Tech Support Forum banner
Status
Not open for further replies.

virus taken over explorer, plz help!!

2K views 23 replies 2 participants last post by  Aaflac 
#1 ·
i have a virus that keeps coming back and back. i am using mcafee virus scan and it keeps detecting and deleteing the same files over and over again. the names of the virus are: bitd9.tmp, edi.exe, ac8zt2.dat. the virus scan as i have said deletes these and they keep coming back every couple of minutes. also, even as i am typing this, the web page keeps wanting to change to something that coming up internet explorer cannot open this page. i am also getting boxes pop up that tell me that my computer is at risk and i need to download a program to get rid of the virus. this also opens a tab in the right bottom that flashes. this is really messed up and i hope someone can help me. i will also include the scan i did using your program.

Logfile of HijackThis v1.99.1
Scan saved at 3:17:00 PM, on 05/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\SCOTTS~1\LOCALS~1\Temp\Rar$EX00.781\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSVPS System - {CFF8726A-9262-441C-8163-C6371E9EDE47} - C:\WINDOWS\advrepnok.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: The sdrmod - {16A0662E-AC21-4AD9-89E8-7495AC5ACE93} - C:\WINDOWS\sdrmod.dll (file missing)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: bindmod - {9B15C141-53AC-48B4-8FC4-6AEE6F861285} - C:\WINDOWS\bindmod.dll
O21 - SSODL: hupsrv - {9AEEE108-915C-467E-879E-046FB658C08D} - C:\WINDOWS\hupsrv.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

hope this is enough info to help.
 
See less See more
#2 ·
Apologies for the delay in responding.

The workload on this forum is intense, and sometimes it is not possible to respond to every inquiry.


Please download SmitfraudFix
Extract the files to the Desktop

Boot to Safe Mode as follows:
  • Restart the computer
  • Before the Windows appears, tap F8
  • The Windows XP Advanced Options menu appears
  • Select the option for Safe Mode using the arrow keys.
Open SmitfraudFix
  • Double-click smitfraudfix.cmd
  • Select Option 2 - Clean by typing 2 and press Enter (Deletes infected files)
  • You are prompted: Do you want to clean the registry? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool also checks if a relevant file, wininet.dll, is infected.
You may be prompted to replace the infected file (if found).
Replace infected file? Answer Y (yes) and hit Enter to restore a clean file.

~~~~
Restart the computer to complete the removal process.

~~~~
Now, download ComboFix
Save it to the Desktop

Double-click combofix.exe to run the program
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to stall.)

When finished, a log, ComboFix.txt, is produced.

~~~~
Run HijackThis once again to obtain a new log.

~~~~
Please post the SmitFraudFix report located at C:\rapport.txt , the ComboFix.txt, and a new HijackThis log in your reply.
 
#5 ·
here is a copy of the scan of combofix:

ComboFix 07-11-08.3 - scott sr 2007-11-10 23:01:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.366 [GMT -5:00]
Running from: D:\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\scott sr\Favorites\Error Cleaner.url
C:\Documents and Settings\scott sr\Favorites\Privacy Protector.url
C:\Documents and Settings\scott sr\Favorites\Spyware&Malware Protection.url
C:\Program Files\VideoAccessCodec
C:\WINDOWS\dat.txt
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\search_res.txt

.
((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.

2007-11-10 23:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-10 19:22 <DIR> d-------- C:\Program Files\PartyGaming.Net
2007-11-10 16:38 <DIR> d-------- C:\Program Files\PokerStars
2007-11-05 23:07 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-11-05 22:49 <DIR> d-------- C:\Documents and Settings\scott sr\Application Data\AVG7
2007-11-05 22:48 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-05 22:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-05 22:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-26 09:42 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-26 09:42 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-10-23 17:09 <DIR> d-------- C:\movies
2007-10-23 17:05 <DIR> d-------- C:\Program Files\DVD Shrink
2007-10-23 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-10-16 21:44 <DIR> d-------- C:\Program Files\Microsoft Works
2007-10-16 21:41 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-10-16 21:36 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-10-16 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-16 21:34 <DIR> dr-h----- C:\MSOCache
2007-10-12 10:18 <DIR> d-------- C:\Program Files\WinZip Self-Extractor
2007-10-12 10:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZipSE
2007-10-11 11:27 96,832 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-10 05:50 --------- d-----w C:\Program Files\LogMeIn
2007-11-01 22:06 --------- d-----w C:\Program Files\IncrediMail
2007-10-08 17:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-08 17:31 --------- d-----w C:\Program Files\Electronic Arts
2007-10-08 17:30 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-08 17:21 --------- d-----w C:\Program Files\EA SPORTS
2007-10-08 00:20 --------- d-----w C:\Program Files\Java
2007-09-29 10:46 47,376 ----a-w C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-09-29 08:21 9,854,976 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-09-29 08:07 356,352 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-09-29 08:06 268,800 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-09-29 08:06 2,456,064 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-09-29 07:58 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-09-29 07:58 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-09-29 07:58 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-09-29 07:58 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-09-29 07:57 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-09-29 07:56 483,328 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-09-29 07:55 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-09-29 07:49 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-09-29 07:47 3,130,720 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-09-29 07:47 172,032 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-09-29 07:36 1,593,600 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-09-29 07:23 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-09-29 07:22 376,832 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-09-29 07:20 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-09-29 07:19 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-09-29 07:14 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-09-20 05:02 --------- d-----w C:\Program Files\DivX
2007-09-20 00:23 --------- d-----w C:\Program Files\Common Files\Java
2007-09-19 23:00 --------- d-----w C:\Documents and Settings\scott sr\Application Data\Leadertech
2007-09-19 15:33 --------- d-----w C:\Documents and Settings\scott sr\Application Data\ACD Systems
2007-09-19 15:29 9,856 ----a-w C:\WINDOWS\system32\drivers\pfc.sys
2007-09-19 15:29 --------- d-----w C:\Program Files\Common Files\ACD Systems
2007-09-19 15:29 --------- d-----w C:\Program Files\ACD Systems
2007-09-19 15:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2007-09-19 15:23 --------- d-----w C:\Program Files\Optio E10 Digital Camera
2007-09-19 14:21 --------- d-----w C:\Documents and Settings\scott sr\Application Data\DivX
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-17 18:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-17 18:22 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-14 11:46 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-11 23:14 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 00:26 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-08-21 00:26 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-08-15 22:33 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-08-15 22:33 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-08-15 22:33 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-08-15 22:33 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-08-15 22:33 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-08-15 22:33 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-08-15 22:33 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-08-15 22:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-08-15 22:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-08-15 22:31 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-08-15 22:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-08-15 22:30 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{16A0662E-AC21-4AD9-89E8-7495AC5ACE93}"= C:\WINDOWS\sdrmod.dll [ ]

[HKEY_CLASSES_ROOT\CLSID\{16A0662E-AC21-4AD9-89E8-7495AC5ACE93}]
[HKEY_CLASSES_ROOT\sdrmod.ToolBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{861A084D-C8F1-47F8-90F1-6494C0645FF2}]
[HKEY_CLASSES_ROOT\sdrmod.ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 07:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 12:39]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-09 20:43]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-05 22:47]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 07:00]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-05-25 14:22 63040 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
C:\Program Files\IncrediMail\bin\IncMail.exe /c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
"C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

R1 mfetdik;McAfee Inc.;C:\WINDOWS\system32\drivers\mfetdik.sys
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\x86\RaInfo.sys
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
R3 DLKRTS;D-Link DFE-538TX 10/100 Adapter;C:\WINDOWS\system32\DRIVERS\DLKRTS.SYS
R3 lmimirr;lmimirr;C:\WINDOWS\system32\DRIVERS\lmimirr.sys
R3 mfeapfk;McAfee Inc.;C:\WINDOWS\system32\drivers\mfeapfk.sys
S3 PentaxUsb;PENTAX Optio E10 on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys
S3 PentaxVc;PENTAX Optio E10 Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-09 23:56:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1189292069.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-10 23:04:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-10 23:05:22
.
--- E O F ---
 
#6 ·
There are some entries in the ComboFix log that need attention, however, I am getting ready to close out for tonight.

Please do the following, though...
Since you are running an outdated version of HijackThis, please remove it, and download the HijackThis Installer
Save to the Desktop.
Double-click on HJTInstall.exe to install the program.
By default, it installs to C:\Program Files\Trend Micro\HijackThis
Click: Install

At the main screen of the program, click on: Do a system scan and save a log file

Please post the new HijackThis log in your reply.
 
#7 ·
here is the new scan log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:18 PM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: The sdrmod - {16A0662E-AC21-4AD9-89E8-7495AC5ACE93} - C:\WINDOWS\sdrmod.dll (file missing)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 7741 bytes
hope this helps
 
#8 ·
Please go to Start > Control Panel, and double click: Display
In the Desktop tab, select: Customize Desktop
Next, select the Web tab

In the Web pages area, uncheck and delete all the entries there, except for:
My current home page

In particular, you want to get rid of:
C:\WINDOWS\privacy_danger\index.htm

~~~~
Next, please open Notepad (Start > Run > in the Open field type: notepad)
Click: OK

Copy/ paste the blue text below to Notepad:

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{16A0662E-AC21-4AD9-89E8-7495AC5ACE93}"=-
[-HKEY_CLASSES_ROOT\CLSID\{16A0662E-AC21-4AD9-89E8-7495AC5ACE93}]
[-HKEY_CLASSES_ROOT\sdrmod.ToolBar.1]
[-HKEY_CLASSES_ROOT\TypeLib\{861A084D-C8F1-47F8-90F1-6494C0645FF2}]
[-HKEY_CLASSES_ROOT\sdrmod.ToolBar]



Save as CFScript.txt <-Important!!
Change the Save as type to: All Files
Save it to the Desktop.



Referring to the screenshot above, drag CFScript.txt >>> into >>> ComboFix.exe
ComboFix runs a scan on your system, and may reboot when it finishes. This is normal.

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

When finished, a log is produced: ComboFix.txt

~~~~
Restart the computer.

~~~~
Run HijackThis once again to obtain a new log.

~~~~
Please provide the contents of the new ComboFix log , and the new HijackThis log in your reply.
 
#9 · (Edited)
here is the info:

first combofix:ComboFix 07-11-08.3 - scott sr 2007-11-10 23:01:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.366 [GMT -5:00]
Running from: D:\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\scott sr\Favorites\Error Cleaner.url
C:\Documents and Settings\scott sr\Favorites\Privacy Protector.url
C:\Documents and Settings\scott sr\Favorites\Spyware&Malware Protection.url
C:\Program Files\VideoAccessCodec
C:\WINDOWS\dat.txt
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\search_res.txt

.
((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.

2007-11-10 23:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-10 19:22 <DIR> d-------- C:\Program Files\PartyGaming.Net
2007-11-10 16:38 <DIR> d-------- C:\Program Files\PokerStars
2007-11-05 23:07 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-11-05 22:49 <DIR> d-------- C:\Documents and Settings\scott sr\Application Data\AVG7
2007-11-05 22:48 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-05 22:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-05 22:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-26 09:42 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-26 09:42 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-10-23 17:09 <DIR> d-------- C:\movies
2007-10-23 17:05 <DIR> d-------- C:\Program Files\DVD Shrink
2007-10-23 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-10-16 21:44 <DIR> d-------- C:\Program Files\Microsoft Works
2007-10-16 21:41 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-10-16 21:36 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-10-16 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-16 21:34 <DIR> dr-h----- C:\MSOCache
2007-10-12 10:18 <DIR> d-------- C:\Program Files\WinZip Self-Extractor
2007-10-12 10:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZipSE
2007-10-11 11:27 96,832 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-10 05:50 --------- d-----w C:\Program Files\LogMeIn
2007-11-01 22:06 --------- d-----w C:\Program Files\IncrediMail
2007-10-08 17:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-08 17:31 --------- d-----w C:\Program Files\Electronic Arts
2007-10-08 17:30 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-08 17:21 --------- d-----w C:\Program Files\EA SPORTS
2007-10-08 00:20 --------- d-----w C:\Program Files\Java
2007-09-29 10:46 47,376 ----a-w C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-09-29 08:21 9,854,976 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-09-29 08:07 356,352 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-09-29 08:06 268,800 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-09-29 08:06 2,456,064 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-09-29 07:58 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-09-29 07:58 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-09-29 07:58 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-09-29 07:58 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-09-29 07:57 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-09-29 07:56 483,328 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-09-29 07:55 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-09-29 07:49 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-09-29 07:47 3,130,720 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-09-29 07:47 172,032 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-09-29 07:36 1,593,600 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-09-29 07:23 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-09-29 07:22 376,832 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-09-29 07:20 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-09-29 07:19 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-09-29 07:14 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-09-20 05:02 --------- d-----w C:\Program Files\DivX
2007-09-20 00:23 --------- d-----w C:\Program Files\Common Files\Java
2007-09-19 23:00 --------- d-----w C:\Documents and Settings\scott sr\Application Data\Leadertech
2007-09-19 15:33 --------- d-----w C:\Documents and Settings\scott sr\Application Data\ACD Systems
2007-09-19 15:29 9,856 ----a-w C:\WINDOWS\system32\drivers\pfc.sys
2007-09-19 15:29 --------- d-----w C:\Program Files\Common Files\ACD Systems
2007-09-19 15:29 --------- d-----w C:\Program Files\ACD Systems
2007-09-19 15:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2007-09-19 15:23 --------- d-----w C:\Program Files\Optio E10 Digital Camera
2007-09-19 14:21 --------- d-----w C:\Documents and Settings\scott sr\Application Data\DivX
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-17 18:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-17 18:22 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-14 11:46 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-11 23:14 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 00:26 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-08-21 00:26 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-08-15 22:33 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-08-15 22:33 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-08-15 22:33 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-08-15 22:33 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-08-15 22:33 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-08-15 22:33 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-08-15 22:33 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-08-15 22:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-08-15 22:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-08-15 22:31 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-08-15 22:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-08-15 22:30 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{16A0662E-AC21-4AD9-89E8-7495AC5ACE93}"= C:\WINDOWS\sdrmod.dll [ ]

[HKEY_CLASSES_ROOT\CLSID\{16A0662E-AC21-4AD9-89E8-7495AC5ACE93}]
[HKEY_CLASSES_ROOT\sdrmod.ToolBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{861A084D-C8F1-47F8-90F1-6494C0645FF2}]
[HKEY_CLASSES_ROOT\sdrmod.ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 07:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 12:39]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-09 20:43]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-05 22:47]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 07:00]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-05-25 14:22 63040 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
C:\Program Files\IncrediMail\bin\IncMail.exe /c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
"C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

R1 mfetdik;McAfee Inc.;C:\WINDOWS\system32\drivers\mfetdik.sys
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\x86\RaInfo.sys
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
R3 DLKRTS;D-Link DFE-538TX 10/100 Adapter;C:\WINDOWS\system32\DRIVERS\DLKRTS.SYS
R3 lmimirr;lmimirr;C:\WINDOWS\system32\DRIVERS\lmimirr.sys
R3 mfeapfk;McAfee Inc.;C:\WINDOWS\system32\drivers\mfeapfk.sys
S3 PentaxUsb;PENTAX Optio E10 on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys
S3 PentaxVc;PENTAX Optio E10 Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-09 23:56:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1189292069.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-10 23:04:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-10 23:05:22
.
--- E O F ---


now highjackthis:Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:53 PM, on 13/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7433 bytes
 
#10 ·
Are you are running more than one AntiVirus program, McAfee and AVG7? If so, it is not a good idea. Having more than one antivirus program active in memory opens the door to potential conflicts between the programs, uses additional resources, may result in diminished detection capabilities, or cause false virus alerts. Please remove one of the ant-virus programs.

Next, please download to the Desktop:
SmitfraudFix
Right-click and select: Extract all
A folder named SmitfraudFix is created.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Only select option #1 - Search by typing 1 and press Enter
This program scans large amounts of files on your computer, so please be patient while it works.
When it is done, a log named rapport.txt is created, listing infected files (if present).

Please post the rapport.txt in your reply.
 
#12 ·
i just tried to download the smitfraudfix and while it was downloading i got two virus detections from mcafee. also, the smitfraudfix program said it could not download. says,"cannot copy smitfraudfix [1]:access is denied." is there anything else i can do?
 
#13 ·
Try disabling McAfee temporarily.
Right-click on the McAfee icon by the system clock.
Click VirusScan, and then click Disable.
If a dialog box appears, click Yes to disable.

~~~~
Then, download AVG Anti Spyware


Install the program
Double-click the icon on Desktop to launch AVG AS
  • On the main screen, under Your Computer's Security, click Resident Shield
  • Click the word active, and change it to inactive
  • On the main screen select Update.
  • Then click on Start Update. (The update starts and a progress bar shows the updates installed)
  • Once the update completes select Scanner (top of the screen)
  • Select the Settings tab.
  • Once in the Settings screen click on Recommended actions
  • Select Quarantine
  • Under Reports, select:
    • Automatically generate report after every scan

Now close all windows and run AVG Anti-Spyware
  • Click Scanner
  • Click the Scan tab
  • Click Complete System Scan to begin scanning. (This may take a while. Please do not open any other windows or programs while AVG AS is scanning, it may interfere with the scanning process!!)

Once the scan is complete, if any infection is found, you are prompted
  • Select Apply all actions
Once finished, select: Reports (at the top)
  • Click the Save report button
  • Click Save Report As and save it to the Desktop.
~~~~
Restart the computer.

~~~~
Next, please download SmitfraudFix to the Desktop
Right-click and select: Extract all.

Now, open the SmitfraudFix folder and double-click smitfraudfix.cmd
Only select option #1 - Search by typing 1 and press Enter
This program scans large amounts of files on your computer, so please be patient while it works.
When it is done, a log named rapport.txt is created, listing infected files (if present).

~~~~
Please post the AVG AS report, and the Smitfraud rapport.txt in your reply.
 
#17 ·
Please do the following exactly as instructed, otherwise, this will not work:

Remove the version of ComboFix that you have on D:\ComboFix.exe, and download this version of ComboFix >>>to the Desktop.<<<Very important!!

Now, go to Start > Run, and copy/paste the following command in the Open box:

"%userprofile%\desktop\combofix.exe" /killall

Example:


Click:OK

Follow the prompts to install.
Then type 1 and press Enter to begin the scan.

Do not mouse-click the ComboFix window while it runs. It may cause it to stall.

When done, please post the newComboFix.txt in your reply.
 
#18 ·
ok here is the new log:

ComboFix 07-11-08.1 - scott sr 2007-11-15 22:20:00.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.548 [GMT -5:00]
Running from: C:\Documents and Settings\scott sr\desktop\combofix.exe
Command switches used :: /killall
.

((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.

2007-11-15 17:20 <DIR> d-------- C:\Program Files\PartyGaming
2007-11-14 22:38 <DIR> d-------- C:\Documents and Settings\scott sr\Application Data\Grisoft
2007-11-14 22:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-14 22:37 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-12 23:18 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-10 23:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-10 19:22 <DIR> d-------- C:\Program Files\PartyGaming.Net
2007-11-10 16:38 <DIR> d-------- C:\Program Files\PokerStars
2007-11-05 23:07 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-11-05 22:49 <DIR> d-------- C:\Documents and Settings\scott sr\Application Data\AVG7
2007-11-05 22:48 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-05 22:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-28 12:16 96,832 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-10-26 09:42 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-26 09:42 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-10-23 17:09 <DIR> d-------- C:\movies
2007-10-23 17:05 <DIR> d-------- C:\Program Files\DVD Shrink
2007-10-23 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-10-16 21:44 <DIR> d-------- C:\Program Files\Microsoft Works
2007-10-16 21:41 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-10-16 21:36 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-10-16 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-16 21:34 <DIR> dr-h----- C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 06:37 --------- d-----w C:\Program Files\LogMeIn
2007-11-01 22:06 --------- d-----w C:\Program Files\IncrediMail
2007-10-12 15:18 --------- d-----w C:\Program Files\WinZip Self-Extractor
2007-10-12 15:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZipSE
2007-10-08 17:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-08 17:31 --------- d-----w C:\Program Files\Electronic Arts
2007-10-08 17:30 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-08 17:21 --------- d-----w C:\Program Files\EA SPORTS
2007-10-08 00:20 --------- d-----w C:\Program Files\Java
2007-09-29 10:46 47,376 ----a-w C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-09-29 08:21 9,854,976 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-09-29 08:07 356,352 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-09-29 08:06 268,800 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-09-29 08:06 2,456,064 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-09-29 07:58 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-09-29 07:58 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-09-29 07:58 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-09-29 07:58 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-09-29 07:57 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-09-29 07:56 483,328 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-09-29 07:55 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-09-29 07:49 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-09-29 07:47 3,130,720 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-09-29 07:47 172,032 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-09-29 07:36 1,593,600 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-09-29 07:23 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-09-29 07:22 376,832 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-09-29 07:20 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-09-29 07:19 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-09-29 07:14 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-09-20 05:02 --------- d-----w C:\Program Files\DivX
2007-09-20 00:23 --------- d-----w C:\Program Files\Common Files\Java
2007-09-19 23:00 --------- d-----w C:\Documents and Settings\scott sr\Application Data\Leadertech
2007-09-19 15:33 --------- d-----w C:\Documents and Settings\scott sr\Application Data\ACD Systems
2007-09-19 15:29 9,856 ----a-w C:\WINDOWS\system32\drivers\pfc.sys
2007-09-19 15:29 --------- d-----w C:\Program Files\Common Files\ACD Systems
2007-09-19 15:29 --------- d-----w C:\Program Files\ACD Systems
2007-09-19 15:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2007-09-19 15:23 --------- d-----w C:\Program Files\Optio E10 Digital Camera
2007-09-19 14:21 --------- d-----w C:\Documents and Settings\scott sr\Application Data\DivX
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-17 18:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-17 18:22 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-11 23:14 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 00:26 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-08-21 00:26 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-13_22.44.42.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-08 21:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-29 23:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 07:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 12:39]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-09 20:43]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 07:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-05-25 14:22 63040 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
C:\Program Files\IncrediMail\bin\IncMail.exe /c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
"C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

R1 mfetdik;McAfee Inc.;C:\WINDOWS\system32\drivers\mfetdik.sys
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\x86\RaInfo.sys
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
R3 DLKRTS;D-Link DFE-538TX 10/100 Adapter;C:\WINDOWS\system32\DRIVERS\DLKRTS.SYS
R3 lmimirr;lmimirr;C:\WINDOWS\system32\DRIVERS\lmimirr.sys
R3 mfeapfk;McAfee Inc.;C:\WINDOWS\system32\drivers\mfeapfk.sys
S3 PentaxUsb;PENTAX Optio E10 on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys
S3 PentaxVc;PENTAX Optio E10 Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-09 23:56:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1189292069.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 22:22:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-15 22:23:16
C:\ComboFix2.txt ... 2007-11-13 22:46
C:\ComboFix3.txt ... 2007-11-10 23:05
.
--- E O F ---
 
#20 ·
here is the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:38 PM, on 15/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7214 bytes

no i havent had any during the last bit. last time was when i was on msn messenger and a buddy wanted to send me some photos. it got to the end of the transfer and then it cancelled like smitfraud and a couple of viruses were detected and deleted by mcafee. this was earlier this evening.
 
#22 ·
There are PartyGaming and PokerStars entries showing on the log. If you installed these programs, and use them, then let them be.

However, if these programs were installed without your consent, it is suggested you uninstall them. They may be supported by adware, and may lead to sites where malware lurks.

To uninstall, go to: Start > Run, type: control
Press OK
Double-click on: Add/Remove Programs

On the list of Currently Installed Programs, look for and, if found, uninstall the following by selecting the entry and clicking on Remove:
PartyGaming
PokerStars

Next, search for and delete the following folders (bold):
C:\Program Files\PartyGaming
C:\Program Files\PokerStars

~~~~
Run HijackThis, Scan
Check box for:

If you decided to uninstall:
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

Select: Fix checked

Restart the computer.

~~~~
If you are not having malware problems, you are good to go!

Please do the following to wrap up:
  • Go to Start, then select: Run
  • Type Combofix /u in the Open box, and click OK. (Notice the space before /u)
  • This command uninstalls ComboFix, implements some cleanup procedures, and resets System Restore points.



Some of the best suggestions and programs to remain malware free are contained in Tony Klein’s article:
How Did I Get Infected In The First Place

It is also a very good practice to perform an online virus scan on a regular basis.
Scanners do not have identical malware definitions, and what one misses, another one can catch.
Some of the scanners are:
BitDefender Online Scanner
ESET NOD32 Online Scanner
F-Secure Online Scanner
Panda ActiveScan
TrendMicro HouseCall

~~~~
If you have any questions or comments, post back. Otherwise...

Good luck, and safe journey through the Internet!!
 
Status
Not open for further replies.
You have insufficient privileges to reply here.
Top