiting another assignment!

Rob
(bigorangerob)
Old 10-07-2009, 12:06 PM   #6 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,483
OS: XP SP3


Re: Help: Malware/Virus Popups

Hi Rob,

Quote:
I ended up having to run a 'recovery' on Windows XP using my HP Recovering Disks.
That has set your Operating System back to SP1, as seen on your Combofix log, and I suspect that's why we see some file discrepancies. Have you updated Windows since you ran Combofix? Looks like you did.

You have some old versions of Java. Uninstall the following via the Add/Remove Panel (Start->Control Panel->Add or Remove Programs):

Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7


These are outdated and are security risks while they remain installed. Unfortunately, Java does not uninstall these older versions when you update, nor tell you that you should. Java(TM) 6 Update 15 can be updated from the Java control panel: Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

====================================

I see some references to uTorrent, which is a p2p file sharing program. This practice can make you vulnerable to data and identity theft. Please read this sticky:

Perils of P2P File Sharing

I would strongly urge you to remove it, if you still have it installed, via Add or Remove Programs in Control Panel as suggested in our
NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help page.

Quote:
  • p2p programs like uTorrent, Bittorrent, LimeWire, Morpheus, etc., as they are a major conduit for malware and a likely source of your current issues. See this link
===================================

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
===================================

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Note for Internet Explorer 8 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

=============================

Please reply back with the MBAM and Kaspersky reports. Also, please post a fresh DDS.txt.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
Old 10-08-2009, 11:17 AM   #7 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 17
OS: Windows XP SP2


Re: Help: Malware/Virus Popups

OK, I dropped back and punted (Formatted HD and reinstalled system). Can you help me determine if there are any resident buggers on my system that were in the boot log or other parts of the HD that didn't get eliminated by the format and reinstall?

In the meantime, I have reinstalled SP3 for XP, my printer driver, and AVG's Free virus scan.

Thanks

Rob
(bigorange)
Old 10-08-2009, 12:41 PM   #8 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,483
OS: XP SP3


Re: Help: Malware/Virus Popups

Ok, I can check the logs if you provide a set of fresh logs.

DDS:
====

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.


=====
GMER:
=====

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO, then use the following settings for a more complete scan.





  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Old 10-09-2009, 05:43 AM   #9 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 17
OS: Windows XP SP2


Re: Help: Malware/Virus Popups

Here are the Logs and attachments you requested.

DDS.txt:

DDS (Ver_09-09-29.01) - NTFSx86
Run by Owner at 6:18:10.92 on Fri 10/09/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1527.927 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://us10.hpwis.com/
uSearch Page = hxxp://srch-us10.hpwis.com/
uDefault_Page_URL = hxxp://us10.hpwis.com/
uDefault_Search_URL = hxxp://srch-us10.hpwis.com/
uSearch Bar = hxxp://srch-us10.hpwis.com/
mDefault_Page_URL = hxxp://us10.hpwis.com/
mDefault_Search_URL = hxxp://srch-us10.hpwis.com/
mSearch Page = hxxp://srch-us10.hpwis.com/
mStart Page = hxxp://us10.hpwis.com/
mSearch Bar = hxxp://srch-us10.hpwis.com/
uInternet Settings,ProxyOverride = localhost
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RecordNow!]
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [CamMonitor] c:\program files\hp\digital imaging\unload\hpqcmon.exe
mRun: [HPHUPD05] c:\program files\hp\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AutoTKit] c:\hp\bin\AUTOTKIT.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [LTMSG] LTMSG.exe 7
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [DPAgnt] c:\program files\digitalpersona\bin\DPAgnt.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
LSP: SpSubLSP.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: DPWLN - c:\windows\system32\DPWLEvHd.dll
Notify: igfxcui - igfxsrvc.dll
LSA: Notification Packages = scecli DPPWDFLT

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8086uabs.default\
FF - prefs.js: browser.startup.homepage - www.iwon.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-8 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-10-8 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-8 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-10-8 297752]
R3 dpK0Bx01;Fingerprint Reader Filter Driver;c:\windows\system32\drivers\dpK0Bx01.sys [2006-9-16 35584]
R3 usbdpfp;Fingerprint Reader Class Driver;c:\windows\system32\drivers\usbdpfp.sys [2006-9-16 47360]

=============== Created Last 30 ================

2009-10-09 05:30 159,744 a------- c:\windows\system32\igfxres.dll
2009-10-09 05:25 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-10-09 05:25 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-10-09 05:24 21,504 a------- c:\windows\system32\drivers\hidserv.dll
2009-10-08 13:25 <DIR> --d----- c:\windows\system32\PreInstall
2009-10-08 13:25 <DIR> --d-h--- c:\windows\$hf_mig$
2009-10-08 13:21 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-10-08 13:21 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-08 13:21 411,368 a------- c:\windows\system32\deploytk.dll
2009-10-08 13:21 73,728 a------- c:\windows\system32\javacpl.cpl
2009-10-08 13:21 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-08 13:21 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-08 13:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-08 13:09 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-10-08 13:09 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-10-08 13:09 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-10-08 13:09 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-10-08 13:09 <DIR> --d----- c:\program files\AVG
2009-10-08 13:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-10-08 13:05 179 a------- c:\windows\system\hpsysdrv.DAT
2009-10-08 13:04 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-10-08 13:04 21,504 a------- c:\windows\system32\hidserv.dll
2009-10-08 13:04 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-10-08 13:04 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-10-08 13:04 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-10-08 13:00 <DIR> --d----- c:\windows\system32\wbem\AutoRecover
2009-10-08 12:51 79,872 -c------ c:\windows\system32\dllcache\msxml6r.dll
2009-10-08 12:51 1,306,624 -c------ c:\windows\system32\dllcache\msxml6.dll
2009-10-08 12:51 1,306,624 -------- c:\windows\system32\msxml6.dll
2009-10-08 12:51 79,872 -------- c:\windows\system32\msxml6r.dll
2009-10-08 12:49 377,984 -------- c:\windows\system32\ati2dvaa.dll
2009-10-08 12:48 <DIR> --d----- c:\windows\provisioning
2009-10-08 12:48 <DIR> --d----- c:\windows\system32\scripting
2009-10-08 12:48 <DIR> --d----- c:\windows\l2schemas
2009-10-08 12:48 <DIR> --d----- c:\windows\system32\en
2009-10-08 12:48 <DIR> --d----- c:\windows\system32\bits
2009-10-08 12:48 <DIR> --d----- c:\windows\peernet
2009-10-08 12:40 <DIR> --d----- c:\windows\ServicePackFiles
2009-10-08 12:30 19,569 a------- c:\windows\002680_.tmp
2009-10-08 12:30 26,488 a------- c:\windows\system32\spupdsvc.exe
2009-10-08 12:09 <DIR> --d----- c:\windows\EHome
2009-10-08 12:09 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-10-08 12:07 34,328 ac------ c:\windows\system32\dllcache\wups.dll
2009-10-08 12:07 183,296 a------- c:\windows\system32\wuaueng1.dll
2009-10-08 12:07 165,888 a------- c:\windows\system32\wuauclt1.exe
2009-10-08 12:07 162,304 a------- c:\windows\system32\wuaucpl.cpl
2009-10-08 11:50 <DIR> --d----- c:\docume~1\owner\applic~1\DigitalPersona
2009-10-08 11:40 <DIR> --ds---- c:\documents and settings\owner\UserData
2009-10-08 11:37 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-10-08 11:34 <DIR> --d----- c:\windows\system32\NtmsData
2009-10-08 11:32 68,978 a------- c:\windows\hpoins05.dat
2009-10-08 11:32 19,696 -------- c:\windows\hpomdl05.dat
2009-10-08 11:32 51,120 a------- c:\windows\system32\drivers\HPZid412.sys
2009-10-08 11:32 21,744 a------- c:\windows\system32\drivers\HPZius12.sys
2009-10-08 11:32 16,496 a------- c:\windows\system32\drivers\HPZipr12.sys
2009-10-08 11:30 581,632 a------- c:\windows\system32\hpotscl.dll
2009-10-08 11:30 278,528 a------- c:\windows\system32\hpgwiamd.dll
2009-10-08 11:30 274,432 a------- c:\windows\system32\HPZc3212.dll
2009-10-08 11:30 229,376 a------- c:\windows\system32\hpovst08.dll
2009-10-08 11:30 393,216 a------- c:\windows\system32\hpzcon12.dll
2009-10-08 11:30 196,608 a------- c:\windows\system32\hpzcoi12.dll
2009-10-08 11:30 139,345 a------- c:\windows\system32\hpzlnt12.dll
2009-10-08 11:28 <DIR> --d----- c:\windows\DPDrv
2009-10-08 11:28 <DIR> --d----- c:\program files\DigitalPersona
2009-10-08 11:28 <DIR> --d----- c:\temp\HP_WebRelease
2009-10-08 11:28 <DIR> --d----- C:\temp
2009-10-08 11:27 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-10-08 11:19 <DIR> --dshr-- C:\cmdcons
2009-10-08 11:19 <DIR> --d----- c:\windows\setup.pss
2009-10-08 11:19 <DIR> --d----- c:\windows\setupupd
2009-10-08 11:14 <DIR> --d----- C:\WUTemp
2009-10-08 11:14 191,488 a------- c:\windows\system32\iuengine.dll
2009-10-08 11:14 4,530 a--shr-- c:\windows\system32\drivers\HP_DT160A-ABA A465C_YW_Pavi_QMXK406_E41NAheBLU4_4_I P4SD-LA _SASUSTeK Computer INC._VRev 1.xx_B3.19_T031212_WXH1_L409_M1528_J164_7Intel_8Pentium 4_93_1104C8023_N10EC8139_P_Z11C1044C_K_A808624D5_U808624D2_G80862572_O_DIN-KCH-.MRK
2009-10-08 11:11 33,792 a------- c:\windows\system32\msgsvc.dll
2009-10-08 11:09 <DIR> --d----- c:\program files\Multimedia Card Reader
2009-10-08 11:09 <DIR> --d----- c:\windows\Downloaded Installations
2009-10-08 11:08 74,240 a------- c:\windows\system32\usbui.dll
2009-10-08 11:08 20,608 a------- c:\windows\system32\drivers\usbuhci.sys
2009-10-08 11:08 143,872 a------- c:\windows\system32\drivers\usbport.sys
2009-10-08 11:08 59,520 a------- c:\windows\system32\drivers\usbhub.sys
2009-10-08 11:07 96,512 a------- c:\windows\system32\drivers\atapi.sys
2009-10-08 11:07 24,960 a------- c:\windows\system32\drivers\pciidex.sys
2009-10-08 11:07 3,328 a------- c:\windows\system32\drivers\pciide.sys
2009-10-08 11:07 68,224 a------- c:\windows\system32\drivers\pci.sys
2009-10-08 11:06 37,248 a------- c:\windows\system32\drivers\isapnp.sys
2009-10-08 11:06 52,480 a------- c:\windows\system32\drivers\i8042prt.sys
2009-10-08 11:06 24,576 a------- c:\windows\system32\drivers\kbdclass.sys
2009-10-08 09:33 <DIR> --d--r-- C:\Program Files
2009-10-08 09:33 <DIR> --d--r-- c:\documents and settings\all users\Documents
2009-10-08 09:32 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-10-08 09:31 <DIR> -cdshr-- c:\windows\system32\dllcache
2009-10-08 09:02 59,904 ac------ c:\windows\system32\dllcache\trnsprov.dll
2009-10-08 09:01 146,432 ac------ c:\windows\system32\dllcache\msls31.dll
2009-10-08 09:00 113,222 ac------ c:\windows\system32\dllcache\zoneclim.dll
2009-10-08 08:59 42,809 ac------ c:\windows\system32\dllcache\key01.sys
2009-10-08 08:58 118,784 ac------ c:\windows\system32\dllcache\dmdskres.dll

==================== Find3M ====================

2009-10-08 12:53 74,999 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-10-08 12:53 36,864 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\pavilion\xphnabp4en\plugin\bin\jsharpde\gnu.dll
2009-10-08 12:53 45,056 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\pavilion\xphnabp4en\plugin\bin\jsharpde\util.dll
2009-10-08 12:53 3,072 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\pavilion\xphnabp4en\plugin\bin\jsharpde\pchealthde.exe
2009-10-08 12:53 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\pavilion\xphnabp4en\plugin\bin\jsharpde\pchapi.dll
2009-10-08 12:53 98,304 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\pavilion\xphnabp4en\plugin\bin\PluginCtrl.dll
2009-10-08 12:53 114,688 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\pavilion\xphnabp4en\plugin\bin\jsharpde\ZipLib.dll
2009-10-08 12:53 77,824 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\pavilion\xphnabp4en\plugin\bin\WinVerifyTrust.dll
2004-06-01 20:49 0 a--sh--- c:\windows\sminst\HPCD.SYS

============= FINISH: 6:18:35.07 ===============

Thanks for all your help!

Rob
(bigorange)
Attached Files
File Type: zip Attach.zip (2.9 KB, 1 views)
Old 10-09-2009, 06:44 AM   #10 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,483
OS: XP SP3


Re: Help: Malware/Virus Popups

Hi,

The logs are clean.

Your Adobe Reader needs to be updated. Uninstall the older version and download the latest, which is Adobe® Reader® 9.1.

Quote:
mRun: [AlcxMonitor] ALCXMNTR.EXE
belongs to Realtek AC97 Audio - Event Monitor.

Quote:
"Slyware" file used to surreptitiously monitor one's actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers.
Don't delete the file as it would affect your sound, but it doesn't need to run at startup. You can run the following fix to disable it from startup.

Open notepad. It must be notepad, not wordpad.
Copy and paste the text inside the code box below into notepad, including the blank line at the end. Make sure that wordwrap is turned off in notepad - click the format menu and uncheck wordwrap.
Choose file save as and set file type to all files.
Type fixreg.reg in the file name and save it to your desktop. It should look like this:

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Close notepad. Make sure that all windows are closed.

Find the fixreg.reg file on your desktop.
Double click it.
It will then ask if you want the file merged to your registry.
Answer yes.

Reboot your computer.

=============================

Run an online scan to make sure nothing is hiding around.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Note for Internet Explorer 8 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

===========================

Let me know how all that went and post the results from Kaspersky please.
Old 10-15-2009, 11:44 PM   #11 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,483
OS: XP SP3


Re: Help: Malware/Virus Popups

Since this issue appears resolved, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

http://www.techsupportforum.com/secu...oval-help.html

Surf Safely, and Think Prevention!
 


Copyright 2001 - 2009, Tech Support Forum