July 1st, 2007 04:00

Help: Task Manager Disabled, Slow PC, have many viruses (I think)

Good day to all. I am currently running in Safe Mode to post this thread. My main problem is that the response of my PC is very, very slow and my Task Manager is disabled. Also I cannot open files because of the slow response of my PC. Anyway, here's my HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 12:48:07 PM, on 7/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp15B2.tmp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\stunnel\stunnel.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Security Adviser\msctrl.exe
C:\Program Files\Microsoft Security Adviser\msavsc.exe
C:\Program Files\Microsoft Security Adviser\msscan.exe
C:\Program Files\Microsoft Security Adviser\msiemon.exe
C:\Program Files\Microsoft Security Adviser\msfw.exe
C:\Program Files\Microsoft Security Adviser\mssadv.exe
C:\WINDOWS\wvtqqr.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\mgrs.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ken\Desktop\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {0370ea26-5ddc-4d8d-99e5-b73cf7f8a55a} - C:\WINDOWS\system32\mscnit.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\tmp1762.tmp.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\MDM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [ccPrxy.exe] ccPrxy.exe
O4 - HKLM\..\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe
O4 - HKLM\..\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe
O4 - HKLM\..\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe
O4 - HKLM\..\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe
O4 - HKLM\..\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe
O4 - HKLM\..\Run: [Microsoft security adviser] C:\Program Files\Microsoft Security Adviser\mssadv.exe
O4 - HKLM\..\Run: [xerox] C:\WINDOWS\wvtqqr.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe
O4 - HKCU\..\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe
O4 - HKCU\..\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe
O4 - HKCU\..\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe
O4 - HKCU\..\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe
O4 - HKCU\..\Run: [Microsoft security adviser] C:\Program Files\Microsoft Security Adviser\mssadv.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1118413853152
O17 - HKLM\System\CCS\Services\Tcpip\..\{59A70E28-A589-42FE-8102-8A7482C962FF}: NameServer = 85.255.114.5,85.255.112.147
O17 - HKLM\System\CCS\Services\Tcpip\..\{80ECA0FB-2E8F-4115-9766-C28B0703645B}: NameServer = 85.255.114.5,85.255.112.147
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFB173EB-E8D3-46CB-9F85-89AF0217CBEE}: NameServer = 85.255.114.5,85.255.112.147
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.5 85.255.112.147
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.5 85.255.112.147
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.5 85.255.112.147
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: attrib.dll
O20 - Winlogon Notify: mscnit - C:\WINDOWS\SYSTEM32\mscnit.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - - C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp15B2.tmp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: stunnel - Unknown owner - C:\Program Files\stunnel\stunnel.exe" -service -install (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks Guys..
-numb_skull1001

July 1st, 2007 23:00

numb_skull1001

Wow, that's quite an infection you have there. It will take a couple of runs at this to completely remove the infection, so please be patient.

1. You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:

  http://downloads.subratam.org/Fixwareout.exe

  http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
  • Save it to your desktop and run it.
    Click Next, then Install, then make sure  "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts.
    You will be asked to reboot your computer; please do so.
    Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

Now let's check some settings on your system.

(2000/XP) Only

  • In the windows control panel.
    If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections.
    Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties.
    Click the Networking tab.
    Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically
    Press OK twice to get out of the properties screen and reboot if it asks.
    That option might not be available on some systems.

Next, go to Start > Run, type cmd and hit OK.
Type
ipconfig /flushdns (that space between g and / is needed)
then hit Enter; type exit and hit Enter.

2. I need you to help us out with some research

Please go HERE

Put Your Name, and Dell HJT forum

and in the file to submit box, click Browse. Using Windows Explorer
  • (Right click on "Start," select "Explore," and you will see the "tree' of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents)
Locate the file
  • C:\WINDOWS\wvtqqr.exe
In the comments tell them that I asked you to upload the file
Then Select Send File.

bamajim   Graduate of MRU
CastleCops  Instructor

July 2nd, 2007 13:00

Hi bamajim, thanks for the quick response. Here's the Fixwareout report and a fresh HJT log, and I also managed to upload the file that you asked me to.


Fixwareout Last edited 6/27/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="cscsn.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.114.5"
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{59A70E28-A589-42FE-8102-8A7482C962FF}
"nameserver"="85.255.114.5,85.255.112.147"
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{80ECA0FB-2E8F-4115-9766-C28B0703645B}
"nameserver"="85.255.114.5,85.255.112.147"
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{AFB173EB-E8D3-46CB-9F85-89AF0217CBEE}
"nameserver"="85.255.114.5,85.255.112.147"
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{59A70E28-A589-42FE-8102-8A7482C962FF}
"DhcpNameServer"="85.255.114.5,85.255.112.147"
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{AFB173EB-E8D3-46CB-9F85-89AF0217CBEE}
"DhcpNameServer"="85.255.114.5,85.255.112.147"

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "0mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}8ABCE4973DB3-7FAA-00E4-0592-437BEC5B{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}E09E18E8EEFE-209B-A5F4-AF97-DDA28B93{" Deleted
C:\WINDOWS\System32\kutcs.exe Deleted
C:\WINDOWS\System32\trddx.exe Deleted
....
»»»»» Misc files.
"C:\Program Files\Microsoft Security Adviser" Deleted
C:\WINDOWS\system32\{39B82ADD-79FA-4F5A-B902-EFEE8E81E90E}.exe Deleted
C:\WINDOWS\system32\{B5CEB734-2950-4E00-AAF7-3BD3794ECBA8}.exe Deleted
C:\WINDOWS\System32\kernel32.exe Deleted
C:\WINDOWS\msavsc.dll Deleted
C:\WINDOWS\msctrl.dll Deleted
C:\WINDOWS\msfw.dll Deleted
C:\WINDOWS\msiemon.dll Deleted
C:\WINDOWS\mssadv.dll Deleted
C:\WINDOWS\msscan.dll Deleted
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.

C:\WINDOWS\system32\dmufd.exe 57894 08/04/2004

Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other
C:\WINDOWS\Temp\cscsn.ren 52759 06/29/2007
»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Advanced Tools Check"="C:\\PROGRA~1\\NORTON~1\\AdvTools\\ADVCHK.EXE"
"SoundMan"="SOUNDMAN.EXE"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"SVCHOST"="C:\\WINDOWS\\MDM.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Lexmark_X79-55"="C:\\WINDOWS\\system32\\lsasss.exe"
"ccPrxy.exe"="ccPrxy.exe"
"xerox"="C:\\WINDOWS\\wvtqqr.exe"
"avp"="C:\\WINDOWS\\avp.exe"
"smgr"="mgrs.exe"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


Here's the Fresh HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 10:18:19 PM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp15B2.tmp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\stunnel\stunnel.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\wvtqqr.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\mgrs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Documents and Settings\Ken\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {0370ea26-5ddc-4d8d-99e5-b73cf7f8a55a} - C:\WINDOWS\system32\mscnit.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\tmp1762.tmp.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\MDM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [ccPrxy.exe] ccPrxy.exe
O4 - HKLM\..\Run: [xerox] C:\WINDOWS\wvtqqr.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1118413853152
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: attrib.dll
O20 - Winlogon Notify: mscnit - C:\WINDOWS\SYSTEM32\mscnit.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - - C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp15B2.tmp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: stunnel - Unknown owner - C:\Program Files\stunnel\stunnel.exe" -service -install (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
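
The triage bamajim is doing by eye across these two logs (rogue O17 nameservers, an autorun key named SVCHOST that runs MDM.EXE, lsasss.exe imitating lsass.exe, an AppInit_DLLs entry, a service with no vendor running out of Temp) can be scripted so the second log is compared mechanically against the first. The script below is an added example written for this page; it is not part of the thread, of HijackThis or of FixWareout. The sample lines are excerpted from the two logs above and the "after" log is constructed as the "before" log minus its O17 lines, which is what the second HJT log actually shows; the trusted resolver range (192.168.1.0/24) is an assumed home-router subnet, not anything stated in the thread.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: entry lines excerpted from the two HijackThis logs in this
# thread. LOG_AFTER mirrors the second log: same entries, O17 lines gone.
LOG_BEFORE = r"""
O2 - BHO: (no name) - {0370ea26-5ddc-4d8d-99e5-b73cf7f8a55a} - C:\WINDOWS\system32\mscnit.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\MDM.EXE
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [xerox] C:\WINDOWS\wvtqqr.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.5 85.255.112.147
O20 - AppInit_DLLs: attrib.dll
O23 - Service: DomainService - - C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp15B2.tmp.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""
LOG_AFTER = "\n".join(l for l in LOG_BEFORE.splitlines() if not l.startswith("O17"))

# Assumption: resolvers this PC is expected to use (a home router subnet here);
# any other address in an O17 line is treated as a DNS hijack.
TRUSTED_DNS = [ip_network("192.168.1.0/24")]

# Core Windows binaries whose names malware imitates (lsasss.exe, key "SVCHOST").
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}

LINE_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse(log):
    """Yield (section, body) for each HijackThis entry line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def basename(cmd):
    """Executable file name from a Run command, honouring a quoted path with arguments."""
    cmd = cmd.strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return path.rsplit("\\", 1)[-1].lower()

def one_edit_away(a, b):
    """True if one insertion or deletion turns a into b (lsasss.exe -> lsass.exe)."""
    if abs(len(a) - len(b)) != 1:
        return False
    long_, short = (a, b) if len(a) > len(b) else (b, a)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

def findings(log):
    """Return (severity, section, reason, body) for every entry a heuristic flags."""
    out = []
    for sec, body in parse(log):
        if sec == "O17":
            rogue = [ip for ip in IP_RE.findall(body)
                     if not any(ip_address(ip) in net for net in TRUSTED_DNS)]
            if rogue:
                out.append(("high", sec, "nameserver outside trusted set: " + ",".join(rogue), body))
        elif sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            out.append(("high", sec, "AppInit_DLLs injects a DLL into every user32 process", body))
        elif sec == "O2" and body.startswith("BHO: (no name)"):
            out.append(("review", sec, "unnamed browser helper object", body))
        elif sec == "O4" and (m := RUN_RE.match(body)):
            key, cmd = m.group(1), m.group(2)
            exe = basename(cmd)
            if "\\temp\\" in cmd.lower() or "locals~1" in cmd.lower():
                out.append(("high", sec, "autorun launched from a temp directory", body))
            elif key.lower() + ".exe" in SYSTEM_NAMES and exe != key.lower() + ".exe":
                out.append(("high", sec, f"key named like {key} but runs {exe}", body))
            elif exe not in SYSTEM_NAMES and any(one_edit_away(exe, s) for s in SYSTEM_NAMES):
                out.append(("high", sec, f"lookalike of a system binary: {exe}", body))
            elif re.fullmatch(r"c:\\windows\\[a-z]{4,8}\.exe", cmd.strip().lower()):
                out.append(("review", sec, "unknown executable directly under C:\\WINDOWS", body))
        elif sec == "O23" and body.startswith("Service: "):
            name, _, tail = body[len("Service: "):].partition(" - ")
            # An empty vendor field is printed as "name - - path".
            owner, path = ("", tail[2:]) if tail.startswith("- ") else tail.partition(" - ")[::2]
            if not owner or "\\temp\\" in path.lower():
                out.append(("high", sec, f"service {name}: no vendor or binary in temp", body))
    return out

def persisted(before, after):
    """Flagged entries from the first log that the cleanup left in place."""
    still_there = {body for _, body in parse(after)}
    return [f for f in findings(before) if f[3] in still_there]

if __name__ == "__main__":
    for sev, sec, why, body in findings(LOG_BEFORE):
        print(f"[{sev:6}] {sec:<4} {why}\n         {body}")
    print("\nStill present after the first fix run:")
    for *_, body in persisted(LOG_BEFORE, LOG_AFTER):
        print("  " + body)
```

Run against the excerpt, the script flags seven entries in the first log and reports that six of them survive into the second: only the O17 nameserver lines were cleared by the first pass, which is the same conclusion the thread reaches ("Getting there"). The heuristics are deliberately narrow (exact key-name mismatches, single-character lookalikes, Temp paths, empty vendor fields) so a clean log such as the Symantec and ccApp lines produces no noise; anything a rule cannot classify is left for the human reviewer rather than guessed at.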

July 2nd, 2007 15:00

numb_skull1001

You're welcome, and thanks for the file. Getting there.

1. Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
bamajim   Graduate of MRU
CastleCops  Instructor

July 3rd, 2007 12:00

(cont) and here's the SDFix report.


SDFix: Version 1.88

Run by Ken on Tue 07/03/2007 at 09:48 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\DOCUME~1\KEN\LOCALS~1\TEMP\64AGENT.EXE - Deleted
C:\DOCUME~1\KEN\LOCALS~1\TEMP\MONSER~1.EXE - Deleted
C:\DOCUME~1\KEN\LOCALS~1\TEMP\SYSLOOK.EXE - Deleted
C:\DOCUME~1\KEN\LOCALS~1\TEMP\SYSSV.EXE - Deleted
C:\DOCUME~1\KEN\LOCALS~1\TEMP\GIKM.EXE - Deleted
C:\DOCUME~1\KEN\LOCALS~1\TEMP\KPOK.EXE - Deleted
C:\DOCUME~1\KEN\LOCALS~1\TEMP\OPHG.EXE - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1010.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp102F.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1061.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp10B9.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp117E.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp11A5.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1255.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1278.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp12A8.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp12AD.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp12B9.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp12C7.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp12D5.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp12D9.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp12DC.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp12E0.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp12F8.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1303.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1304.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1307.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1309.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1328.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1329.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1330.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1332.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1342.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1345.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1346.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp135D.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1360.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp13E0.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp13E1.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp149C.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp14D2.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1515.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1526.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1586.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp15B2.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp15B8.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp15BB.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp15BD.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp15EE.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1614.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1637.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1679.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp167E.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp168E.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp16D1.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp16FB.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1725.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1727.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1728.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1729.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp174D.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp175E.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp175F.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1762.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1763.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1764.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1766.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1768.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp176B.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1773.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1778.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp1791.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp17A1.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmpE7A.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmpEB6.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmpFE1.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmpFE4.tmp.exe - Deleted
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmpFE7.tmp.exe - Deleted
C:\WINDOWS\avp.exe - Deleted
C:\WINDOWS\mgrs.exe - Deleted
C:\WINDOWS\svchost.ini - Deleted
C:\WINDOWS\system32\driver.exe - Deleted
C:\WINDOWS\system32\sysmon32.exe - Deleted
C:\WINDOWS\system32\sysmon32.exe - Deleted



Removing Temp Files...

ADS Check:

Checking C:\WINDOWS
C:\WINDOWS
No streams found.

Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.

Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"="C:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe:*:Enabled:Dreamweaver MX"
"C:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"="C:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe:*:Enabled:Fireworks MX"
"C:\\xampp\\apache\\bin\\Apache.exe"="C:\\xampp\\apache\\bin\\Apache.exe:*:Enabled:Apache HTTP Server"
"C:\\xampp\\mysql\\bin\\mysqld.exe"="C:\\xampp\\mysql\\bin\\mysqld.exe:*:Enabled:mysqld"
"C:\\xampplite\\apache\\bin\\Apache.exe"="C:\\xampplite\\apache\\bin\\Apache.exe:*:Enabled:Apache HTTP Server"
"C:\\xampplite\\mysql\\bin\\mysqld.exe"="C:\\xampplite\\mysql\\bin\\mysqld.exe:*:Enabled:mysqld"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Zend\\ZendStudioClient-4.0.2\\jre\\bin\\javaw.exe"="C:\\Program Files\\Zend\\ZendStudioClient-4.0.2\\jre\\bin\\javaw.exe:*:Enabled:javaw"
"C:\\Program Files\\Gnoozle\\Gnoozle.exe"="C:\\Program Files\\Gnoozle\\Gnoozle.exe:*:Enabled:Gnoozle"
"C:\\Starcraft\\starcraft.exe"="C:\\Starcraft\\starcraft.exe:*:Disabled:Starcraft"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\Program Files\\Macromedia\\Flash MX\\Flash.exe"="C:\\Program Files\\Macromedia\\Flash MX\\Flash.exe:*:Disabled:Flash 6.0 r25"
"C:\\Program Files\\FreeStyle Online\\FreeStyle.exe"="C:\\Program Files\\FreeStyle Online\\FreeStyle.exe:*:Enabled:FreeStyle"
"C:\\Program Files\\xampp\\apache\\bin\\Apache.exe"="C:\\Program Files\\xampp\\apache\\bin\\Apache.exe:*:Enabled:Apache HTTP Server"
"C:\\Program Files\\DAP\\DAP.exe"="C:\\Program Files\\DAP\\DAP.exe:*:Enabled:Download Accelerator Plus"
"C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe"="C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe:*:Enabled:GG E-Sports Platform Client"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\TVU Player\\TVUPlayer.exe"="C:\\Program Files\\TVU Player\\TVUPlayer.exe:*:Enabled:TVUPlayer"
"C:\\Program Files\\IM\\IM.exe"="C:\\Program Files\\IM\\IM.exe:*:Enabled:IM"
"G:\\RavMonE.exe"="G:\\RavMonE.exe:*:Disabled:RavMonE"
"C:\\WINDOWS\\RavMonE.exe"="C:\\WINDOWS\\RavMonE.exe:*:Disabled:RavMonE"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\stunnel\\stunnel.exe"="C:\\Program Files\\stunnel\\stunnel.exe:*:Enabled:stunnel"
"C:\\Program Files\\xampp\\mysql\\bin\\mysqld.exe"="C:\\Program Files\\xampp\\mysql\\bin\\mysqld.exe:*:Enabled:mysqld"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\DOCUME~1\\Ken\\LOCALS~1\\Temp\\tmp15B2.tmp.exe"="C:\\DOCUME~1\\Ken\\LOCALS~1\\Temp\\"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\xampplite\htdocs\fsmsFinal\Templates\jd_b030 - myfreetemplates.com\images\Thumbs.db
C:\Documents and Settings\Main\Local Settings\Temp\_Setupx.dll
C:\RavMon.exe
C:\Documents and Settings\Ken\Templates\ldup.exe
C:\WINDOWS\ldup.exe
C:\WINDOWS\system32\Tools\All.exe
C:\WINDOWS\system32\Tools\Change.exe
C:\WINDOWS\system32\Tools\CheckPath.exe
C:\WINDOWS\system32\Tools\Counter.exe
C:\WINDOWS\system32\Tools\DelFolders.exe
C:\WINDOWS\system32\Tools\DirectSetup.exe
C:\WINDOWS\system32\Tools\RegClean.exe
C:\WINDOWS\system32\Tools\Regexe.exe
C:\WINDOWS\system32\Tools\Restart.exe
C:\WINDOWS\system32\Tools\RunRegexe.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\visualstudio\7.1\vs000223.tmp
C:\Documents and Settings\Ken\Desktop\~WRL1387.tmp
C:\Documents and Settings\Ken\Desktop\2nd Yr. 1stterm\Literat\~WRL0003.tmp
C:\Documents and Settings\Ken\Desktop\2nd Yr. 1stterm\Literat\~WRL1356.tmp
C:\Documents and Settings\Ken\Desktop\2nd Yr. 1stterm\Literat\~WRL1390.tmp
C:\Documents and Settings\Ken\Desktop\2nd Yr. 1stterm\Literat\~WRL2357.tmp
C:\Documents and Settings\Ken\Desktop\2nd Yr. 1stterm\Literat\~WRL3712.tmp
C:\Documents and Settings\Ken\Desktop\3rd Yr. 2ndterm\~WRL3297.tmp
C:\Documents and Settings\Ken\Desktop\3rd Yr. 2ndterm\CSPROJ2\CSPROJ[DOT]\~WRL0492.tmp
C:\Documents and Settings\Ken\Desktop\3rd Yr. 2ndterm\CSPROJ2\CSPROJ[DOT]\~WRL1368.tmp
C:\Documents and Settings\Ken\Desktop\3rd Yr. 2ndterm\CSPROJ2\CSPROJ[DOT]\~WRL2095.tmp
C:\Documents and Settings\Ken\Desktop\3rd Yr. 2ndterm\CSPROJ2\CSPROJ[DOT]\~WRL2917.tmp
C:\Documents and Settings\Ken\Desktop\3rd Yr. 2ndterm\CSPROJ2\CSPROJ[DOT]\~WRL4025.tmp
C:\Documents and Settings\Ken\Desktop\3rd Yr. 2ndterm\CSPROJ2\csproj_2\diagrams\~WRL0492.tmp
C:\Documents and Settings\Ken\Desktop\3rd Yr. 2ndterm\CSPROJ2\csproj_2\diagrams\~WRL1368.tmp
C:\Documents and Settings\Ken\Desktop\3rd Yr. 2ndterm\CSPROJ2\csproj_2\diagrams\~WRL2095.tmp
C:\Documents and Settings\Ken\Desktop\3rd Yr. 2ndterm\CSPROJ2\csproj_2\diagrams\~WRL2917.tmp
C:\Documents and Settings\Ken\Desktop\3rd Yr. 2ndterm\CSPROJ2\csproj_2\diagrams\~WRL4025.tmp
C:\Documents and Settings\Ken\Desktop\3rd Yr. 3rdterm\ECONTAX\econ\presentation econtax\~WRL0320.tmp
C:\Documents and Settings\Ken\Desktop\3rd Yr. 3rdterm\ECONTAX\econ\presentation econtax\~WRL0505.tmp
C:\Documents and Settings\Ken\Desktop\3rd Yr. 3rdterm\ECONTAX\econ\presentation econtax\~WRL0962.tmp
C:\Documents and Settings\Ken\Desktop\3rd Yr. 3rdterm\ECONTAX\econ\presentation econtax\~WRL1070.tmp
C:\Documents and Settings\Ken\Desktop\3rd Yr. 3rdterm\ECONTAX\econ\presentation econtax\~WRL1082.tmp
C:\Documents and Settings\Ken\Desktop\3rd Yr. 3rdterm\ECONTAX\econ\presentation econtax\~WRL1236.tmp
C:\Documents and Settings\Ken\Desktop\3rd Yr. 3rdterm\ECONTAX\econ\presentation econtax\~WRL1956.tmp
C:\Documents and Settings\Ken\Desktop\3rd Yr. 3rdterm\ECONTAX\econ\presentation econtax\~WRL2243.tmp
C:\Documents and Settings\Ken\Desktop\3rd Yr. 3rdterm\ECONTAX\econ\presentation econtax\~WRL2789.tmp
C:\Documents and Settings\Ken\Desktop\3rd Yr. 3rdterm\ECONTAX\econ\presentation econtax\~WRL3824.tmp
C:\Documents and Settings\Ken\Desktop\3rd Yr. 3rdterm\ECONTAX\econ\presentation econtax\~WRL3968.tmp
C:\Documents and Settings\Ken\Desktop\3rd Yr. 3rdterm\ECONTAX\econ\presentation econtax\~WRL4007.tmp
C:\Documents and Settings\Ken\Desktop\4th Yr. 3rdTerm\~WRL0003.tmp
C:\Documents and Settings\Ken\Desktop\4th Yr. 3rdTerm\~WRL3615.tmp
C:\Documents and Settings\Main\My Documents\~WRL0002.tmp
C:\Documents and Settings\Main\My Documents\kirbyOCASTRO\1st Term\HUMANITIES\~WRL0004.tmp

Listing User Accounts:


ACTUser Administrator ASPNET
Guest HelpAssistant Ken
Main SQLDebugger SUPPORT_388945a0
VUSR_KENNETH


Finished

10.4K Posts

July 3rd, 2007 12:00


numb_skull1001

Much better.

Do you have a USB key or any other USB storage device that you plug into your PC on a regular basis?

1. Please download Combofix and save to your desktop:
  • Note: It is important that it is saved directly to your desktop.
  • Close any open browsers.
  • Double click on combofix.exe and follow the prompts.
  • When it's finished it will produce a log.
  • Post the contents of the C:\ComboFix.txt into your next reply.
  • Note: Do not mouseclick combofix's window whilst it's running. That may cause the program to freeze/hang.

bamajim   Graduate of MRU
CastleCops Instructor

July 3rd, 2007 12:00

Here's the fresh HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 9:04:04 PM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wvtqqr.exe
C:\Program Files\stunnel\stunnel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp3.tmp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ken\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {0370ea26-5ddc-4d8d-99e5-b73cf7f8a55a} - C:\WINDOWS\system32\mscnit.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\tmp9.tmp.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [ccPrxy.exe] ccPrxy.exe
O4 - HKLM\..\Run: [xerox] C:\WINDOWS\wvtqqr.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\MDM.EXE
O4 - HKLM\..\Run: [winehq.org] rundll32.exe "C:\WINDOWS\ljihfe.dll",realset
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp3.tmp.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1118413853152
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: attrib.dll
O20 - Winlogon Notify: mscnit - C:\WINDOWS\SYSTEM32\mscnit.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - Unknown owner - C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp15B2.tmp.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: stunnel - Unknown owner - C:\Program Files\stunnel\stunnel.exe" -service -install (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

July 4th, 2007 13:00

Hi bamajim. Yes, I do have a USB drive and use it often on my PC. I also noticed these ravmonE.exe and infrom.exe in my USB drive. Could you tell me what those are? Also, if you may, tell me what infections I got on my PC. Thanks.

Here's my Combo Fix log.

"Ken" - 2007-07-04 21:21:37 - ComboFix 07-07-04.4 - Service Pack 2


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\tmp1061.tmp.dll
C:\WINDOWS\byyvts.dll
C:\WINDOWS\gebbbx.dll
C:\WINDOWS\ljkige.dll
C:\WINDOWS\pmlihf.dll
C:\WINDOWS\urspnm.dll
C:\WINDOWS\vtrpqq.dll
C:\WINDOWS\stvyyb.ini
C:\WINDOWS\xbbbeg.ini
C:\WINDOWS\egikjl.ini
C:\WINDOWS\fhilmp.ini
C:\WINDOWS\mnpsru.ini
C:\WINDOWS\qqprtv.ini
C:\WINDOWS\system32\mscnit.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Ken\APPLIC~1.\macromedia\Flash Player\#SharedObjects\MP3SGH55\www.broadcaster.com
C:\DOCUME~1\Ken\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Ken\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\svchost.exe
C:\WINDOWS\svchost.ini
C:\WINDOWS\system32\attrib.dll
C:\WINDOWS\system32\EKT57.sys
C:\WINDOWS\system32\tmp1010.tmp.dll
C:\WINDOWS\system32\tmp1061.tmp.dll
C:\WINDOWS\system32\tmp117E.tmp.dll
C:\WINDOWS\system32\tmp12A8.tmp.dll
C:\WINDOWS\system32\tmp12DC.tmp.dll
C:\WINDOWS\system32\tmp12F8.tmp.dll
C:\WINDOWS\system32\tmp1307.tmp.dll
C:\WINDOWS\system32\tmp1330.tmp.dll
C:\WINDOWS\system32\tmp1345.tmp.dll
C:\WINDOWS\system32\tmp13E0.tmp.dll
C:\WINDOWS\system32\tmpE7A.tmp.dll
C:\WINDOWS\system32\tmpFE1.tmp.dll
C:\WINDOWS\system32\winsys64.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\LEGACY_EKT57
-------\DomainService
-------\RpcApi


((((((((((((((((((((((((( Files Created from 2007-06-04 to 2007-07-04 )))))))))))))))))))))))))))))))


2007-07-04 21:21 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-04 20:32 134,993 --a------ C:\WINDOWS\mlmkig.dll
2007-07-04 20:27 59,360 --a------ C:\WINDOWS\system32\tmp16.tmp.dll
2007-07-03 17:46 59,409 --a------ C:\WINDOWS\system32\tmp9.tmp.dll
2007-07-03 17:42 22,016 --a------ C:\WINDOWS\MDM.EXE
2007-07-03 09:41 134,972 --a------ C:\WINDOWS\ssrpqn.dll
2007-07-02 21:48 9,277 --a------ C:\dnsbak.reg
2007-07-01 12:12 d-------- C:\HJT
2007-06-30 22:32 d--hs---- C:\WINDOWS\CSC
2007-06-29 20:29 15,360 --a------ C:\WINDOWS\wvtqqr.exe
2007-06-29 20:22 134,887 --a------ C:\WINDOWS\iiifec.dll
2007-06-29 10:28 59,457 --a------ C:\WINDOWS\system32\tmp1762.tmp.dll
2007-06-25 18:33 59,480 --a------ C:\WINDOWS\system32\tmp1763.tmp.dll
2007-06-23 15:15 59,414 --a------ C:\WINDOWS\system32\tmp1728.tmp.dll
2007-06-23 15:14 134,837 --a------ C:\WINDOWS\wvtqqr.dll
2007-06-22 18:27 d-------- C:\Program Files\Crimson Editor
2007-06-22 16:49 59,448 --a------ C:\WINDOWS\system32\tmp15EE.tmp.dll
2007-06-21 16:29 23,040 --ahs---- C:\WINDOWS\ldup.exe
2007-06-20 18:33 46,336 --a------ C:\WINDOWS\system32\tmp1586.tmp.dll
2007-06-16 18:37 46,336 --a------ C:\WINDOWS\system32\tmp15BD.tmp.dll
2007-06-10 05:39 d-------- C:\Program Files\3GP Player


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-03 14:51:01 -------- d-----w C:\Program Files\Warcraft III
2007-06-30 15:35:28 -------- d-----w C:\Program Files\SQLyog Community
2007-06-30 15:32:46 1,100 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-06-30 15:22:19 -------- d-----w C:\Program Files\Common Files\WhenU
2007-06-11 02:07:52 -------- d-----w C:\Program Files\OpenOffice.org1.1.3
2007-06-08 10:05:54 -------- d-----w C:\Program Files\Ocean Technology
2007-05-28 02:45:00 -------- d-----w C:\Program Files\QuickTime
2007-05-26 10:03:18 -------- d-----w C:\Program Files\SymNetDrv
2007-05-25 22:49:43 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-04-16 14:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 14:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 14:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 14:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 14:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 14:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 14:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 14:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2006-10-26 10:28 440384 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2004-12-14 01:56 63136 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
2006-10-31 15:29 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2006-12-15 03:23 440056 --a------ C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar5.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
2003-12-04 18:22 103368 --a------ C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"Advanced Tools Check"="C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE" []
"SoundMan"="SOUNDMAN.EXE" [2004-02-09 16:54 C:\WINDOWS\SOUNDMAN.EXE]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe" []
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" []
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"ccPrxy.exe"="ccPrxy.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=attrib.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Gnoozle.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Gnoozle.lnk
backup=C:\WINDOWS\pss\Gnoozle.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
?????4???????????

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RavAV]
C:\WINDOWS\RavMonE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
?????4???????????

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNPSTD2]
C:\WINDOWS\vsnpstd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysRestore]
"C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp163D.tmp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
"C:\Program Files\Save\Save.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{165ae000-03b1-11da-b1ba-00115b5b09b9}]
AutoRun\command- G:\RavMon.exe
explore\Command- G:\RavMon.exe -e
open\Command- G:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17bfd594-a23a-11db-b8a5-00115b5b09b9}]
Auto\command- G:\RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28957e64-ff20-11d9-b19f-00115b5b09b9}]
AutoRun\command- H:\RavMon.exe
explore\Command- H:\RavMon.exe -e
open\Command- H:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6348593c-4aa1-11db-b782-00115b5b09b9}]
AutoRun\command- H:\RavMon.exe
explore\Command- H:\RavMon.exe -e
open\Command- H:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81c50d02-d9d8-11d9-b0e1-00115b5b09b9}]
AutoRun\command- New Document.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0a3cc23-aa99-11da-b520-c7fd2f7b8d21}]
AutoRun\command- G:\RavMon.exe
explore\Command- G:\RavMon.exe -e
open\Command- G:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d64d4abd-95eb-11da-b4c5-83fb1e2d6dfa}]
AutoRun\command- G:\RavMon.exe
explore\Command- G:\RavMon.exe -e
open\Command- G:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd7e665d-ba72-11da-b567-828daf5fe10e}]
AutoRun\command- New Document.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef43cfbe-05e2-11dc-b9de-00115b5b09b9}]
AutoRun\command- H:\RavMon.exe
explore\Command- H:\RavMon.exe -e
open\Command- H:\RavMon.exe


Contents of the 'Scheduled Tasks' folder
2007-07-04 13:57:00 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-04 21:54:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"

Completion time: 2007-07-04 21:58:17 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-04 21:57

--- E O F ---
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\tmp1061.tmp.dll
C:\WINDOWS\byyvts.dll
C:\WINDOWS\gebbbx.dll
C:\WINDOWS\ljkige.dll
C:\WINDOWS\pmlihf.dll
C:\WINDOWS\urspnm.dll
C:\WINDOWS\vtrpqq.dll
C:\WINDOWS\stvyyb.ini
C:\WINDOWS\xbbbeg.ini
C:\WINDOWS\egikjl.ini
C:\WINDOWS\fhilmp.ini
C:\WINDOWS\mnpsru.ini
C:\WINDOWS\qqprtv.ini
C:\WINDOWS\system32\mscnit.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Ken\APPLIC~1.\macromedia\Flash Player\#SharedObjects\MP3SGH55\www.broadcaster.com
C:\DOCUME~1\Ken\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Ken\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\svchost.exe
C:\WINDOWS\svchost.ini
C:\WINDOWS\system32\attrib.dll
C:\WINDOWS\system32\EKT57.sys
C:\WINDOWS\system32\tmp1010.tmp.dll
C:\WINDOWS\system32\tmp1061.tmp.dll
C:\WINDOWS\system32\tmp117E.tmp.dll
C:\WINDOWS\system32\tmp12A8.tmp.dll
C:\WINDOWS\system32\tmp12DC.tmp.dll
C:\WINDOWS\system32\tmp12F8.tmp.dll
C:\WINDOWS\system32\tmp1307.tmp.dll
C:\WINDOWS\system32\tmp1330.tmp.dll
C:\WINDOWS\system32\tmp1345.tmp.dll
C:\WINDOWS\system32\tmp13E0.tmp.dll
C:\WINDOWS\system32\tmpE7A.tmp.dll
C:\WINDOWS\system32\tmpFE1.tmp.dll
C:\WINDOWS\system32\winsys64.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\LEGACY_EKT57
-------\DomainService
-------\RpcApi


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\LEGACY_EKT57
-------\DomainService
-------\RpcApi


((((((((((((((((((((((((( Files Created from 2007-06-04 to 2007-07-04 )))))))))))))))))))))))))))))))


July 4th, 2007 21:00

numb_skull1001

The infections you had were Wareout, SdBot infection, and Vundo, just to name a few. The file you found is part of a flash drive infection that reinfects the PC when attached. We will deal with that now.

1. Go HERE and download the Flash_Disinfector tool by sUBs
  • Save it to your Desktop
    Double Click to run the tool
    Follow the prompts

Note: have your USB storage devices handy and attach them when prompted

The file RavMonE.exe will need to be deleted from all drives and storage devices.

2. Open NotePad (not wordpad). Copy and paste the following into Notepad

File::
C:\WINDOWS\mlmkig.dll
C:\WINDOWS\system32\tmp16.tmp.dll
C:\WINDOWS\system32\tmp9.tmp.dll
C:\WINDOWS\ssrpqn.dll
C:\WINDOWS\wvtqqr.exe
C:\WINDOWS\iiifec.dll
C:\WINDOWS\system32\tmp1762.tmp.dll
C:\WINDOWS\system32\tmp1763.tmp.dll
C:\WINDOWS\system32\tmp1728.tmp.dll
C:\WINDOWS\wvtqqr.dll
C:\WINDOWS\system32\tmp15EE.tmp.dll
C:\WINDOWS\ldup.exe
C:\WINDOWS\system32\tmp1586.tmp.dll
C:\WINDOWS\system32\tmp15BD.tmp.dll
C:\Documents and Settings\Ken\Local Settings\Temp\tmp163D.tmp.exe
C:\Program Files\Save\Save.exe
C:\WINDOWS\RavMonE.exe

Folder::
C:\Program Files\Save

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RavAV]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{165ae000-03b1-11da-b1ba-00115b5b09b9}]
"AutoRun\command"=-
"explore\Command"=-
"open\Command"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17bfd594-a23a-11db-b8a5-00115b5b09b9}]
"Auto\command"=-
"AutoRun\command"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28957e64-ff20-11d9-b19f-00115b5b09b9}]
"AutoRun\command"=-
"explore\Command"=-
"open\Command"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6348593c-4aa1-11db-b782-00115b5b09b9}]
"AutoRun\command"=-
"explore\Command"=-
"open\Command"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81c50d02-d9d8-11d9-b0e1-00115b5b09b9}]
"AutoRun\command"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0a3cc23-aa99-11da-b520-c7fd2f7b8d21}]
"AutoRun\command"=-
"explore\Command"=-
"open\Command"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d64d4abd-95eb-11da-b4c5-83fb1e2d6dfa}]
"AutoRun\command"=-
"explore\Command"=-
"open\Command"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd7e665d-ba72-11da-b567-828daf5fe10e}]
"AutoRun\command"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef43cfbe-05e2-11dc-b9de-00115b5b09b9}]
"AutoRun\command"=-
"explore\Command"=-
"open\Command"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{165ae000-03b1-11da-b1ba-00115b5b09b9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17bfd594-a23a-11db-b8a5-00115b5b09b9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28957e64-ff20-11d9-b19f-00115b5b09b9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6348593c-4aa1-11db-b782-00115b5b09b9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81c50d02-d9d8-11d9-b0e1-00115b5b09b9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0a3cc23-aa99-11da-b520-c7fd2f7b8d21}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d64d4abd-95eb-11da-b4c5-83fb1e2d6dfa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd7e665d-ba72-11da-b567-828daf5fe10e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef43cfbe-05e2-11dc-b9de-00115b5b09b9}]


Save the File as ComboFix-Do.txt ->> Save it to your Desktop

Using the Image as a reference, drag ComboFix-Do.txt into ComboFix.exe

user posted image

  • You will be prompted to run ComboFix again; do so,
    following the same rules as indicated in my first post.
    Then post the contents of the C:\ComboFix.txt log in your reply.
bamajim   Graduate of MRU
CastleCops  Instructor
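As an added example (not part of this thread, and not code from ComboFix or HijackThis): a Python script that parses the MountPoints2 entries out of a ComboFix log like the one posted above, reports which executable each AutoRun handler launches and from which drive letter, lists the file names that need deleting from every attached drive, and generates the Registry:: section of a CFScript in the same form bamajim uses. The sample log text is constructed from the entries quoted in the thread. The rule that strips the RunDLL32 ShellExec_RunDLL launcher assumes that is how Windows records an autorun.inf shellexecute= target; the function names are my own.

```python
"""
Added example (not from the thread, ComboFix or HijackThis): parse the
MountPoints2 entries out of a ComboFix log, list which executable each
AutoRun handler launches and from which drive, and emit the Registry::
section of a CFScript in the form used above.
"""
import re

# Constructed sample: a slice of the ComboFix log quoted in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{165ae000-03b1-11da-b1ba-00115b5b09b9}]
AutoRun\command- G:\RavMon.exe
explore\Command- G:\RavMon.exe -e
open\Command- G:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17bfd594-a23a-11db-b8a5-00115b5b09b9}]
Auto\command- G:\RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81c50d02-d9d8-11d9-b0e1-00115b5b09b9}]
AutoRun\command- New Document.exe

Contents of the 'Scheduled Tasks' folder
"""

# A MountPoints2 key header as ComboFix prints it (one per volume GUID).
KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\\{[0-9a-f-]{36}\})\]$", re.I)
# A handler line under it: "<verb>\command- <command line>".
VALUE_RE = re.compile(r"^(\w+\\command)- (.+)$", re.I)
# Assumption: an autorun.inf "shellexecute=" target is recorded by Windows as
# "RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL <file> <args>"; strip that launcher
# so the payload file name, not rundll32, is reported.
LAUNCHER_RE = re.compile(
    r"^(?:.*\\)?rundll32\.exe\s+shell32\.dll,shellexec_rundll\s+", re.I)


def parse_mountpoints(log_text):
    """Return [(key, [(value_name, command), ...]), ...] in log order."""
    entries, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = (key.group(1), [])
            entries.append(current)
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            current[1].append((value.group(1), value.group(2).strip()))
        else:
            current = None  # a blank line or unrelated text ends the key's block
    return entries


def payload_name(command):
    """Executable a handler launches, without drive, path or arguments."""
    cmd = LAUNCHER_RE.sub("", command.strip())
    cmd = cmd.rsplit("\\", 1)[-1]          # drop "G:\" or any directory prefix
    end = cmd.lower().rfind(".exe")        # keep spaces inside the file name
    return cmd[:end + 4] if end >= 0 else cmd


def drive_letter(command):
    """Drive the payload lives on, or None when the path is volume-relative."""
    cmd = LAUNCHER_RE.sub("", command.strip())
    m = re.match(r"^([A-Z]):\\", cmd, re.I)
    return m.group(1).upper() if m else None


def payload_names(entries):
    """Files to delete from every attached drive (the RavMon/RavMonE list)."""
    return sorted({payload_name(cmd) for _, values in entries for _, cmd in values})


def report(entries):
    """(guid, drive, value name, payload) per handler, for review before removal."""
    rows = []
    for key, values in entries:
        guid = key.rsplit("\\", 1)[-1]
        for name, cmd in values:
            rows.append((guid, drive_letter(cmd), name, payload_name(cmd)))
    return rows


def cfscript_registry_block(entries):
    """Registry:: section: null each handler value, then delete each key."""
    lines = ["Registry::"]
    for key, values in entries:
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name, _ in values)
    lines.extend(f"[-{key}]" for key, _ in entries)
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_mountpoints(SAMPLE_LOG)
    for row in report(found):
        print(row)
    print("delete from all drives:", payload_names(found))
    print(cfscript_registry_block(found))
```

Run it against a saved ComboFix.txt instead of the sample by reading the file into parse_mountpoints. Every MountPoints2 handler ComboFix shows is worth review, since the log omits empty and default entries; the drive letter and payload columns tell you which removable disks to attach and which file to look for on them, and the generated block is what you paste under Registry:: in the CFScript.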

July 5th, 2007 13:00

Here's the new ComboFix log

"Ken" - 2007-07-05 22:15:34 - ComboFix 07-07-04.4 - Service Pack 2
Command switches used :: C:\Documents and Settings\Ken\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\iiifec.dll
C:\WINDOWS\ldup.exe
C:\WINDOWS\mlmkig.dll
C:\WINDOWS\ssrpqn.dll
C:\WINDOWS\svchost.exe
C:\WINDOWS\svchost.ini
C:\WINDOWS\system32\tmp1586.tmp.dll
C:\WINDOWS\system32\tmp15BD.tmp.dll
C:\WINDOWS\system32\tmp15EE.tmp.dll
C:\WINDOWS\system32\tmp16.tmp.dll
C:\WINDOWS\system32\tmp1728.tmp.dll
C:\WINDOWS\system32\tmp1762.tmp.dll
C:\WINDOWS\system32\tmp1763.tmp.dll
C:\WINDOWS\system32\tmp9.tmp.dll
C:\WINDOWS\wvtqqr.dll
C:\WINDOWS\wvtqqr.exe


((((((((((((((((((((((((( Files Created from 2007-06-05 to 2007-07-05 )))))))))))))))))))))))))))))))


2007-07-05 22:09 26,112 --a------ C:\WINDOWS\system32\nircmd.exe
2007-07-04 21:21 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-03 17:42 22,016 --a------ C:\WINDOWS\MDM.EXE
2007-07-02 21:48 9,277 --a------ C:\dnsbak.reg
2007-07-01 12:12 d-------- C:\HJT
2007-06-30 22:32 d--hs---- C:\WINDOWS\CSC
2007-06-22 18:27 d-------- C:\Program Files\Crimson Editor
2007-06-10 05:39 d-------- C:\Program Files\3GP Player


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-04 16:27:54 -------- d-----w C:\Program Files\Warcraft III
2007-06-30 15:35:28 -------- d-----w C:\Program Files\SQLyog Community
2007-06-30 15:32:46 1,100 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-06-30 15:22:19 -------- d-----w C:\Program Files\Common Files\WhenU
2007-06-11 02:07:52 -------- d-----w C:\Program Files\OpenOffice.org1.1.3
2007-06-08 10:05:54 -------- d-----w C:\Program Files\Ocean Technology
2007-05-28 02:45:00 -------- d-----w C:\Program Files\QuickTime
2007-05-26 10:03:18 -------- d-----w C:\Program Files\SymNetDrv
2007-05-25 22:49:43 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-04-16 14:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 14:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 14:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 14:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 14:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 14:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 14:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 14:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2006-10-26 10:28 440384 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2004-12-14 01:56 63136 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
2006-10-31 15:29 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2006-12-15 03:23 440056 --a------ C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar5.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
2003-12-04 18:22 103368 --a------ C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"Advanced Tools Check"="C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE" []
"SoundMan"="SOUNDMAN.EXE" [2004-02-09 16:54 C:\WINDOWS\SOUNDMAN.EXE]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe" []
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" []
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"ccPrxy.exe"="ccPrxy.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=attrib.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Gnoozle.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Gnoozle.lnk
backup=C:\WINDOWS\pss\Gnoozle.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
?????4???????????

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
?????4???????????

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNPSTD2]
C:\WINDOWS\vsnpstd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysRestore]
"C:\DOCUME~1\Ken\LOCALS~1\Temp\tmp163D.tmp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)


Contents of the 'Scheduled Tasks' folder
2007-07-05 14:27:00 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-05 22:31:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"

Completion time: 2007-07-05 22:32:34
C:\ComboFix-quarantined-files.txt ... 2007-07-05 22:32
C:\ComboFix2.txt ... 2007-07-04 22:04

--- E O F ---


July 5th, 2007 14:00

numb_skull1001
 
Well done. Were you able to disinfect the other drives as well?

Could I see a fresh HijackThis log, please?
 
bamajim   Graduate of MRU
CastleCops Instructor

July 5th, 2007 23:00

Hi bamajim. My PC looks better now. Thank you so much.

Here's the fresh HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 08:43, on 2007-07-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\stunnel\stunnel.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ken\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccPrxy.exe] ccPrxy.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1118413853152
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: attrib.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: stunnel - Unknown owner - C:\Program Files\stunnel\stunnel.exe" -service -install (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


July 6th, 2007 11:00

numb_skull1001

Were you able to disinfect the other drives as well?

1. Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

This will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

2. Run an online virus scan called Kaspersky from HERE.
  • 1. Click on "Kaspersky Online Scanner"
    2. A new smaller window will pop up. After reading the contents, press "Accept".
    3. Now Kaspersky will update the anti-virus database. Let it run.
    4. Click on "Next" ->> "Scan Settings", and make sure the database is set to "extended". Check both the scan options, then click OK.
    5. Then click on "My Computer", and the scan will start.
    6. Once finished, save a log as ".txt" to the desktop.
Copy and post the results of the Kaspersky Online scan.

bamajim   Graduate of MRU
CastleCops Instructor