Docfxit Posted June 7, 2008 ID:19736 Share Posted June 7, 2008 My original information is in the General Malwarebytes forumIf I could copy and paste from Firefox I would put it here.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 1:30:00 AM, on 6/7/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\ibmpmsvc.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\eTrust\CA Anti-Virus\ISafe.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\WINDOWS\Explorer.EXEC:\Program Files\NCH Software\Eyeline\eyeline.exeC:\Program Files\Folder Watchdog Service 2\FwdSvc2.exeC:\Program Files\HP Web Jetadmin\hpwebjetd.exeC:\WINDOWS\system32\MNSFramework.exeC:\WINDOWS\System32\PSIService.exeC:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exeC:\Program Files\HP Web Jetadmin\hpwebjetd.exeC:\Program Files\Analog Devices\SoundMAX\SMAgent.exeC:\Program Files\Lenovo\System Update\SUService.exeC:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exeC:\WINDOWS\system32\TpKmpSVC.exeC:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exeC:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exeC:\Program Files\eTrust\CA Anti-Virus\VetMsg.exeC:\Program Files\NCH Swift Sound\VRS\vrs.exeC:\Program Files\ZoneAlarm\zlclient.exeC:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exeC:\WINDOWS\system32\tp4mon.exeC:\Program Files\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exeC:\Program Files\NCH Swift Sound\Talk\talk.exeC:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exeC:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exeC:\Program Files\Analog Devices\SoundMAX\Smax4.exeC:\WINDOWS\twain_32\Fjscan32\SOP\FtLnSOP.exeC:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exeC:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.ExeC:\WINDOWS\AGRSMMSG.exeC:\Program Files\eTrust\cctray\cctray.exeC:\Program Files\eTrust\CA Anti-Virus\CAVRID.exeC:\Program Files\Acrobat 8.0\Acrobat\Acrotray.exeC:\Program Files\IconSaver\IconSaver.exeC:\Program Files\Java\jre1.6.0_06\bin\jusched.exeC:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exeC:\Program Files\TweakMASTER\TMTray.exeC:\Program Files\DU Meter\DUMeter.exeC:\Program Files\NCH Software\Eyeline\eyeline.exeC:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exeC:\Program Files\Photo Album 6\MediaDetect.exeC:\Program Files\Vidalia\vidalia.exeC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\Program Files\Privoxy\privoxy.exeC:\Program Files\Trillian\trillian.exeC:\Program Files\Tor\tor.exeC:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeC:\WINDOWS\system32\ZoneLabs\vsmon.exeC:\Program Files\WebDrive\wdService.exeC:\Program Files\Proxomitron\Proxomitron.exeC:\WINDOWS\System32\hpnra.exeC:\Program Files\Unlocker\UnlockerAssistant.exeC:\Program Files\Spell Catcher Plus\Spell Catcher.exeC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exeC:\WINDOWS\system32\taskmgr.exeC:\Program Files\Salamander 2.5\salamand.exeC:\Program Files\Firefox\firefox.exeC:\Program Files\HJT\WhatsRunning.exeR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080O1 - Hosts: 208.127.208.174 atu1277.comO1 - Hosts: 64.32.143.214 theoffice.laO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO2 - BHO: TweakMASTER PRO Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dllO2 - BHO: (no name) - {9A9056CA-793D-47DC-8775-EF87334642F3} - (no file)O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\SnagIt\SnagItIEAddin.dllO3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: UltraEdit Toolbar - {4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22} - C:\PROGRA~1\UE_TOO~1\UE_TOO~1.DLLO4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\ZoneAlarm\zlclient.exeO4 - HKLM\..\Run: [TVT Scheduler Proxy] "C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe"O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exeO4 - HKLM\..\Run: [TPKMAPHELPER] "C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" -helperO4 - HKLM\..\Run: [TPHOTKEY] "C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe"O4 - HKLM\..\Run: [TP4EX] tp4ex.exeO4 - HKLM\..\Run: [Talk] "C:\Program Files\NCH Swift Sound\Talk\talk.exe" -logonO4 - HKLM\..\Run: [startupDelayer] "C:\Program Files\Startup Delayer\Startup Launcher GUI.exe"O4 - HKLM\..\Run: [soundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /trayO4 - HKLM\..\Run: [FtLnSOP_setup] C:\WINDOWS\twain_32\Fjscan32\SOP\FtLnSOP.exeO4 - HKLM\..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe /StationO4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.ExeO4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exeO4 - HKLM\..\Run: [cctray] "C:\Program Files\eTrust\cctray\cctray.exe"O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\eTrust\CA Anti-Virus\CAVRID.exe"O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Acrobat 8.0\Acrobat\Acrotray.exe"O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [NSWosCheck] C:\Program Files\Norton SystemWorks Premier\osCheck.exeO4 - HKLM\..\Run: [iconSaver] "C:\Program Files\IconSaver\IconSaver.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"O4 - HKLM\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -schedulerO4 - HKLM\..\Run: [sMSI Loader] "C:\Program Files\Common Files\Smith Micro Shared\Fax\SMLoader.exe /PRNDRV"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [TweakMASTER] "C:\Program Files\TweakMASTER\TMTray.exe"O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exeO4 - HKLM\..\Run: [EyelineRun] "C:\Program Files\NCH Software\Eyeline\eyeline.exe" -logonO4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Photo Album 6\MediaDetect.exeO4 - HKLM\..\RunOnce: [spybotDeletingA9087] command /c del "c:\smp.bat"O4 - HKLM\..\RunOnce: [spybotDeletingC3705] cmd /c del "c:\smp.bat"O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia\vidalia.exe"O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeO4 - HKCU\..\RunOnce: [spybotDeletingB623] command /c del "c:\smp.bat"O4 - HKCU\..\RunOnce: [spybotDeletingD8674] cmd /c del "c:\smp.bat"O4 - HKUS\S-1-5-21-2247778763-3604470327-847386435-1004\..\Run: [Vidalia] "C:\Program Files\Vidalia\vidalia.exe" (User '?')O4 - HKUS\S-1-5-21-2247778763-3604470327-847386435-1004\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')O4 - HKUS\S-1-5-21-2247778763-3604470327-847386435-1004\..\RunOnce: [spybotDeletingB623] command /c del "c:\smp.bat" (User '?')O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')O4 - S-1-5-21-2247778763-3604470327-847386435-1004 Startup: EruntRegistrySave.bat (User '?')O4 - S-1-5-21-2247778763-3604470327-847386435-1004 Startup: trillian.exe.lnk = C:\Program Files\Trillian\trillian.exe (User '?')O4 - Startup: EruntRegistrySave.batO4 - Startup: trillian.exe.lnk = C:\Program Files\Trillian\trillian.exeO4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exeO8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htmO8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htmO8 - Extra context menu item: Add to &LinkFox - res://C:\PROGRA~1\TWEAKM~1\TweakBHO.dll/IESCRIPTO8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlO8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlO8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dllO16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www1.pcpitstop.com/pcpitstop/PCPitStop.CABO17 - HKLM\System\CCS\Services\Tcpip\..\{330DAAC8-65B7-4C1D-8E5B-F6904A60CAF2}: NameServer = 66.80.130.23,66.80.131.5O17 - HKLM\System\CCS\Services\Tcpip\..\{35ED5B21-7585-40AD-A6CB-A544896180CC}: NameServer = 66.51.205.100,66.51.206.100O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\QuickBooks 2008\HelpAsyncPluggableProtocol.dllO18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO20 - Winlogon Notify: efcDSLbA - efcDSLbA.dll (file missing)O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Ad-Aware 2007\aawservice.exeO23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exeO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeO23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\eTrust\ccprovsp.exeO23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\eTrust\CA Anti-Virus\ISafe.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXEO23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper\DkService.exeO23 - Service: Eyeline Service (EyelineService) - Unknown owner - C:\Program Files\NCH Software\Eyeline\eyeline.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: Folder Watchdog Service 2 - Alexander Seleznyov http://www.seleznyov.com - C:\Program Files\Folder Watchdog Service 2\FwdSvc2.exeO23 - Service: Folder Watchdog Service 2 Controller - Alexander Seleznyov http://www.seleznyov.com - C:\Program Files\Folder Watchdog Service 2\FwdSvc2.exeO23 - Service: HP Web Jetadmin (HPWebJetadmin) - Apache Software Foundation - C:\Program Files\HP Web Jetadmin\hpwebjetd.exeO23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: MNS Framework (MNSFramework) - Unknown owner - C:\WINDOWS\system32\MNSFramework.exeO23 - Service: MWAgent - Unknown owner - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE (file missing)O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXEO23 - Service: Port Reporter (PortReporter) - Unknown owner - C:\Program Files\PortReporter\portreporter.exeO23 - Service: PowerAlert Agent - Unknown owner - C:\Program Files\TrippLite\PowerAlert\engine/pa.exeO23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exeO23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exeO23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exeO23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL Global VPN Client\RampartSvc.exeO23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exeO23 - Service: RPM Remote Print Manager (RPM) - Brooks Internet Software, Inc - C:\Program Files\RPMElite\RPMSrvc.exeO23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exeO23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXEO23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exeO23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exeO23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exeO23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exeO23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exeO23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exeO23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\eTrust\CA Anti-Virus\VetMsg.exeO23 - Service: VRS Recording System (VRSService) - NCH Software - C:\Program Files\NCH Swift Sound\VRS\vrs.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exeO23 - Service: WebDrive Service (WebDriveService) - South River Technologies, LLC - C:\Program Files\WebDrive\wdService.exe--End of file - 17015 bytesThank you for looking at it for me,Docfxit Link to post Share on other sites More sharing options...
JeanInMontana Posted June 7, 2008 ID:19763 Share Posted June 7, 2008 Please follow the instructions for Pre-HighJack This! posting and reply in this thread. Also a link to what ever your referring to in the other forum would be helpful. Link to post Share on other sites More sharing options...
Docfxit Posted June 10, 2008 Author ID:19985 Share Posted June 10, 2008 XP Pro SP2I found a number of services that won't start.I am currently running CA Antivirus (fully updated)Next I will run SpyBot 1.52I have tried to run Panda with IE and FireFox with Administrative privileges . With FireFox I did get further. When you are running FireFox you download a plugin called ActiveScan. I launched the plugin while FireFox was not running. I ran FireFox and it said it had a problem downloading the plugin. I cleared the cache and ran FireFox again. It had the same error.I tried going to http://www.pandasecurity.com/usa/ on a different computer and it doesn't work there either. It seems like they have an error on their web site.I tried running IE in Safe Mode. I can't get it to go to any web site. I can ping yahoo.com successfully. I tried with and without "Automatically detect settings".Firefox failed just as bad in Safe Mode.I tried ESET. I accepted the terms. I clicked on start and nothing happened.Ad-Aware won't run.I ran Spybot 1.52I ran CA Antivirus.I can't get Kaspersky Online Scan to run in IE. Nothing happens when I click on the link.Thank you,Docfxit Link to post Share on other sites More sharing options...
JeanInMontana Posted June 13, 2008 ID:20156 Share Posted June 13, 2008 Sorry I didn't get a notice of reply. I need you to either stay in this topic and only do what I instruct or you stick with what's going on in the other forum. Please put HJT in a folder of it's own on your hard drive. O4 - Startup: EruntRegistrySave.bat <======== What do you know about this? I can't find it in Google except here.Uninstall this program C:\Program Files\Tor\tor.exe delete any files associated. Run HJT again in scan only and put a check next to the following and then click fix. O4 - HKCU\..\RunOnce: [spybotDeletingB623] command /c del "c:\smp.bat"O4 - HKCU\..\RunOnce: [spybotDeletingD8674] cmd /c del "c:\smp.bat"O4 - HKCU\..\RunOnce: [spybotDeletingB623] command /c del "c:\smp.bat"O4 - HKCU\..\RunOnce: [spybotDeletingD8674] cmd /c del "c:\smp.bat"O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)O20 - Winlogon Notify: efcDSLbA - efcDSLbA.dll (file missing)Now reboot and please get this.1. Download this file :http://download.bleepingcomputer.com/sUBs/ComboFix.exe2. Double click combofix.exe. It will be a red icon with a white X on your desktop. Follow the prompts you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.Post that log and a HiJack log in your next replyNote:Do not mouseclick combofix's window while its running. That may cause it to stall. Link to post Share on other sites More sharing options...
JeanInMontana Posted June 14, 2008 ID:20308 Share Posted June 14, 2008 So are we going to do this? Link to post Share on other sites More sharing options...
Docfxit Posted June 16, 2008 Author ID:20460 Share Posted June 16, 2008 So are we going to do this?Yes. Definitely.Thank you very much for working on this with me. Unfortunately I had some business to take care of that wouldn't wait. I need this computer desperately but I need to take care of work first.I will start working on this right now.Thank you,Docfxit Link to post Share on other sites More sharing options...
JeanInMontana Posted June 16, 2008 ID:20467 Share Posted June 16, 2008 Ok Link to post Share on other sites More sharing options...
Docfxit Posted June 16, 2008 Author ID:20476 Share Posted June 16, 2008 Sorry I didn't get a notice of reply. I need you to either stay in this topic and only do what I instruct or you stick with what's going on in the other forum. I will only follow your instructions. I need to get this computer working again. While it would be nice to get Malwarebytes functional in a desperate situation like this I don't have any more time to dedicate to resolving the issue of why it won't run.Please put HJT in a folder of it's own on your hard drive. HJT is in a folder of it's own on the last post. It's in C:\Program Files\HJT I renamed the file to WhatsRunning.exe That's probably why you didn't recognize it.O4 - Startup: EruntRegistrySave.bat <======== What do you know about this? I can't find it in Google except here.That is a file I created to start the autobackup of saving the registry.This is what is in it:call "C:\Program Files\ERUNT\AUTOBACK.EXE" %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /days:7Uninstall this program C:\Program Files\Tor\tor.exe delete any files associated. DoneRun HJT again in scan only and put a check next to the following and then click fix. O4 - HKCU\..\RunOnce: [spybotDeletingB623] command /c del "c:\smp.bat"O4 - HKCU\..\RunOnce: [spybotDeletingD8674] cmd /c del "c:\smp.bat"O4 - HKCU\..\RunOnce: [spybotDeletingB623] command /c del "c:\smp.bat"O4 - HKCU\..\RunOnce: [spybotDeletingD8674] cmd /c del "c:\smp.bat"O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)O20 - Winlogon Notify: efcDSLbA - efcDSLbA.dll (file missing)DoneNow reboot and please get this.1. Download this file :http://download.bleepingcomputer.com/sUBs/ComboFix.exe2. Double click combofix.exe. It will be a red icon with a white X on your desktop. Follow the prompts you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.Post that log and a HiJack log in your next replyNote:Do not mouseclick combofix's window while its running. That may cause it to stall.ConboFix Log:ComboFix 08-06-15.4 - GaryT 2008-06-16 14:04:15.2 - NTFSx86Running from: E:\Spyware Remover-Preventers\ComboFix.exeWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).C:\WINDOWS\system32\CacheC:\WINDOWS\system32\fefhk.iniC:\WINDOWS\system32\MoqWFfhk.iniC:\WINDOWS\system32\MoqWFfhk.ini2C:\WINDOWS\system32\MSINET.ocaC:\WINDOWS\system32\PYcJRqss.iniC:\WINDOWS\system32\PYcJRqss.ini2C:\WINDOWS\system32\Ultra.dll.((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 ))))))))))))))))))))))))))))))).2008-06-15 19:31 . 2008-05-22 15:22 129,784 --------- C:\WINDOWS\system32\pxafs.dll2008-06-15 19:31 . 2008-05-22 15:22 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe2008-06-15 19:31 . 2008-05-22 15:22 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe2008-06-15 19:31 . 2008-05-22 15:22 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys2008-06-15 19:31 . 2008-05-22 15:22 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys2008-06-14 13:02 . 2008-06-14 13:02 <DIR> d-------- C:\Program Files\SIW2008-06-10 17:04 . 2008-06-10 17:06 <DIR> d-------- C:\Program Files\ScanSpyware v3.82008-06-06 20:37 . 2008-06-06 20:37 <DIR> d-------- C:\Program Files\Panda Security2008-06-06 13:30 . 2008-06-11 08:39 <DIR> d-------- C:\Program Files\Malwarebytes2008-06-06 13:30 . 2008-06-06 13:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes2008-06-06 13:30 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys2008-06-06 13:30 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys2008-06-06 10:15 . 2002-12-29 01:14 81,920 --a------ C:\WINDOWS\system32\Startup.cpl2008-06-06 09:34 . 2008-06-06 09:34 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Acronis2008-06-06 09:09 . 2008-06-06 09:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Acronis2008-06-06 09:09 . 2008-06-06 09:09 441,760 --a------ C:\WINDOWS\system32\drivers\timntr.sys2008-06-06 09:09 . 2008-06-06 09:09 129,248 --a------ C:\WINDOWS\system32\drivers\snapman.sys2008-06-06 09:09 . 2008-06-06 09:09 44,384 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys2008-06-06 09:08 . 2008-06-06 09:08 368,544 --a------ C:\WINDOWS\system32\drivers\tdrpman.sys2008-06-06 09:02 . 2008-06-06 09:07 <DIR> d-------- C:\Program Files\Common Files\Acronis2008-06-05 17:01 . 2008-06-05 17:01 <DIR> d-------- C:\Documents and Settings\GaryT\.JB52008-06-04 14:59 . 2008-06-04 14:59 880,560 --a------ C:\WINDOWS\system32\drivers\vetefile.sys2008-06-04 14:59 . 2008-06-04 14:59 108,368 --a------ C:\WINDOWS\system32\drivers\veteboot.sys2008-06-04 10:32 . 2008-06-04 10:32 <DIR> d-------- C:\Documents and Settings\GaryT\.JB42008-05-30 12:24 . 2008-06-03 15:13 <DIR> d-------- C:\Program Files\Folder Watchdog Service 22008-05-29 20:58 . 2008-05-29 20:58 5,760,998 --a------ C:\WINDOWS\Cambria.bmp2008-05-27 22:42 . 2008-05-27 22:42 29 --a------ C:\WINDOWS\Atw.INI2008-05-27 18:43 . 2008-05-27 18:43 <DIR> d-------- C:\Program Files\Common Files\Apple2008-05-24 14:09 . 2008-05-24 14:09 <DIR> d-------- C:\Program Files\File Audit2008-05-24 09:59 . 2008-05-29 14:34 <DIR> d-------- C:\Program Files\Driver Detective2008-05-23 09:29 . 2008-05-24 09:18 <DIR> d-------- C:\Program Files\TweakMASTER2008-05-23 09:29 . 2008-05-23 09:29 <DIR> d-------- C:\Program Files\DU Meter2008-05-23 09:29 . 2008-05-23 09:29 <DIR> d-------- C:\Documents and Settings\GaryT\Application Data\Hagel Technologies2008-05-23 09:29 . 2008-05-23 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hagel Technologies2008-05-22 19:00 . 2008-05-22 19:01 <DIR> d-------- C:\Program Files\Apple Software Update2008-05-22 19:00 . 2008-05-22 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple2008-05-22 15:22 . 2008-05-22 15:22 3,596,288 --a--c--- C:\WINDOWS\system32\qt-dx331.dll2008-05-22 15:22 . 2008-05-22 15:22 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe2008-05-22 15:22 . 2008-05-22 15:22 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb2008-05-22 15:20 . 2008-05-22 15:20 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll2008-05-22 15:20 . 2008-05-22 15:20 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll2008-05-22 15:19 . 2008-05-22 15:19 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax2008-05-22 15:19 . 2008-05-22 15:19 196,608 --a------ C:\WINDOWS\system32\dtu100.dll2008-05-22 15:19 . 2008-05-22 15:19 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe2008-05-22 15:19 . 2008-05-22 15:19 81,920 --a------ C:\WINDOWS\system32\dpl100.dll2008-05-22 15:19 . 2008-05-22 15:19 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest2008-05-22 15:19 . 2008-05-22 15:19 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest2008-05-22 15:18 . 2008-05-22 15:18 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll2008-05-22 14:23 . 2008-05-22 19:06 <DIR> d-------- C:\Program Files\QuickTime Alternative2008-05-22 14:23 . 2008-05-22 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer2008-05-22 14:23 . 2008-03-28 21:07 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx2008-05-22 14:23 . 2008-03-28 21:07 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts2008-05-22 10:57 . 2008-05-22 10:57 <DIR> d-------- C:\Documents and Settings\GaryT\Application Data\Malwarebytes2008-05-21 18:00 . 2008-05-21 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers Headquarters2008-05-19 20:08 . 2008-06-16 13:44 2,206 --a------ C:\WINDOWS\system32\wpa.dbl2008-05-19 16:12 . 2008-05-20 18:45 <DIR> d-------- C:\Program Files\Uninstall Plus2008-05-19 12:22 . 2008-05-19 12:22 <DIR> d-------- C:\Program Files\AviSynth 2.52008-05-19 12:20 . 2008-05-19 12:20 <DIR> d-------- C:\Program Files\DVD2SVCD2008-05-19 12:05 . 1999-09-10 04:06 4,672 --a------ C:\WINDOWS\system\wowpost.exe2008-05-19 12:04 . 1999-09-10 04:06 45,056 --a------ C:\WINDOWS\system32\wnaspi32.dll2008-05-19 12:04 . 1999-09-10 04:06 25,244 --a------ C:\WINDOWS\system32\drivers\aspi32.sys2008-05-19 12:04 . 1997-12-22 22:02 23,936 --a------ C:\WINDOWS\system\aspi32.sys2008-05-19 12:04 . 1999-09-10 04:06 5,600 --a------ C:\WINDOWS\system\winaspi.dll2008-05-19 11:49 . 2008-05-21 17:41 <DIR> d-------- C:\Documents and Settings\GaryT\Application Data\ImgBurn2008-05-19 11:38 . 2008-05-21 12:44 <DIR> d-------- C:\Program Files\ImgBurn2008-05-18 16:33 . 2008-05-18 16:33 <DIR> d-------- C:\Documents and Settings\GaryT\Application Data\LEAPS2008-05-18 16:22 . 2008-05-19 16:39 <DIR> d-------- C:\Program Files\TMPGEnc 4.0 XPress2008-05-18 11:17 . 2008-06-10 14:04 <DIR> d-------- C:\Program Files\HDiskDefrag2008-05-16 09:27 . 2008-05-16 09:27 <DIR> d-------- C:\Program Files\PortReporter2008-05-16 09:19 . 2008-05-16 09:24 <DIR> d-------- C:\Program Files\PortRptr.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2008-06-16 20:55 --------- d-----w C:\Program Files\Firefox2008-06-16 20:51 --------- d-----w C:\Program Files\eTrust2008-06-16 20:48 --------- d-----w C:\Program Files\HJT2008-06-16 20:33 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP2008-06-16 19:32 --------- d-----w C:\Documents and Settings\GaryT\Application Data\ue_toolbar2008-06-16 02:32 --------- d-----w C:\Program Files\DivX2008-06-15 20:32 --------- d-----w C:\Program Files\ZipCentral2008-06-14 21:54 --------- d-----w C:\Documents and Settings\GaryT\Application Data\Vidalia2008-06-13 00:39 --------- d-----w C:\Program Files\Trillian2008-06-13 00:29 --------- d-----w C:\Program Files\CCleaner2008-06-12 20:47 --------- d-----w C:\Program Files\Uninstaller 20082008-06-12 20:41 --------- d-----w C:\Program Files\JkDefrag2008-06-03 16:52 --------- d-----w C:\Program Files\NCH Software2008-06-03 16:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Software2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll2008-05-30 23:22 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll2008-05-30 23:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll2008-05-30 23:22 683,520 ----a-w C:\WINDOWS\system32\DivX.dll2008-05-30 23:22 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll2008-05-30 23:22 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll2008-05-30 23:22 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll2008-05-30 23:22 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll2008-05-29 18:34 --------- d-----w C:\Program Files\Photo Album 62008-05-28 02:54 --------- d-----w C:\Program Files\QuickTime2008-05-28 01:25 --------- d-----w C:\Program Files\Savings Bond Wizard2008-05-28 00:03 --------- d-----w C:\Program Files\UltraVNC2008-05-24 17:02 --------- d--h--w C:\Program Files\InstallShield Installation Information2008-05-23 23:32 --------- d-----w C:\Program Files\Salamander 2.52008-05-23 16:55 --------- d-----w C:\Program Files\SUPERAntiSpyware2008-05-23 16:26 --------- d-----w C:\Program Files\CommView2008-05-22 22:22 43,528 -c----w C:\WINDOWS\system32\drivers\pxhelp20.sys2008-05-21 19:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard2008-05-19 20:53 --------- d-----w C:\Program Files\MSECACHE2008-05-17 04:45 --------- d-----w C:\Program Files\AutoIt32008-05-15 20:37 --------- d-----w C:\Program Files\HotFax MessageCenter2008-05-15 20:33 --------- d-----w C:\Program Files\Common Files\Smith Micro Shared2008-05-14 22:27 --------- d-----w C:\Program Files\BartPebuilder3110a2008-05-14 19:31 --------- d-----w C:\Documents and Settings\GaryT\Application Data\SonicWALL2008-05-14 19:22 --------- d-----w C:\Program Files\SonicWALL Global VPN Client2008-05-13 21:50 18,192 -c--a-w C:\WINDOWS\system32\pgdfgsvc.exe2008-05-12 16:00 --------- d-----w C:\Program Files\RunAsspc2008-05-07 17:51 --------- d-----w C:\Program Files\FlashGet2008-05-05 15:15 --------- d-----w C:\Program Files\Defrag Contig2008-05-05 14:59 --------- d-----w C:\Program Files\PageDfrg2008-05-05 03:57 --------- d-----w C:\Documents and Settings\GaryT\Application Data\Skype2008-05-04 23:00 --------- d-----w C:\Documents and Settings\GaryT\Application Data\skypePM2008-05-04 16:37 --------- d-----w C:\Program Files\Skype2008-05-04 16:37 --------- d-----w C:\Program Files\Common Files\Skype2008-05-04 16:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype2008-05-04 16:26 --------- d-----w C:\Program Files\SpeedFan2008-05-03 23:43 --------- d-----w C:\Program Files\Three Rings Design2008-05-03 23:42 --------- d-----w C:\Program Files\Java2008-05-03 20:07 --------- d-----w C:\Program Files\Update CheckerFilehippo.com2008-05-02 21:02 --------- d-----w C:\Program Files\Digital Media Converter2008-05-02 20:51 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll2008-05-02 19:00 --------- d-----w C:\Program Files\Common Files\DeskShare Shared2008-05-02 16:31 --------- d-----w C:\Program Files\Codec WMV9_VCM2008-05-01 18:25 16,450,560 --sh--r C:\SYSCMNDR.SYS2008-05-01 18:08 --------- d-----w C:\Program Files\testdisk-6.92008-05-01 00:19 --------- d-----w C:\Program Files\WinSnap2008-04-30 14:27 --------- d-----w C:\Program Files\IconSaver2008-04-29 21:17 --------- d-----w C:\Documents and Settings\GaryT\Application Data\GetRightToGo2008-04-29 19:01 --------- d-----w C:\Program Files\Ad-Aware 20072008-04-28 19:00 --------- d-----w C:\Program Files\Norton SystemWorks Premier2008-04-28 19:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared2008-04-28 17:50 --------- d-----w C:\Program Files\MediaInfo2008-04-28 17:37 --------- d-----w C:\Program Files\AVIcodec2008-04-28 17:17 --------- d-----w C:\Program Files\FileAlyzer2008-04-28 16:28 --------- d-----w C:\Program Files\FileType TrIDNet2008-04-28 16:18 --------- d-----w C:\Program Files\Globe72008-04-28 16:09 --------- d-----w C:\Documents and Settings\GaryT\Application Data\Globe72008-04-28 15:21 --------- d-----w C:\Program Files\Startup Delayer2008-04-28 14:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec2008-04-28 14:05 805 -c--a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF2008-04-28 14:05 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL2008-04-28 14:05 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS2008-04-28 14:05 10,740 -c--a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT2008-04-28 14:05 --------- d-----w C:\Program Files\Symantec2008-04-25 16:32 --------- d-----w C:\Program Files\Privoxy2008-04-22 16:41 --------- d-----w C:\Documents and Settings\GaryT\Application Data\DivX2008-04-22 16:19 --------- d-----w C:\Program Files\K-Lite Codec Pack2008-04-22 01:23 --------- d-----w C:\Program Files\LsGrab2008-04-18 16:31 --------- d-----w C:\Documents and Settings\GaryT\Application Data\Convivea2008-04-18 15:33 --------- d-----w C:\Program Files\Unziplify2008-04-18 14:05 --------- d-----w C:\Documents and Settings\GaryT\Application Data\Zeon2008-04-18 14:05 --------- d-----w C:\Documents and Settings\GaryT\Application Data\ScanSoft2008-04-18 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft2008-04-18 05:22 --------- d-----w C:\Program Files\ScanSoft2008-04-18 04:32 --------- d-----w C:\Program Files\Nero2008-04-18 01:14 --------- d-----w C:\Program Files\QuickBooks 20082008-04-16 01:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft2008-04-16 01:22 --------- d-----w C:\Program Files\Add Remove Pro2008-04-10 04:04 99,904 ----a-w C:\WINDOWS\system32\isafeif.dll2008-04-10 04:04 79,424 ----a-w C:\WINDOWS\system32\vetredir.dll2008-03-07 19:18 1,004 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys.<pre>-c--a-w 655,272 2006-06-16 03:58:01 C:\Dnload\ivmsetup ver. 3.07 .exe-c--a-w 3,609,847 2006-03-01 01:32:58 C:\Dnload\JPGWIZ ver.2.4.0.6 .EXE----a-w 22,300,968 2008-04-29 22:09:33 C:\Dnload\SkypeSetup 3.8.0.115 .exe----a-w 1,697,344 2008-04-17 04:46:44 C:\Program Files\UltraVNC\vncviewer ver.1.0.4.914 .exe</pre>------- Sigcheck -------2004-08-03 16:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe2007-09-19 21:35 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\system32\user32.dll2004-08-03 16:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll2008-02-16 02:32 666112 bb1eacd6ab47e78ebca02eb781550d55 C:\WINDOWS\system32\wininet.dll2007-10-30 09:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\system32\drivers\tcpip.sys2004-08-03 16:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe2004-08-03 15:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys2004-08-03 15:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys2007-09-19 21:55 2062336 5cf9911d32a07860dab935adf265b8a9 C:\WINDOWS\system32\ntkrnlpa.exe2007-09-19 21:49 2185472 9a8f4f15f3a85f2b67525425f24df7f6 C:\WINDOWS\system32\ntoskrnl.exe2007-09-19 21:48 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\explorer.exe2004-08-03 16:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe2004-08-03 16:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe2004-08-03 16:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Vidalia"="C:\Program Files\Vidalia\vidalia.exe" [2007-02-07 18:38 11891712]"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-22 18:21 1510640][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 10:34 487424]"TrackPointSrv"="tp4mon.exe" [2004-08-04 01:56 82432 C:\WINDOWS\system32\tp4mon.exe]"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 20:04 864256]"TPHOTKEY"="C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 11:19 94208]"TP4EX"="tp4ex.exe" [2005-10-17 02:11 65536 C:\WINDOWS\system32\TP4EX.exe]"Talk"="C:\Program Files\NCH Swift Sound\Talk\talk.exe" [2008-02-21 10:21 647172]"StartupDelayer"="C:\Program Files\Startup Delayer\Startup Launcher GUI.exe" [2007-12-14 02:11 44032]"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 10:52 1368064]"FtLnSOP_setup"="C:\WINDOWS\twain_32\Fjscan32\SOP\FtLnSOP.exe" [2005-01-06 01:16 212992]"FJTWAIN Setup"="C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe" [2006-06-14 15:03 126976]"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 02:33 243248]"atr.exe"="" []"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-02-06 21:00 344064]"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 09:53 88363 C:\WINDOWS\AGRSMMSG.exe]"cctray"="C:\Program Files\eTrust\cctray\cctray.exe" [2008-04-09 21:04 177416]"CAVRID"="C:\Program Files\eTrust\CA Anti-Virus\CAVRID.exe" [2008-04-09 21:04 230928]"Acrobat Assistant 8.0"="C:\Program Files\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-10-27 17:38 107112]"NSWosCheck"="C:\Program Files\Norton SystemWorks Premier\osCheck.exe" [2007-12-03 01:41 25472]"IconSaver"="C:\Program Files\IconSaver\IconSaver.exe" [2004-01-12 05:59 110592]"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-27 10:07 208896]"SMSI Loader"="C:\Program Files\Common Files\Smith Micro Shared\Fax\SMLoader.exe" [2004-10-12 13:01 32768]"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]"TweakMASTER"="C:\Program Files\TweakMASTER\TMTray.exe" [2006-11-27 15:26 284712]"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2006-11-27 15:19 1582616]"EyelineRun"="C:\Program Files\NCH Software\Eyeline\eyeline.exe" [2008-06-03 09:52 425988]"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-30 20:07 140568]"Corel Photo Downloader"="C:\Program Files\Photo Album 6\MediaDetect.exe" [2007-02-21 01:15 112208][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 14:59 44544]"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []"IE7-10"="advpack.dll" [2004-08-03 16:56 99840 C:\WINDOWS\system32\advpack.dll][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"SynchronousMachineGroupPolicy"= 0 (0x0)"SynchronousUserGroupPolicy"= 0 (0x0)[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]"NoBandCustomize"= 0 (0x0)"NoMovingBands"= 0 (0x0)"NoCloseDragDropBands"= 0 (0x0)[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]notifyf2.dll 2005-07-06 00:45 28672 C:\WINDOWS\system32\notifyf2.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]tphklock.dll 2006-02-01 16:09 24576 C:\WINDOWS\system32\tphklock.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]"AppInit_DLLs"=apitrap.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]"VIDC.HFYU"= huffyuv.dll[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]Authentication Packages REG_MULTI_SZ relog_ap[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IconSaver.exe.lnk]backup=C:\WINDOWS\pss\IconSaver.exe.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^GaryT^Start Menu^Programs^Startup^4t Tray Minimizer.lnk]backup=C:\WINDOWS\pss\4t Tray Minimizer.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^GaryT^Start Menu^Programs^Startup^Bluetooth.lnk]backup=C:\WINDOWS\pss\Bluetooth.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^GaryT^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]backup=C:\WINDOWS\pss\ERUNT AutoBackup.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^GaryT^Start Menu^Programs^Startup^FileBox eXtender.lnk]backup=C:\WINDOWS\pss\FileBox eXtender.lnkStartup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cctray][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]"btwdins"=2 (0x2)[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]"ctfmon.exe"=C:\WINDOWS\System32\ctfmon.exe"Skype"="C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized"OpAgent"="OpAgent.exe" /agent[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]"SMSI Loader"="C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe" /PRNDRV"pdfFactory Dispatcher v2"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"frymxins"="C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl""HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper"IPSend.exe"=C:\Dnload\9xAddons\Autoit V3 Script\ipsend.exe"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler"VRS"="C:\Program Files\NCH Swift Sound\VRS\vrs.exe" -logon"IMSRun"="C:\Program Files\NCH Swift Sound\IMS\ims.exe" -logon"ScanSoft OmniPage 16-reminder"="C:\Program Files\ScanSoft\OmniPage16\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\OmniPage 16\Ereg\Ereg.ini""Globe7"="C:\Program Files\Globe7\Globe7.exe"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="C:\\Program Files\\SonicWALL Global VPN Client\\SWGVpnClient.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="C:\\Program Files\\QuickBooks 2008\\QBDBMgrN.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\UltraVNC\\vncviewer.exe"="C:\\WINDOWS\\cwbrxd.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"8002:UDP"= 8002:UDP:Express Talk RTP Incoming Audio (UDP)"8003:UDP"= 8003:UDP:Express Talk RTP Incoming Audio (UDP)"8004:UDP"= 8004:UDP:Express Talk RTP Incoming Audio (UDP)"8005:UDP"= 8005:UDP:Express Talk RTP Incoming Audio (UDP)"8006:UDP"= 8006:UDP:Express Talk RTP Incoming Audio (UDP)"8007:UDP"= 8007:UDP:Express Talk RTP Incoming Audio (UDP)"8008:UDP"= 8008:UDP:Express Talk RTP Incoming Audio (UDP)"8009:UDP"= 8009:UDP:Express Talk RTP Incoming Audio (UDP)"8010:UDP"= 8010:UDP:Express Talk RTP Incoming Audio (UDP)"8011:UDP"= 8011:UDP:Express Talk RTP Incoming Audio (UDP)"5060:UDP"= 5060:UDP:Express Talk Sip Incoming Calls (UDP)"512:TCP"= 512:TCP:exec server (rexecd, port 512)[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12HPService REG_MULTI_SZ HPSLPSVC[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]\Shell\AutoRun\command - H:\LaunchU3.exe -a[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b55c9a1-bcda-11dc-9381-00d059ca1246}]\Shell\AutoRun\command - H:\LaunchU3.exe -a.Contents of the 'Scheduled Tasks' folder"2008-06-04 01:31:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"- C:\Program Files\Apple Software Update\SoftwareUpdate.exe"2008-06-03 15:32:28 C:\WINDOWS\Tasks\CleanTemp.job"- C:\Batch\CleanTemp2.bat.**************************************************************************catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-06-16 14:23:21Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ...scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PowerAlert Agent]"ImagePath"="C:\Program Files\TrippLite\PowerAlert\engine/pa.exe -service".--------------------- DLLs Loaded Under Running Processes ---------------------PROCESS: C:\WINDOWS\system32\winlogon.exe-> C:\WINDOWS\system32\tphklock.dllPROCESS: C:\WINDOWS\explorer.exe-> C:\Program Files\Unlocker\UnlockerHook.dll.Completion time: 2008-06-16 14:32:01ComboFix-quarantined-files.txt 2008-06-16 21:31:22ComboFix2.txt 2007-11-05 21:29:13Pre-Run: 2,151,518,208 bytes freePost-Run: 1,960,763,392 bytes free389 --- E O F --- 2008-05-17 10:03:17HJT.log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 3:02:28 PM, on 6/16/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\ibmpmsvc.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\eTrust\CA Anti-Virus\ISafe.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\Program Files\NCH Software\Eyeline\eyeline.exeC:\Program Files\Folder Watchdog Service 2\FwdSvc2.exeC:\Program Files\HP Web Jetadmin\hpwebjetd.exeC:\WINDOWS\system32\MNSFramework.exeC:\WINDOWS\System32\PSIService.exeC:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exeC:\Program Files\HP Web Jetadmin\hpwebjetd.exeC:\Program Files\Analog Devices\SoundMAX\SMAgent.exeC:\Program Files\Lenovo\System Update\SUService.exeC:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exeC:\WINDOWS\system32\TpKmpSVC.exeC:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exeC:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exeC:\Program Files\eTrust\CA Anti-Virus\VetMsg.exeC:\Program Files\NCH Swift Sound\VRS\vrs.exeC:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exeC:\WINDOWS\system32\tp4mon.exeC:\Program Files\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exeC:\Program Files\NCH Swift Sound\Talk\talk.exeC:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exeC:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exeC:\WINDOWS\twain_32\Fjscan32\SOP\FtLnSOP.exeC:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exeC:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.ExeC:\WINDOWS\AGRSMMSG.exeC:\Program Files\eTrust\cctray\cctray.exeC:\Program Files\eTrust\CA Anti-Virus\CAVRID.exeC:\Program Files\Acrobat 8.0\Acrobat\Acrotray.exeC:\Program Files\IconSaver\IconSaver.exeC:\Program Files\Java\jre1.6.0_06\bin\jusched.exeC:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exeC:\Program Files\TweakMASTER\TMTray.exeC:\Program Files\DU Meter\DUMeter.exeC:\Program Files\NCH Software\Eyeline\eyeline.exeC:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exeC:\Program Files\Photo Album 6\MediaDetect.exeC:\Program Files\Vidalia\vidalia.exeC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\Program Files\Privoxy\privoxy.exeC:\Program Files\WebDrive\wdService.exeC:\Program Files\Trillian\trillian.exeC:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeC:\Program Files\Proxomitron\Proxomitron.exeC:\WINDOWS\System32\hpnra.exeC:\Program Files\Unlocker\UnlockerAssistant.exeC:\WINDOWS\explorer.exeC:\Program Files\Spell Catcher Plus\Spell Catcher.exeC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exeC:\WINDOWS\system32\taskmgr.exeC:\Program Files\Salamander 2.5\salamand.exeC:\Program Files\VNCControl\VNCControl.exeC:\Program Files\HJT\WhatsRunning.exeC:\Program Files\Internet Explorer\IEXPLORE.EXER1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO2 - BHO: TweakMASTER PRO Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dllO2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\SnagIt\SnagItIEAddin.dllO3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: UltraEdit Toolbar - {4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22} - C:\PROGRA~1\UE_TOO~1\UE_TOO~1.DLLO4 - HKLM\..\Run: [TVT Scheduler Proxy] "C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe"O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exeO4 - HKLM\..\Run: [TPKMAPHELPER] "C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" -helperO4 - HKLM\..\Run: [TPHOTKEY] "C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe"O4 - HKLM\..\Run: [TP4EX] tp4ex.exeO4 - HKLM\..\Run: [Talk] "C:\Program Files\NCH Swift Sound\Talk\talk.exe" -logonO4 - HKLM\..\Run: [startupDelayer] "C:\Program Files\Startup Delayer\Startup Launcher GUI.exe"O4 - HKLM\..\Run: [soundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"O4 - HKLM\..\Run: [FtLnSOP_setup] C:\WINDOWS\twain_32\Fjscan32\SOP\FtLnSOP.exeO4 - HKLM\..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe /StationO4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.ExeO4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exeO4 - HKLM\..\Run: [cctray] "C:\Program Files\eTrust\cctray\cctray.exe"O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\eTrust\CA Anti-Virus\CAVRID.exe"O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Acrobat 8.0\Acrobat\Acrotray.exe"O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [NSWosCheck] C:\Program Files\Norton SystemWorks Premier\osCheck.exeO4 - HKLM\..\Run: [iconSaver] "C:\Program Files\IconSaver\IconSaver.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"O4 - HKLM\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -schedulerO4 - HKLM\..\Run: [sMSI Loader] "C:\Program Files\Common Files\Smith Micro Shared\Fax\SMLoader.exe /PRNDRV"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [TweakMASTER] "C:\Program Files\TweakMASTER\TMTray.exe"O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exeO4 - HKLM\..\Run: [EyelineRun] "C:\Program Files\NCH Software\Eyeline\eyeline.exe" -logonO4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Photo Album 6\MediaDetect.exeO4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia\vidalia.exe"O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeO4 - HKUS\S-1-5-21-2247778763-3604470327-847386435-1004\..\Run: [Vidalia] "C:\Program Files\Vidalia\vidalia.exe" (User '?')O4 - HKUS\S-1-5-21-2247778763-3604470327-847386435-1004\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')O4 - S-1-5-21-2247778763-3604470327-847386435-1004 Startup: EruntRegistrySave.bat (User '?')O4 - S-1-5-21-2247778763-3604470327-847386435-1004 Startup: trillian.exe.lnk = C:\Program Files\Trillian\trillian.exe (User '?')O4 - Startup: EruntRegistrySave.batO4 - Startup: trillian.exe.lnk = C:\Program Files\Trillian\trillian.exeO4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exeO8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htmO8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htmO8 - Extra context menu item: Add to &LinkFox - res://C:\PROGRA~1\TWEAKM~1\TweakBHO.dll/IESCRIPTO8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlO8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlO8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dllO16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www1.pcpitstop.com/pcpitstop/PCPitStop.CABO17 - HKLM\System\CCS\Services\Tcpip\..\{330DAAC8-65B7-4C1D-8E5B-F6904A60CAF2}: NameServer = 66.80.130.23,66.80.131.5O17 - HKLM\System\CCS\Services\Tcpip\..\{35ED5B21-7585-40AD-A6CB-A544896180CC}: NameServer = 66.51.205.100,66.51.206.100O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\QuickBooks 2008\HelpAsyncPluggableProtocol.dllO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Ad-Aware 2007\aawservice.exeO23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exeO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeO23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\eTrust\ccprovsp.exeO23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\eTrust\CA Anti-Virus\ISafe.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXEO23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper\DkService.exeO23 - Service: Eyeline Service (EyelineService) - Unknown owner - C:\Program Files\NCH Software\Eyeline\eyeline.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: Folder Watchdog Service 2 - Alexander Seleznyov http://www.seleznyov.com - C:\Program Files\Folder Watchdog Service 2\FwdSvc2.exeO23 - Service: Folder Watchdog Service 2 Controller - Alexander Seleznyov http://www.seleznyov.com - C:\Program Files\Folder Watchdog Service 2\FwdSvc2.exeO23 - Service: HP Web Jetadmin (HPWebJetadmin) - Apache Software Foundation - C:\Program Files\HP Web Jetadmin\hpwebjetd.exeO23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: MNS Framework (MNSFramework) - Unknown owner - C:\WINDOWS\system32\MNSFramework.exeO23 - Service: MWAgent - Unknown owner - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE (file missing)O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXEO23 - Service: Port Reporter (PortReporter) - Unknown owner - C:\Program Files\PortReporter\portreporter.exeO23 - Service: PowerAlert Agent - Unknown owner - C:\Program Files\TrippLite\PowerAlert\engine/pa.exeO23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exeO23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exeO23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exeO23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL Global VPN Client\RampartSvc.exeO23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exeO23 - Service: RPM Remote Print Manager (RPM) - Brooks Internet Software, Inc - C:\Program Files\RPMElite\RPMSrvc.exeO23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exeO23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXEO23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exeO23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exeO23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exeO23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exeO23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exeO23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exeO23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\eTrust\CA Anti-Virus\VetMsg.exeO23 - Service: VRS Recording System (VRSService) - NCH Software - C:\Program Files\NCH Swift Sound\VRS\vrs.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exeO23 - Service: WebDrive Service (WebDriveService) - South River Technologies, LLC - C:\Program Files\WebDrive\wdService.exe--End of file - 16367 bytesThank you for working on this for me.Docfxit Link to post Share on other sites More sharing options...
JeanInMontana Posted June 16, 2008 ID:20478 Share Posted June 16, 2008 Running from: E:\Spyware Remover-Preventers\ComboFix.exe <===== NO ComboFix needs to run from the desktop. It did take out stuff as I suspected. Please rename HJT to what it is. I should have updated my instructions about CF. Let's try this over, do you see any improvements since it did remove several items?Review this article here how to use ComboFix Be sure you cover the section on How to install and use the Windows XP Recovery Console and make sure it is installed on your machine. This is important shoudl anything go wrong and we need to recover your PC and not lose all the data.1. Download this file :http://download.bleepingcomputer.com/sUBs/ComboFix.exe save it to your desktop.2. Double click combofix.exe. It will be a red icon with a white X on your desktop. Follow the prompts you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.Post that log and a HiJack log in your next replyNote:Do not mouseclick combofix's window while its running. That may cause it to stall. Link to post Share on other sites More sharing options...
Docfxit Posted June 17, 2008 Author ID:20495 Share Posted June 17, 2008 Running from: E:\Spyware Remover-Preventers\ComboFix.exe <===== NO ComboFix needs to run from the desktop. It did take out stuff as I suspected. Please rename HJT to what it is. DoneI should have updated my instructions about CF. Let's try this over, do you see any improvements since it did remove several items?I haven't seen any improvements. Review this article here how to use ComboFix Be sure you cover the section on How to install and use the Windows XP Recovery Console and make sure it is installed on your machine. This is important shoudl anything go wrong and we need to recover your PC and not lose all the data.I don't have a Windows CD with me at the moment. I'll pick one up tomorrow. I tried downloading the Startup Disks from the crippled PC. It won't go to a web site. I can ping yahoo.com but neither IE or FireFox will connect to any web site. I can't see any Network Connections because I can't start any services. I downloaded the Startup Disks on a different PC and copied it to the desktop of the crippled PC. I can't copy the file Startup Disks onto the ComboFix.exe because the services are stopped. (and I can't start them) I found and ran winnt32.exe /cmdconsIt can't connect to the MS Windows Update Web site. So I couldn't install it.1. Download this file :http://download.bleepingcomputer.com/sUBs/ComboFix.exe save it to your desktop.2. Double click combofix.exe. It will be a red icon with a white X on your desktop. Follow the prompts you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.Post that log and a HiJack log in your next replyNote:Do not mouseclick combofix's window while its running. That may cause it to stall.ComboFix Log:ComboFix 08-06-15.4 - GaryT 2008-06-16 19:10:39.4 - NTFSx86Running from: C:\Documents and Settings\GaryT\Desktop\ComboFix.exeWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 ))))))))))))))))))))))))))))))).2008-06-15 19:31 . 2008-05-22 15:22 129,784 --------- C:\WINDOWS\system32\pxafs.dll2008-06-15 19:31 . 2008-05-22 15:22 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe2008-06-15 19:31 . 2008-05-22 15:22 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe2008-06-15 19:31 . 2008-05-22 15:22 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys2008-06-15 19:31 . 2008-05-22 15:22 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys2008-06-14 13:02 . 2008-06-14 13:02 <DIR> d-------- C:\Program Files\SIW2008-06-10 17:04 . 2008-06-10 17:06 <DIR> d-------- C:\Program Files\ScanSpyware v3.82008-06-06 20:37 . 2008-06-06 20:37 <DIR> d-------- C:\Program Files\Panda Security2008-06-06 13:30 . 2008-06-11 08:39 <DIR> d-------- C:\Program Files\Malwarebytes2008-06-06 13:30 . 2008-06-06 13:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes2008-06-06 13:30 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys2008-06-06 13:30 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys2008-06-06 10:15 . 2002-12-29 01:14 81,920 --a------ C:\WINDOWS\system32\Startup.cpl2008-06-06 09:34 . 2008-06-06 09:34 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Acronis2008-06-06 09:09 . 2008-06-06 09:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Acronis2008-06-06 09:09 . 2008-06-06 09:09 441,760 --a------ C:\WINDOWS\system32\drivers\timntr.sys2008-06-06 09:09 . 2008-06-06 09:09 129,248 --a------ C:\WINDOWS\system32\drivers\snapman.sys2008-06-06 09:09 . 2008-06-06 09:09 44,384 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys2008-06-06 09:08 . 2008-06-06 09:08 368,544 --a------ C:\WINDOWS\system32\drivers\tdrpman.sys2008-06-06 09:02 . 2008-06-06 09:07 <DIR> d-------- C:\Program Files\Common Files\Acronis2008-06-05 17:01 . 2008-06-05 17:01 <DIR> d-------- C:\Documents and Settings\GaryT\.JB52008-06-04 14:59 . 2008-06-04 14:59 880,560 --a------ C:\WINDOWS\system32\drivers\vetefile.sys2008-06-04 14:59 . 2008-06-04 14:59 108,368 --a------ C:\WINDOWS\system32\drivers\veteboot.sys2008-06-04 10:32 . 2008-06-04 10:32 <DIR> d-------- C:\Documents and Settings\GaryT\.JB42008-05-30 12:24 . 2008-06-03 15:13 <DIR> d-------- C:\Program Files\Folder Watchdog Service 22008-05-29 20:58 . 2008-05-29 20:58 5,760,998 --a------ C:\WINDOWS\Cambria.bmp2008-05-27 22:42 . 2008-05-27 22:42 29 --a------ C:\WINDOWS\Atw.INI2008-05-27 18:43 . 2008-05-27 18:43 <DIR> d-------- C:\Program Files\Common Files\Apple2008-05-24 14:09 . 2008-05-24 14:09 <DIR> d-------- C:\Program Files\File Audit2008-05-24 09:59 . 2008-05-29 14:34 <DIR> d-------- C:\Program Files\Driver Detective2008-05-23 09:29 . 2008-05-24 09:18 <DIR> d-------- C:\Program Files\TweakMASTER2008-05-23 09:29 . 2008-05-23 09:29 <DIR> d-------- C:\Program Files\DU Meter2008-05-23 09:29 . 2008-05-23 09:29 <DIR> d-------- C:\Documents and Settings\GaryT\Application Data\Hagel Technologies2008-05-23 09:29 . 2008-05-23 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hagel Technologies2008-05-22 19:00 . 2008-05-22 19:01 <DIR> d-------- C:\Program Files\Apple Software Update2008-05-22 19:00 . 2008-05-22 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple2008-05-22 15:22 . 2008-05-22 15:22 3,596,288 --a--c--- C:\WINDOWS\system32\qt-dx331.dll2008-05-22 15:22 . 2008-05-22 15:22 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe2008-05-22 15:22 . 2008-05-22 15:22 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb2008-05-22 15:20 . 2008-05-22 15:20 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll2008-05-22 15:20 . 2008-05-22 15:20 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll2008-05-22 15:19 . 2008-05-22 15:19 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax2008-05-22 15:19 . 2008-05-22 15:19 196,608 --a------ C:\WINDOWS\system32\dtu100.dll2008-05-22 15:19 . 2008-05-22 15:19 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe2008-05-22 15:19 . 2008-05-22 15:19 81,920 --a------ C:\WINDOWS\system32\dpl100.dll2008-05-22 15:19 . 2008-05-22 15:19 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest2008-05-22 15:19 . 2008-05-22 15:19 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest2008-05-22 15:18 . 2008-05-22 15:18 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll2008-05-22 14:23 . 2008-05-22 19:06 <DIR> d-------- C:\Program Files\QuickTime Alternative2008-05-22 14:23 . 2008-05-22 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer2008-05-22 14:23 . 2008-03-28 21:07 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx2008-05-22 14:23 . 2008-03-28 21:07 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts2008-05-22 10:57 . 2008-05-22 10:57 <DIR> d-------- C:\Documents and Settings\GaryT\Application Data\Malwarebytes2008-05-21 18:00 . 2008-05-21 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers Headquarters2008-05-19 20:08 . 2008-06-16 13:44 2,206 --a------ C:\WINDOWS\system32\wpa.dbl2008-05-19 16:12 . 2008-05-20 18:45 <DIR> d-------- C:\Program Files\Uninstall Plus2008-05-19 12:22 . 2008-05-19 12:22 <DIR> d-------- C:\Program Files\AviSynth 2.52008-05-19 12:20 . 2008-05-19 12:20 <DIR> d-------- C:\Program Files\DVD2SVCD2008-05-19 12:05 . 1999-09-10 04:06 4,672 --a------ C:\WINDOWS\system\wowpost.exe2008-05-19 12:04 . 1999-09-10 04:06 45,056 --a------ C:\WINDOWS\system32\wnaspi32.dll2008-05-19 12:04 . 1999-09-10 04:06 25,244 --a------ C:\WINDOWS\system32\drivers\aspi32.sys2008-05-19 12:04 . 1997-12-22 22:02 23,936 --a------ C:\WINDOWS\system\aspi32.sys2008-05-19 12:04 . 1999-09-10 04:06 5,600 --a------ C:\WINDOWS\system\winaspi.dll2008-05-19 11:49 . 2008-05-21 17:41 <DIR> d-------- C:\Documents and Settings\GaryT\Application Data\ImgBurn2008-05-19 11:38 . 2008-05-21 12:44 <DIR> d-------- C:\Program Files\ImgBurn2008-05-18 16:33 . 2008-05-18 16:33 <DIR> d-------- C:\Documents and Settings\GaryT\Application Data\LEAPS2008-05-18 16:22 . 2008-05-19 16:39 <DIR> d-------- C:\Program Files\TMPGEnc 4.0 XPress2008-05-18 11:17 . 2008-06-10 14:04 <DIR> d-------- C:\Program Files\HDiskDefrag.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2008-06-17 02:16 --------- d-----w C:\Program Files\eTrust2008-06-17 02:02 --------- d-----w C:\Documents and Settings\GaryT\Application Data\ue_toolbar2008-06-17 01:48 --------- d-----w C:\Program Files\Firefox2008-06-17 01:35 --------- d-----w C:\Program Files\HJT2008-06-16 20:33 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP2008-06-16 02:32 --------- d-----w C:\Program Files\DivX2008-06-15 20:32 --------- d-----w C:\Program Files\ZipCentral2008-06-14 21:54 --------- d-----w C:\Documents and Settings\GaryT\Application Data\Vidalia2008-06-13 00:39 --------- d-----w C:\Program Files\Trillian2008-06-13 00:29 --------- d-----w C:\Program Files\CCleaner2008-06-12 20:47 --------- d-----w C:\Program Files\Uninstaller 20082008-06-12 20:41 --------- d-----w C:\Program Files\JkDefrag2008-06-03 16:52 --------- d-----w C:\Program Files\NCH Software2008-06-03 16:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Software2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll2008-05-30 23:22 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll2008-05-30 23:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll2008-05-30 23:22 683,520 ----a-w C:\WINDOWS\system32\DivX.dll2008-05-30 23:22 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll2008-05-30 23:22 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll2008-05-30 23:22 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll2008-05-30 23:22 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll2008-05-29 18:34 --------- d-----w C:\Program Files\Photo Album 62008-05-28 02:54 --------- d-----w C:\Program Files\QuickTime2008-05-28 01:25 --------- d-----w C:\Program Files\Savings Bond Wizard2008-05-28 00:03 --------- d-----w C:\Program Files\UltraVNC2008-05-24 17:02 --------- d--h--w C:\Program Files\InstallShield Installation Information2008-05-23 23:32 --------- d-----w C:\Program Files\Salamander 2.52008-05-23 16:55 --------- d-----w C:\Program Files\SUPERAntiSpyware2008-05-23 16:26 --------- d-----w C:\Program Files\CommView2008-05-22 22:22 43,528 -c----w C:\WINDOWS\system32\drivers\pxhelp20.sys2008-05-21 19:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard2008-05-19 20:53 --------- d-----w C:\Program Files\MSECACHE2008-05-17 04:45 --------- d-----w C:\Program Files\AutoIt32008-05-16 16:27 --------- d-----w C:\Program Files\PortReporter2008-05-16 16:24 --------- d-----w C:\Program Files\PortRptr2008-05-15 20:37 --------- d-----w C:\Program Files\HotFax MessageCenter2008-05-15 20:33 --------- d-----w C:\Program Files\Common Files\Smith Micro Shared2008-05-14 22:27 --------- d-----w C:\Program Files\BartPebuilder3110a2008-05-14 19:31 --------- d-----w C:\Documents and Settings\GaryT\Application Data\SonicWALL2008-05-14 19:22 --------- d-----w C:\Program Files\SonicWALL Global VPN Client2008-05-13 21:50 18,192 -c--a-w C:\WINDOWS\system32\pgdfgsvc.exe2008-05-12 16:00 --------- d-----w C:\Program Files\RunAsspc2008-05-07 17:51 --------- d-----w C:\Program Files\FlashGet2008-05-05 15:15 --------- d-----w C:\Program Files\Defrag Contig2008-05-05 14:59 --------- d-----w C:\Program Files\PageDfrg2008-05-05 03:57 --------- d-----w C:\Documents and Settings\GaryT\Application Data\Skype2008-05-04 23:00 --------- d-----w C:\Documents and Settings\GaryT\Application Data\skypePM2008-05-04 16:37 --------- d-----w C:\Program Files\Skype2008-05-04 16:37 --------- d-----w C:\Program Files\Common Files\Skype2008-05-04 16:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype2008-05-04 16:26 --------- d-----w C:\Program Files\SpeedFan2008-05-03 23:43 --------- d-----w C:\Program Files\Three Rings Design2008-05-03 23:42 --------- d-----w C:\Program Files\Java2008-05-03 20:07 --------- d-----w C:\Program Files\Update CheckerFilehippo.com2008-05-02 21:02 --------- d-----w C:\Program Files\Digital Media Converter2008-05-02 20:51 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll2008-05-02 19:00 --------- d-----w C:\Program Files\Common Files\DeskShare Shared2008-05-02 16:31 --------- d-----w C:\Program Files\Codec WMV9_VCM2008-05-01 18:25 16,450,560 --sh--r C:\SYSCMNDR.SYS2008-05-01 18:08 --------- d-----w C:\Program Files\testdisk-6.92008-05-01 00:19 --------- d-----w C:\Program Files\WinSnap2008-04-30 14:27 --------- d-----w C:\Program Files\IconSaver2008-04-29 21:17 --------- d-----w C:\Documents and Settings\GaryT\Application Data\GetRightToGo2008-04-29 19:01 --------- d-----w C:\Program Files\Ad-Aware 20072008-04-28 19:00 --------- d-----w C:\Program Files\Norton SystemWorks Premier2008-04-28 19:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared2008-04-28 17:50 --------- d-----w C:\Program Files\MediaInfo2008-04-28 17:37 --------- d-----w C:\Program Files\AVIcodec2008-04-28 17:17 --------- d-----w C:\Program Files\FileAlyzer2008-04-28 16:28 --------- d-----w C:\Program Files\FileType TrIDNet2008-04-28 16:18 --------- d-----w C:\Program Files\Globe72008-04-28 16:09 --------- d-----w C:\Documents and Settings\GaryT\Application Data\Globe72008-04-28 15:21 --------- d-----w C:\Program Files\Startup Delayer2008-04-28 14:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec2008-04-28 14:05 805 -c--a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF2008-04-28 14:05 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL2008-04-28 14:05 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS2008-04-28 14:05 10,740 -c--a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT2008-04-28 14:05 --------- d-----w C:\Program Files\Symantec2008-04-25 16:32 --------- d-----w C:\Program Files\Privoxy2008-04-22 16:41 --------- d-----w C:\Documents and Settings\GaryT\Application Data\DivX2008-04-22 16:19 --------- d-----w C:\Program Files\K-Lite Codec Pack2008-04-22 01:23 --------- d-----w C:\Program Files\LsGrab2008-04-18 16:31 --------- d-----w C:\Documents and Settings\GaryT\Application Data\Convivea2008-04-18 15:33 --------- d-----w C:\Program Files\Unziplify2008-04-18 14:05 --------- d-----w C:\Documents and Settings\GaryT\Application Data\Zeon2008-04-18 14:05 --------- d-----w C:\Documents and Settings\GaryT\Application Data\ScanSoft2008-04-18 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft2008-04-18 05:22 --------- d-----w C:\Program Files\ScanSoft2008-04-18 04:32 --------- d-----w C:\Program Files\Nero2008-04-18 01:14 --------- d-----w C:\Program Files\QuickBooks 20082008-04-10 04:04 99,904 ----a-w C:\WINDOWS\system32\isafeif.dll2008-04-10 04:04 79,424 ----a-w C:\WINDOWS\system32\vetredir.dll2008-04-10 04:04 75,280 ----a-w C:\WINDOWS\system32\isafprod.dll2008-03-07 19:18 1,004 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys.<pre>-c--a-w 655,272 2006-06-16 03:58:01 C:\Dnload\ivmsetup ver. 3.07 .exe-c--a-w 3,609,847 2006-03-01 01:32:58 C:\Dnload\JPGWIZ ver.2.4.0.6 .EXE----a-w 22,300,968 2008-04-29 22:09:33 C:\Dnload\SkypeSetup 3.8.0.115 .exe----a-w 1,697,344 2008-04-17 04:46:44 C:\Program Files\UltraVNC\vncviewer ver.1.0.4.914 .exe</pre>------- Sigcheck -------2004-08-03 16:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe2007-09-19 21:35 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\system32\user32.dll2004-08-03 16:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll2008-02-16 02:32 666112 bb1eacd6ab47e78ebca02eb781550d55 C:\WINDOWS\system32\wininet.dll2007-10-30 09:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\system32\drivers\tcpip.sys2004-08-03 16:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe2004-08-03 15:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys2004-08-03 15:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys2007-09-19 21:55 2062336 5cf9911d32a07860dab935adf265b8a9 C:\WINDOWS\system32\ntkrnlpa.exe2007-09-19 21:49 2185472 9a8f4f15f3a85f2b67525425f24df7f6 C:\WINDOWS\system32\ntoskrnl.exe2007-09-19 21:48 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\explorer.exe2004-08-03 16:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe2004-08-03 16:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe2004-08-03 16:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe.((((((((((((((((((((((((((((( snapshot@2008-06-16_14.30.47.68 ))))))))))))))))))))))))))))))))))))))))).- 2008-06-16 21:19:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat+ 2008-06-17 02:22:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat+ 2005-10-20 20:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-06-16\ERDNT.EXE+ 2008-06-16 21:25:54 9,666,560 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-06-16\Users\00000001\NTUSER.DAT+ 2008-06-16 21:25:56 376,832 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-06-16\Users\00000002\UsrClass.dat.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Vidalia"="C:\Program Files\Vidalia\vidalia.exe" [2007-02-07 18:38 11891712]"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-22 18:21 1510640][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 10:34 487424]"TrackPointSrv"="tp4mon.exe" [2004-08-04 01:56 82432 C:\WINDOWS\system32\tp4mon.exe]"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 20:04 864256]"TPHOTKEY"="C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 11:19 94208]"TP4EX"="tp4ex.exe" [2005-10-17 02:11 65536 C:\WINDOWS\system32\TP4EX.exe]"Talk"="C:\Program Files\NCH Swift Sound\Talk\talk.exe" [2008-02-21 10:21 647172]"StartupDelayer"="C:\Program Files\Startup Delayer\Startup Launcher GUI.exe" [2007-12-14 02:11 44032]"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 10:52 1368064]"FtLnSOP_setup"="C:\WINDOWS\twain_32\Fjscan32\SOP\FtLnSOP.exe" [2005-01-06 01:16 212992]"FJTWAIN Setup"="C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe" [2006-06-14 15:03 126976]"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 02:33 243248]"atr.exe"="" []"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-02-06 21:00 344064]"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 09:53 88363 C:\WINDOWS\AGRSMMSG.exe]"cctray"="C:\Program Files\eTrust\cctray\cctray.exe" [2008-04-09 21:04 177416]"CAVRID"="C:\Program Files\eTrust\CA Anti-Virus\CAVRID.exe" [2008-04-09 21:04 230928]"Acrobat Assistant 8.0"="C:\Program Files\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-10-27 17:38 107112]"NSWosCheck"="C:\Program Files\Norton SystemWorks Premier\osCheck.exe" [2007-12-03 01:41 25472]"IconSaver"="C:\Program Files\IconSaver\IconSaver.exe" [2004-01-12 05:59 110592]"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-27 10:07 208896]"SMSI Loader"="C:\Program Files\Common Files\Smith Micro Shared\Fax\SMLoader.exe" [2004-10-12 13:01 32768]"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]"TweakMASTER"="C:\Program Files\TweakMASTER\TMTray.exe" [2006-11-27 15:26 284712]"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2006-11-27 15:19 1582616]"EyelineRun"="C:\Program Files\NCH Software\Eyeline\eyeline.exe" [2008-06-03 09:52 425988]"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-30 20:07 140568]"Corel Photo Downloader"="C:\Program Files\Photo Album 6\MediaDetect.exe" [2007-02-21 01:15 112208][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 14:59 44544]"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []"IE7-10"="advpack.dll" [2004-08-03 16:56 99840 C:\WINDOWS\system32\advpack.dll][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"SynchronousMachineGroupPolicy"= 0 (0x0)"SynchronousUserGroupPolicy"= 0 (0x0)[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]"NoBandCustomize"= 0 (0x0)"NoMovingBands"= 0 (0x0)"NoCloseDragDropBands"= 0 (0x0)[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]notifyf2.dll 2005-07-06 00:45 28672 C:\WINDOWS\system32\notifyf2.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]tphklock.dll 2006-02-01 16:09 24576 C:\WINDOWS\system32\tphklock.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]"AppInit_DLLs"=apitrap.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]"VIDC.HFYU"= huffyuv.dll[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]Authentication Packages REG_MULTI_SZ relog_ap[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IconSaver.exe.lnk]backup=C:\WINDOWS\pss\IconSaver.exe.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^GaryT^Start Menu^Programs^Startup^4t Tray Minimizer.lnk]backup=C:\WINDOWS\pss\4t Tray Minimizer.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^GaryT^Start Menu^Programs^Startup^Bluetooth.lnk]backup=C:\WINDOWS\pss\Bluetooth.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^GaryT^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]backup=C:\WINDOWS\pss\ERUNT AutoBackup.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^GaryT^Start Menu^Programs^Startup^FileBox eXtender.lnk]backup=C:\WINDOWS\pss\FileBox eXtender.lnkStartup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cctray][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]"btwdins"=2 (0x2)[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]"ctfmon.exe"=C:\WINDOWS\System32\ctfmon.exe"Skype"="C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized"OpAgent"="OpAgent.exe" /agent[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]"SMSI Loader"="C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe" /PRNDRV"pdfFactory Dispatcher v2"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"frymxins"="C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl""HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper"IPSend.exe"=C:\Dnload\9xAddons\Autoit V3 Script\ipsend.exe"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler"VRS"="C:\Program Files\NCH Swift Sound\VRS\vrs.exe" -logon"IMSRun"="C:\Program Files\NCH Swift Sound\IMS\ims.exe" -logon"ScanSoft OmniPage 16-reminder"="C:\Program Files\ScanSoft\OmniPage16\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\OmniPage 16\Ereg\Ereg.ini""Globe7"="C:\Program Files\Globe7\Globe7.exe"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="C:\\Program Files\\SonicWALL Global VPN Client\\SWGVpnClient.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="C:\\Program Files\\QuickBooks 2008\\QBDBMgrN.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\UltraVNC\\vncviewer.exe"="C:\\WINDOWS\\cwbrxd.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"8002:UDP"= 8002:UDP:Express Talk RTP Incoming Audio (UDP)"8003:UDP"= 8003:UDP:Express Talk RTP Incoming Audio (UDP)"8004:UDP"= 8004:UDP:Express Talk RTP Incoming Audio (UDP)"8005:UDP"= 8005:UDP:Express Talk RTP Incoming Audio (UDP)"8006:UDP"= 8006:UDP:Express Talk RTP Incoming Audio (UDP)"8007:UDP"= 8007:UDP:Express Talk RTP Incoming Audio (UDP)"8008:UDP"= 8008:UDP:Express Talk RTP Incoming Audio (UDP)"8009:UDP"= 8009:UDP:Express Talk RTP Incoming Audio (UDP)"8010:UDP"= 8010:UDP:Express Talk RTP Incoming Audio (UDP)"8011:UDP"= 8011:UDP:Express Talk RTP Incoming Audio (UDP)"5060:UDP"= 5060:UDP:Express Talk Sip Incoming Calls (UDP)"512:TCP"= 512:TCP:exec server (rexecd, port 512)[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12HPService REG_MULTI_SZ HPSLPSVC[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]\Shell\AutoRun\command - H:\LaunchU3.exe -a[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b55c9a1-bcda-11dc-9381-00d059ca1246}]\Shell\AutoRun\command - H:\LaunchU3.exe -a.Contents of the 'Scheduled Tasks' folder"2008-06-04 01:31:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"- C:\Program Files\Apple Software Update\SoftwareUpdate.exe"2008-06-03 15:32:28 C:\WINDOWS\Tasks\CleanTemp.job"- C:\Batch\CleanTemp2.bat.**************************************************************************catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-06-16 19:26:18Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ...scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PowerAlert Agent]"ImagePath"="C:\Program Files\TrippLite\PowerAlert\engine/pa.exe -service".--------------------- DLLs Loaded Under Running Processes ---------------------PROCESS: C:\WINDOWS\system32\winlogon.exe-> C:\WINDOWS\system32\tphklock.dllPROCESS: C:\WINDOWS\explorer.exe-> C:\Program Files\Unlocker\UnlockerHook.dll.------------------------ Other Running Processes ------------------------.C:\WINDOWS\system32\ibmpmsvc.exeC:\WINDOWS\system32\ati2evxx.exeC:\WINDOWS\system32\ati2evxx.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\eTrust\CA Anti-Virus\isafe.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\Program Files\Folder Watchdog Service 2\FwdSvc2.exeC:\Program Files\HP Web Jetadmin\hpwebjetd.exeC:\WINDOWS\system32\MNSFramework.exeC:\WINDOWS\system32\PSIService.exeC:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exeC:\Program Files\HP Web Jetadmin\hpwebjetd.exeC:\Program Files\Analog Devices\SoundMAX\SMAgent.exeC:\Program Files\Lenovo\System Update\SUService.exeC:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exeC:\WINDOWS\system32\TpKmpSvc.exeC:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exeC:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exeC:\Program Files\eTrust\CA Anti-Virus\vetmsg.exeC:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exeC:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exeC:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXEC:\Program Files\Privoxy\privoxy.exeC:\Program Files\WebDrive\wdService.exeC:\Program Files\Trillian\trillian.exeC:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeC:\Program Files\Proxomitron\Proxomitron.exeC:\WINDOWS\system32\hpnra.exeC:\Program Files\Unlocker\UnlockerAssistant.exeC:\Program Files\Spell Catcher Plus\Spell Catcher.exe.**************************************************************************.Completion time: 2008-06-16 19:34:55 - machine was rebootedComboFix-quarantined-files.txt 2008-06-17 02:34:15ComboFix2.txt 2008-06-17 00:20:44ComboFix3.txt 2008-06-16 21:32:02ComboFix4.txt 2007-11-05 21:29:13Pre-Run: 2,015,956,992 bytes freePost-Run: 1,998,716,928 bytes free421 --- E O F --- 2008-05-17 10:03:17HJT Log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:07:09 PM, on 6/16/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\ibmpmsvc.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\eTrust\CA Anti-Virus\ISafe.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\Program Files\NCH Software\Eyeline\eyeline.exeC:\Program Files\Folder Watchdog Service 2\FwdSvc2.exeC:\Program Files\HP Web Jetadmin\hpwebjetd.exeC:\WINDOWS\system32\MNSFramework.exeC:\WINDOWS\System32\PSIService.exeC:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exeC:\Program Files\HP Web Jetadmin\hpwebjetd.exeC:\Program Files\Analog Devices\SoundMAX\SMAgent.exeC:\Program Files\Lenovo\System Update\SUService.exeC:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exeC:\WINDOWS\system32\TpKmpSVC.exeC:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exeC:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exeC:\Program Files\eTrust\CA Anti-Virus\VetMsg.exeC:\Program Files\NCH Swift Sound\VRS\vrs.exeC:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exeC:\WINDOWS\system32\tp4mon.exeC:\Program Files\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exeC:\Program Files\NCH Swift Sound\Talk\talk.exeC:\WINDOWS\twain_32\Fjscan32\SOP\FtLnSOP.exeC:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exeC:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exeC:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exeC:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.ExeC:\WINDOWS\AGRSMMSG.exeC:\Program Files\eTrust\cctray\cctray.exeC:\Program Files\eTrust\CA Anti-Virus\CAVRID.exeC:\Program Files\Acrobat 8.0\Acrobat\Acrotray.exeC:\Program Files\IconSaver\IconSaver.exeC:\Program Files\Java\jre1.6.0_06\bin\jusched.exeC:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exeC:\Program Files\TweakMASTER\TMTray.exeC:\Program Files\DU Meter\DUMeter.exeC:\Program Files\NCH Software\Eyeline\eyeline.exeC:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exeC:\Program Files\Photo Album 6\MediaDetect.exeC:\Program Files\Vidalia\vidalia.exeC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\Program Files\Privoxy\privoxy.exeC:\Program Files\WebDrive\wdService.exeC:\Program Files\Trillian\trillian.exeC:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeC:\Program Files\Proxomitron\Proxomitron.exeC:\WINDOWS\System32\hpnra.exeC:\Program Files\Unlocker\UnlockerAssistant.exeC:\WINDOWS\explorer.exeC:\Program Files\Spell Catcher Plus\Spell Catcher.exeC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exeC:\WINDOWS\system32\taskmgr.exeC:\Program Files\VNCControl\VNCControl.exeC:\Program Files\UltraVNC\vncviewer.exeC:\Program Files\Salamander 2.5\salamand.exeC:\Program Files\HJT\HiJackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO2 - BHO: TweakMASTER PRO Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dllO2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\SnagIt\SnagItIEAddin.dllO3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: UltraEdit Toolbar - {4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22} - C:\PROGRA~1\UE_TOO~1\UE_TOO~1.DLLO4 - HKLM\..\Run: [TVT Scheduler Proxy] "C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe"O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exeO4 - HKLM\..\Run: [TPKMAPHELPER] "C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" -helperO4 - HKLM\..\Run: [TPHOTKEY] "C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe"O4 - HKLM\..\Run: [TP4EX] tp4ex.exeO4 - HKLM\..\Run: [Talk] "C:\Program Files\NCH Swift Sound\Talk\talk.exe" -logonO4 - HKLM\..\Run: [startupDelayer] "C:\Program Files\Startup Delayer\Startup Launcher GUI.exe"O4 - HKLM\..\Run: [soundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"O4 - HKLM\..\Run: [FtLnSOP_setup] C:\WINDOWS\twain_32\Fjscan32\SOP\FtLnSOP.exeO4 - HKLM\..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe /StationO4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.ExeO4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exeO4 - HKLM\..\Run: [cctray] "C:\Program Files\eTrust\cctray\cctray.exe"O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\eTrust\CA Anti-Virus\CAVRID.exe"O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Acrobat 8.0\Acrobat\Acrotray.exe"O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [NSWosCheck] C:\Program Files\Norton SystemWorks Premier\osCheck.exeO4 - HKLM\..\Run: [iconSaver] "C:\Program Files\IconSaver\IconSaver.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"O4 - HKLM\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -schedulerO4 - HKLM\..\Run: [sMSI Loader] "C:\Program Files\Common Files\Smith Micro Shared\Fax\SMLoader.exe /PRNDRV"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [TweakMASTER] "C:\Program Files\TweakMASTER\TMTray.exe"O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exeO4 - HKLM\..\Run: [EyelineRun] "C:\Program Files\NCH Software\Eyeline\eyeline.exe" -logonO4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Photo Album 6\MediaDetect.exeO4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia\vidalia.exe"O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeO4 - HKUS\S-1-5-21-2247778763-3604470327-847386435-1004\..\Run: [Vidalia] "C:\Program Files\Vidalia\vidalia.exe" (User '?')O4 - HKUS\S-1-5-21-2247778763-3604470327-847386435-1004\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')O4 - S-1-5-21-2247778763-3604470327-847386435-1004 Startup: EruntRegistrySave.bat (User '?')O4 - S-1-5-21-2247778763-3604470327-847386435-1004 Startup: trillian.exe.lnk = C:\Program Files\Trillian\trillian.exe (User '?')O4 - Startup: EruntRegistrySave.batO4 - Startup: trillian.exe.lnk = C:\Program Files\Trillian\trillian.exeO4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exeO8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htmO8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htmO8 - Extra context menu item: Add to &LinkFox - res://C:\PROGRA~1\TWEAKM~1\TweakBHO.dll/IESCRIPTO8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlO8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlO8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dllO16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www1.pcpitstop.com/pcpitstop/PCPitStop.CABO17 - HKLM\System\CCS\Services\Tcpip\..\{330DAAC8-65B7-4C1D-8E5B-F6904A60CAF2}: NameServer = 66.80.130.23,66.80.131.5O17 - HKLM\System\CCS\Services\Tcpip\..\{35ED5B21-7585-40AD-A6CB-A544896180CC}: NameServer = 66.51.205.100,66.51.206.100O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\QuickBooks 2008\HelpAsyncPluggableProtocol.dllO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Ad-Aware 2007\aawservice.exeO23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exeO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeO23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\eTrust\ccprovsp.exeO23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\eTrust\CA Anti-Virus\ISafe.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXEO23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper\DkService.exeO23 - Service: Eyeline Service (EyelineService) - Unknown owner - C:\Program Files\NCH Software\Eyeline\eyeline.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: Folder Watchdog Service 2 - Alexander Seleznyov http://www.seleznyov.com - C:\Program Files\Folder Watchdog Service 2\FwdSvc2.exeO23 - Service: Folder Watchdog Service 2 Controller - Alexander Seleznyov http://www.seleznyov.com - C:\Program Files\Folder Watchdog Service 2\FwdSvc2.exeO23 - Service: HP Web Jetadmin (HPWebJetadmin) - Apache Software Foundation - C:\Program Files\HP Web Jetadmin\hpwebjetd.exeO23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: MNS Framework (MNSFramework) - Unknown owner - C:\WINDOWS\system32\MNSFramework.exeO23 - Service: MWAgent - Unknown owner - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE (file missing)O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXEO23 - Service: Port Reporter (PortReporter) - Unknown owner - C:\Program Files\PortReporter\portreporter.exeO23 - Service: PowerAlert Agent - Unknown owner - C:\Program Files\TrippLite\PowerAlert\engine/pa.exeO23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exeO23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exeO23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exeO23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL Global VPN Client\RampartSvc.exeO23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exeO23 - Service: RPM Remote Print Manager (RPM) - Brooks Internet Software, Inc - C:\Program Files\RPMElite\RPMSrvc.exeO23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exeO23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXEO23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exeO23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exeO23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exeO23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exeO23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exeO23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exeO23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\eTrust\CA Anti-Virus\VetMsg.exeO23 - Service: VRS Recording System (VRSService) - NCH Software - C:\Program Files\NCH Swift Sound\VRS\vrs.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exeO23 - Service: WebDrive Service (WebDriveService) - South River Technologies, LLC - C:\Program Files\WebDrive\wdService.exe--End of file - 16357 bytesThank you for working on this.Docfxit Link to post Share on other sites More sharing options...
JeanInMontana Posted June 17, 2008 ID:20511 Share Posted June 17, 2008 If you can't connect to a web site how are you here? You have processes and services running like crazy. What do you mean you can't start a service? Have you tried doing a System Restore? MBAM is at version 1.17 now try getting it to run please. One other thing you might do is a SFCscannow to repair missing files etc. You can do this without the CD for Windows and the instructions are in the PC Help forum here . Are you adding the code box to the ComboFix scan? I have never seen that.OK I may have found something C:\WINDOWS\system\wowpost.exe <======= Upload and scan that file at www.virustotal.com also upload it to http://uploads.malwarebytes.org/I'll check back later to see the answers to my interrogation. Link to post Share on other sites More sharing options...
Docfxit Posted June 17, 2008 Author ID:20516 Share Posted June 17, 2008 If you can't connect to a web site how are you here? I'm using another computer.You have processes and services running like crazy. What do you mean you can't start a service? A ton of services aren't starting. I can' only see the standard services. (Not the Extended) I can't get to Network Connections. I can't see anything in User Accounts. (The screen is blank)Secondary Logon says "Starting" Not started. I can't stop it.I don't have a start or task bar.Have you tried doing a System Restore? I get a message saying "System Restore is not able to protect your computer. Please restart your computer and then run System Restore again.MBAM is at version 1.17 now try getting it to run please. I'm getting the same message "Run-time Error '372' Vbalsgrid6.ocx. I'm guessing it requires a service that isn't running.One other thing you might do is a SFCscannow to repair missing files etc. You can do this without the CD for Windows and the instructions are in the PC Help forum here . I ran SFC /scannow. After a reboot nothing changed.Are you adding the code box to the ComboFix scan? I have never seen that.I am not adding it. It's in the original file C:\ComboFix.txtOK I may have found something C:\WINDOWS\system\wowpost.exe <======= Upload and scan that file at www.virustotal.com also upload it to http://uploads.malwarebytes.org/www.virustotal.com shows it's clean. When I upload it to http://uploads.malwarebytes.org/ it goes into an endless loop saying there was an error uploading the file!I'll check back later to see the answers to my interrogation. Thank you for your time.Docfxit Link to post Share on other sites More sharing options...
JeanInMontana Posted June 18, 2008 ID:20584 Share Posted June 18, 2008 Did you zip the file to upload? I think you have way more than malware. Most likely system damage only a reformat will fix. This is making all fixes useless. Seems what we need to run won't yet plenty is running. I'm going to have a friend look at this. Link to post Share on other sites More sharing options...
ShadowPuterDude Posted June 18, 2008 ID:20646 Share Posted June 18, 2008 Hello, Jean has asked me to have a look here and see if there is something that can be done to bring the system back to an operable state.Download:- ISeeYouXP by ShadowPuterDudeDouble-click ISeeYouXP.exe, ISeeYouXp will be extracted to C:\ISeeYouXP; and a shortcut to ISeeYouXP.bat will be placed on the Desktop.Double-click the ISeeYouXP shortcut to run ISeeYouXP.Possible Error MessagesIf your ISeeYouXP.txt log appears to be empty or semi-empty or you get an error message similar to the below when running ISeeYouXP.bat and you are running Windows XP or Windows 2000, follow the steps further down that relate to your OSC:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Window applications.To fix the above error message, choose the download below which is appropriate for your systemFor Windows XP Pro: download and run: XPproFixFor Windows XP Home: download and run: XPHomeFixFor Windows 2000: download and run: W2KFixThen run ISeeYouXP.bat again and attach the log.[*]A possible second type of error message may occur as shown in the quote box below! If you get either of these two messages, perform the Resolution steps given in this: Virtual Device Driver Error Message in 16-Bit MS-DOS Subsystem16 bit MS-DOS Subsystem drive:\program path XXXX. An installable Virtual Device Driver failed DLL initialization. Choose 'Close' to terminate the application. -or- 16 bit MS-DOS Subsystem drive:\program path SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers. VDD. Virtual Device Driver format in the registry is invalid. Choose 'Close' to terminate the application.After attempting to fix the above errors, run ISeeYouXP.bat and attach the log.This log is quite long, as it dumps a lot of data about your system state, file system and registry.Attach the ISeeYouXP log. It will be on your Desktop. Link to post Share on other sites More sharing options...
Docfxit Posted June 19, 2008 Author ID:20671 Share Posted June 19, 2008 Did you zip the file to upload? No I didn't zip the file. Did you try to upload a file? Does it work for you?I think you have way more than malware. Most likely system damage only a reformat will fix. If I had very little on this computer I wouldn't be wasting my time trying to fix it. I'd reformat. Since I have so much installed I'd like to continue trying to fix it. I realize your area of expertise is removing malware. I don't know if I still have malware on this computer or if the malware did it's damage and is gone now.This is making all fixes useless. Seems what we need to run won't yet plenty is running. I'm going to have a friend look at this.Thanks a bunch for getting some to help out. I really appreciate your efforts. Gary Link to post Share on other sites More sharing options...
JeanInMontana Posted June 19, 2008 ID:20680 Share Posted June 19, 2008 Please cooperate with ShadowPuterDude. I have asked him to try and help you. Link to post Share on other sites More sharing options...
Docfxit Posted June 21, 2008 Author ID:20826 Share Posted June 21, 2008 Please cooperate with ShadowPuterDude. I have asked him to try and help you.I definitely will as soon as I get the time.Thank you,Docfxit Link to post Share on other sites More sharing options...
JeanInMontana Posted July 1, 2008 ID:21603 Share Posted July 1, 2008 Topic reopened per user request. Link to post Share on other sites More sharing options...
Docfxit Posted July 1, 2008 Author ID:21643 Share Posted July 1, 2008 I have uploaded my file here: ISeeYouXP.txt Updated fileThank you for taking a look at it.Docfxit Link to post Share on other sites More sharing options...
ShadowPuterDude Posted July 1, 2008 ID:21645 Share Posted July 1, 2008 That log has been edited to remove information that is vital to properly diagnosing the system.Run ISeeYouXP and attach the log here, unedited. If the log is too large then zip the log and attach it.Do NOT upload the log to any third-party services. Link to post Share on other sites More sharing options...
Docfxit Posted July 1, 2008 Author ID:21649 Share Posted July 1, 2008 That log has been edited to remove information that is vital to properly diagnosing the system.The file is complete as it was run. You might be missing something because VBS files don't seem to run. I have tried to get them to run with no luck.Run ISeeYouXP and attach the log here, unedited. If the log is too large then zip the log and attach it.Do NOT upload the log to any third-party services.Ok.The file was too big to paste into this post.I didn't notice I could upload a file here. Much more convenient.It's attached.Thank you,DocfxitISeeYouXP.zipISeeYouXP.zip Link to post Share on other sites More sharing options...
ShadowPuterDude Posted July 1, 2008 ID:21651 Share Posted July 1, 2008 Download and install Windows Script 5.7 for Windows XP; and then run ISeeYouXP again.See if that makes a difference. Link to post Share on other sites More sharing options...
Docfxit Posted July 1, 2008 Author ID:21657 Share Posted July 1, 2008 Download and install Windows Script 5.7 for Windows XP; and then run ISeeYouXP again.See if that makes a difference.Thank you for the suggestion.I have installed the update. I have re-booted. I still can't get a script to run.Thank you,Docfxit Link to post Share on other sites More sharing options...
ShadowPuterDude Posted July 1, 2008 ID:21660 Share Posted July 1, 2008 Do the following:Start -> Runtype: cmd.execlick 'OK'The command console will open.Enter the following commands at the command prompt pressing the enter key after every command:regsvr32 vbalgrid.ocxregsvr32 vbscript.dllexitThe Command Console will close.If there are any error messages I need to know that and what they are.If the dll and activex control registered properly, run ISeeYouXP again.If ISeeYouXP ran successfully attach that log. Link to post Share on other sites More sharing options...
Docfxit Posted July 2, 2008 Author ID:21682 Share Posted July 2, 2008 Do the following:Start -> Runtype: cmd.execlick 'OK'The command console will open.Enter the following commands at the command prompt pressing the enter key after every command:regsvr32 vbalgrid.ocxI received the message:LoadLibrary ("vbalgrid.ocx")failed-The specified module could not be found.regsvr32 vbscript.dll DllRegisterServer in vbscri.dll succeede.exitThe Command Console will close.If there are any error messages I need to know that and what they are.If the dll and activex control registered properly, run ISeeYouXP again.The dll registered fine. I don't see any activex.If ISeeYouXP ran successfully attach that log.When I run ISeeYouXP all the vbx files come out with an error:C:\ISEEYO~1\ieinfo.vbs(6, 1) (null): 0x80041003Thank you,Docfxit Link to post Share on other sites More sharing options...
Recommended Posts