
Explanation first. OK, so I have this problem: my computer runs uber slow and when I check my processes I have tracert.exe running a lot. Also getting a ton of pop ups, but I'm pretty sure those are just extraneous problems because whenever I delete spyware using Spyware Doctor they go away. When I try to delete the big bad one in SD however it says something about a high level threat, need to reboot to delete. I do it, it restarts and SD runs again right when I log on before even the start menu comes up... It finds nothing... start bar and icons load... problems reappear... and if I run SD again it finds the problems again after Windows has loaded. I deleted a suspicious looking program called "HP Boot Optimizer" from the wizard. It sped up my computer, but I had pop ups still till I deleted the spyware... but after restart it came back again, except now it never shows under programs, but I can find it at C:\Program Files\ Hewlett-Packard\HP Boot Optimizer... here is the HijackThis log.
PS: SD always finds the same # of infections every restart, it's somewhere between like 122-168

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:19:11 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\GameSpot\DownloadManager_Win32.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\ehome\McrdSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor .exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\My Documents\a?sembly\r?gedit.exe
C:\Program Files\Router\Router.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
C:\Program Files\Spyware Doctor\swdoctor .exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD .exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\AIM6\aim6 .exe
C:\Program Files\Dot1XCfg\Dot1XCfg .exe
C:\Program Files\Router\Router .exe
C:\Program Files\GameSpot\GDM_TrayApp.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\mrofinu.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Desktop\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop&parm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrq.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: LiveSearchClubToolbarBhoApp Class - {3D266504-0FBC-4d3f-9E7C-4077A77C7DC4} - C:\Program Files\Live Search Club Toolbar\LiveSearchClubToolbarBho.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {90AAA931-19A3-3F5A-DC2B-30E674F20C91} - C:\WINDOWS\system32\zqhyd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\iifdcya.dll
O2 - BHO: (no name) - {CF230C03-BA29-4790-911F-A934C1069190} - C:\WINDOWS\system32\ssqrq.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Live Search Club Toolbar - {719D74AB-1AF9-43a1-8C62-D8750628D93E} - C:\Program Files\Live Search Club Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe" /run
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px .exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9B1894E754BE54C29159A7DBE80DC744B6CDE3F546CAC59B6
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor .exe" /Q
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Amhgr] "C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\My Documents\a?sembly\r?gedit.exe"
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GDM_TrayApp.exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_premium.pl?1&6&04.00.09.13&premium&unknown&http://www.toyota.com/vehicles/config/fj/config.html?noreloadredir
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133305996812
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: iifdcya - C:\WINDOWS\SYSTEM32\iifdcya.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: DNADownloader - CNET Networks - C:\Program Files\GameSpot\DownloadManager_Win32.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 12996 bytes

Thanks in advance for any help

PPS: I put red around what I think might be unusual due to my investigation... I may be wrong as this is my first time using HijackThis... and I'm not having the tracert.exe running all the time after I delete the HP Boot Optimizer so I'm pretty sure that's all bad.

Last Post by crunchie

Hi and welcome to Daniweb forums :).

Please download the latest version of hijackthis; http://www.daniweb.com/forums/thread83821.html

==

Please download ComboFix by sUBs from HERE or HERE

  • Save it to your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.

    "%userprofile%\desktop\ComboFix.exe" /KillAll

    (screenshot of the Run box: http://i5.photobucket.com/albums/y153/crunchie1/RunBox_KillAll.jpg)

  • Click OK and this will start ComboFix.
  • When finished, it will produce a log. Please save that log to a Notepad File and include it in your next reply along with a fresh HJT log.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

* Re-enable all the programs that were disabled prior to the running of ComboFix.

* Post the following logs/Reports:


  • ComboFix.txt
  • Fresh HijackThis log run after all the other tools have performed their cleanup.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


OK so I tried that but that application "failed to save" the restore point and then after it said it could take 10 or more min I waited a half hour and came back, the window had faded behind the icons on my desktop so I hit Ctrl-Alt-Delete to see if it was running. It said no programs running, I moved an icon and the window disappeared. Went to run HijackThis to look and see if anything changed but I kept getting "Insufficient system resources to complete the requested service". Tried to repeat your instructions but got the same message but at the top it said nircmd.com... no I was not connected to net, router completely removed from comp... restarted and now it runs slower than ever, takes about 10 min to get Windows to do something, 5-6 min to open Internet Explorer, and the same time to go from one page to another, excruciatingly frustrating. Here's my new HijackThis log... ComboFix never made one because it always froze. Plus after restart I'm now getting icons on my desktop that lead to advertisements online... I don't know if my log changed but it takes a long time to scroll so I'll probably look at it after I post. I'll red anything I see that's suspicious to me but like I said I'm inexperienced with it. Sorry for spelling, the slowness is cutting out letters. Thanks a lot again in advance. Oh and the optimizer thing isn't coming back anymore but it's still running slow.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17:13, on 2008-01-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\GameSpot\DownloadManager_Win32.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\ehome\McrdSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor .exe
C:\Program Files\AIM6\aim6.exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\My Documents\a?sembly\r?gedit.exe
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\Program Files\AIM6\aim6 .exe
C:\Program Files\Dot1XCfg\Dot1XCfg .exe
C:\Program Files\Spyware Doctor\swdoctor .exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\GameSpot\GDM_TrayApp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\program files\aim6\anotify.exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Desktop\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\ECURIT~1\tracert.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop&parm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrq.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: LiveSearchClubToolbarBhoApp Class - {3D266504-0FBC-4d3f-9E7C-4077A77C7DC4} - C:\Program Files\Live Search Club Toolbar\LiveSearchClubToolbarBho.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {90AAA931-19A3-3F5A-DC2B-30E674F20C91} - C:\WINDOWS\system32\zqhyd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: (no name) - {AC9A9D6F-A3AB-4808-8BC4-9FC6699ED154} - C:\WINDOWS\system32\ssqrq.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\iifdcya.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Live Search Club Toolbar - {719D74AB-1AF9-43a1-8C62-D8750628D93E} - C:\Program Files\Live Search Club Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe" /run
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px .exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9B1894E754BE54C29159A7DBE80DC744B6CDE3F546CAC59B6
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor .exe" /Q
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Amhgr] "C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\My Documents\a?sembly\r?gedit.exe"
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GDM_TrayApp.exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_premium.pl?1&6&04.00.09.13&premium&unknown&http://www.toyota.com/vehicles/config/fj/config.html?noreloadredir
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133305996812
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: iifdcya - C:\WINDOWS\SYSTEM32\iifdcya.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: DNADownloader - CNET Networks - C:\Program Files\GameSpot\DownloadManager_Win32.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 12597 bytes


Also note that the PowerReg Scheduler.exe and PowerReg Scheduler V3.exe that are represented like 30 times. All of them except the last ones have a space before the .exe making them look the same, but they are different files, oooh, sneaky.
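The space-before-.exe trick noted above, and the doubled process names in the logs (swdoctor.exe beside "swdoctor .exe", aim6.exe beside "aim6 .exe"), can be checked mechanically instead of by eye. The script below is an added example, not code from this thread or from HijackThis: it reads a constructed excerpt in the same format as the posted logs and flags whitespace before the extension, lookalike pairs that differ only by that whitespace, unprintable characters in a path, unnamed BHOs, and a DLL that is registered both as an unnamed BHO and as a Winlogon Notify handler. The GUIDs and names in the excerpt are copied from the logs in this thread; the rule names are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt (not the thread's own logs) in the same shape as a
# HijackThis log: process list, O2 BHO, O4 Run/Startup and O20 entries.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor .exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aim6 .exe
C:\WINDOWS\system32\ctfmon .exe
C:\Documents and Settings\Seth\My Documents\a?sembly\r?gedit.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\iifdcya.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler.exe
O20 - Winlogon Notify: iifdcya - C:\WINDOWS\SYSTEM32\iifdcya.dll
"""

# A drive-letter path ending in .exe/.dll. The lazy body allows spaces, so
# "swdoctor .exe" is captured whole; the lookahead stops at a quote,
# whitespace, comma or end of line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll)(?=["\s,]|$)', re.IGNORECASE)
# O4 Startup entries name a file in the Startup folder without a full path.
STARTUP_RE = re.compile(r'^O4 - (?:Global )?Startup: (.+?)(?: = .*)?$')
SPACE_BEFORE_EXT_RE = re.compile(r'\s\.(?:exe|dll)$', re.IGNORECASE)


def _basename(path):
    return path.rsplit('\\', 1)[-1]


def _normalize(name):
    # Collapse whitespace and case so "aim6 .exe" and "aim6.exe" compare equal.
    return re.sub(r'\s+', '', name).lower()


def analyze(log_text):
    """Return a list of (rule, evidence) findings for a HijackThis-style log."""
    findings = []
    spellings = defaultdict(set)   # normalized basename -> raw spellings seen
    unnamed_bho = set()            # normalized DLL names from "(no name)" BHOs
    notify = {}                    # normalized DLL name -> O20 line
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        paths = PATH_RE.findall(line)
        names = [_basename(p) for p in paths]
        m = STARTUP_RE.match(line)
        if m:
            names.append(m.group(1).strip())
        for p in paths:
            if '?' in p:   # HJT prints bytes it cannot render as '?'
                findings.append(('unprintable_char_in_path', line))
        for name in names:
            if SPACE_BEFORE_EXT_RE.search(name):
                findings.append(('space_before_extension', line))
            spellings[_normalize(name)].add(name)
        if line.startswith('O2 - BHO: (no name)'):
            findings.append(('unnamed_bho', line))
            unnamed_bho.update(_normalize(n) for n in names)
        if line.startswith('O20 - Winlogon Notify:'):
            for n in names:
                notify[_normalize(n)] = line
    # Same name seen with two spellings: the legitimate file and its lookalike.
    for variants in spellings.values():
        if len(variants) > 1:
            findings.append(('lookalike_pair', ' | '.join(sorted(variants))))
    # A DLL that is both an unnamed BHO and a Winlogon Notify handler.
    for key in unnamed_bho & set(notify):
        findings.append(('bho_also_winlogon_notify', notify[key]))
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = defaultdict(int)
    for rule, _ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == '__main__':
    for rule, evidence in analyze(SAMPLE_LOG):
        print(f'{rule:28} {evidence}')
```

On the excerpt this reports five space-before-extension entries, three lookalike pairs (ctfmon, aim6, PowerReg Scheduler) and the iifdcya.dll cross-reference, which is the same set of lines a careful reader would circle in the posted logs.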


Please download the latest version of hijackthis; http://www.daniweb.com/forums/thread83821.html

This please.

Try running combofix in safe mode please.

==

Please download VundoFix.exe
to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.


Ran VundoFix, came up with about 12-16 files, reboot to delete, came up with 4, reboot to delete again, came up with none. Immediately rebooted in safe mode and ran ComboFix, seemed to do wonders, after reboot everything running 3000% better, got a popup on the way to this site, but I'm sure I can remove that with Spyware Doctor like I did before, it just came back after every reboot. Thank you so much for your time. Here are the VundoFix, ComboFix, and HijackThis logs, in that order separated by a line of o's. Thanks so much again, this was far worse than any infection I've ever run into.
ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 19:59:11 2008-01-17

Listing files found while scanning....

C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\system32\geebc.exe
C:\WINDOWS\system32\iifdcya.dll
C:\WINDOWS\system32\NCTAudioCDGrabber2.dll
C:\WINDOWS\system32\NCTAudioFile2.dll
C:\WINDOWS\system32\NCTAudioPlayer2.dll
C:\WINDOWS\system32\NCTAudioRecord2.dll
C:\WINDOWS\system32\NCTAVIFile.dll
C:\WINDOWS\system32\NCTQuickTimeFile.dll
C:\WINDOWS\system32\NCTVideoCoreM.dll
C:\WINDOWS\system32\NCTWMAFile2.dll
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\ssqrq.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\system32\ezSP_Px.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\geebc.exe
C:\WINDOWS\system32\geebc.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifdcya.dll
C:\WINDOWS\system32\iifdcya.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\NCTAudioCDGrabber2.dll
C:\WINDOWS\system32\NCTAudioCDGrabber2.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\NCTAudioFile2.dll
C:\WINDOWS\system32\NCTAudioFile2.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\NCTAudioPlayer2.dll
C:\WINDOWS\system32\NCTAudioPlayer2.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\NCTAudioRecord2.dll
C:\WINDOWS\system32\NCTAudioRecord2.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\NCTAVIFile.dll
C:\WINDOWS\system32\NCTAVIFile.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\NCTQuickTimeFile.dll
C:\WINDOWS\system32\NCTQuickTimeFile.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\NCTVideoCoreM.dll
C:\WINDOWS\system32\NCTVideoCoreM.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\NCTWMAFile2.dll
C:\WINDOWS\system32\NCTWMAFile2.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\qrqss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\ssqrq.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ssqrq.exe
C:\WINDOWS\system32\ssqrq.exe Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\iifdcya.dll
C:\WINDOWS\system32\iifdcya.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\qrqss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\ssqrq.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...
ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

ComboFix 08-01-16.4 - Seth 2008-01-17 22:23:44.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.332 [GMT -5:00]
Running from: C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\My Documents\ASEMBL~1
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\My Documents\ASEMBL~1\r?gedit.exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\download
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\windows
C:\Program Files\Common Files\windows\ack.html
C:\Program Files\Common Files\windows\AutoIt3.exe
C:\Program Files\Common Files\windows\autoitscript.au3
C:\Program Files\Common Files\windows\psapi.dll
C:\Program Files\Common Files\windows\request.html
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\PowerISO\PWRISOVM .EXE
C:\Program Files\QdrDrive
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD .exe
C:\Program Files\Sony\SonicStage\SsAAD .exe
C:\Program Files\Spyware Doctor\swdoctor .exe
C:\Program Files\Spyware Doctor\swdoctor .exe
C:\Program Files\Spyware Doctor\swdoctor .exe
C:\Program Files\Temporary
C:\Program Files\winupdate
C:\WINDOWS\b.exe
C:\WINDOWS\b103.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b128.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\b151.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\ecurit~1
C:\WINDOWS\system32\ecurit~1\?ecurity\
C:\WINDOWS\system32\ecurit~1\tracert .exe
C:\WINDOWS\system32\ecurit~1\tracert.exe
C:\WINDOWS\system32\iifdcya.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\RCX89.tmp
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\ssqrq.exe
C:\WINDOWS\system32\wintsvcc32.exe
C:\WINDOWS\system32\zqhyd.dll
D:\Autorun.inf

C:\Program Files\AIM6\aim6 .exe ---> aim6.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe ---> QooBox
C:\Program Files\DAEMON Tools\daemon .exe ---> daemon.exe
C:\Program Files\Dot1XCfg\Dot1XCfg .exe ---> Dot1XCfg.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe ---> QooBox
C:\Program Files\Messenger\msmsgs .exe ---> QooBox
C:\Program Files\PowerISO\PWRISOVM .EXE ---> QooBox
Error moving C:\Program Files\QuickTime\qttask        .exe to C:\Program Files\QuickTime\qttask.exe: 5.
C:\Program Files\SlySoft\AnyDVD\AnyDVD .exe ---> QooBox
C:\Program Files\Sony\SonicStage\SsAAD .exe ---> QooBox
C:\Program Files\Spyware Doctor\swdoctor     .exe ---> swdoctor.exe
C:\Program Files\Spyware Doctor\swdoctor .exe ---> swdoctor.exe
C:\WINDOWS\system32\ctfmon .exe ---> ctfmon.exe

.
.
((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-17 19:59 . 2008-01-17 22:03 <DIR> d-------- C:\VundoFix Backups
2008-01-16 16:59 . 2008-01-16 16:59 72,566 --a------ C:\WINDOWS\system32\GameFly_2.ico
2008-01-16 13:40 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-13 18:36 . 2008-01-14 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-13 14:28 . 2008-01-15 19:25 389,120 --a------ C:\WINDOWS\system32\ezSP_Px .exe
2008-01-13 13:33 . 2008-01-17 22:39 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-13 13:29 . 2008-01-15 16:58 39,936 --a------ C:\WINDOWS\mrofinu72.exe.tmp
2008-01-12 14:56 . 2008-01-12 14:56 <DIR> d-------- C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Application Data\CrystalSpace
2008-01-12 14:56 . 2008-01-12 14:56 <DIR> d-------- C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Application Data\CrystalApp
2008-01-01 15:45 . 2008-01-01 15:45 <DIR> d-------- C:\Program Files\7-Zip
2007-12-30 17:41 . 2007-12-30 17:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WildTangent
2007-12-30 17:40 . 2007-12-30 17:40 <DIR> d-------- C:\Program Files\HP Games
2007-12-30 04:31 . 2007-12-30 04:31 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-30 04:30 . 2008-01-12 12:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-29 14:43 . 2007-12-29 15:10 <DIR> d-------- C:\PICTURES
2007-12-22 23:17 . 2007-12-22 23:17 <DIR> d-------- C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Application Data\InstallShield
2007-12-18 16:39 . 2007-12-18 16:39 <DIR> d-------- C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Application Data\vlc
2007-12-18 16:37 . 2007-12-18 16:37 <DIR> d-------- C:\Program Files\VideoLAN

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 03:39 --------- d-----w C:\Program Files\Spyware Doctor
2008-01-18 03:39 --------- d-----w C:\Program Files\DAEMON Tools
2008-01-18 03:39 --------- d-----w C:\Program Files\AIM6
2008-01-18 03:33 --------- d-----w C:\Program Files\QuickTime
2008-01-18 03:33 --------- d-----w C:\Program Files\PowerISO
2008-01-18 03:12 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-15 22:24 --------- d-----w C:\Program Files\Hewlett-Packard
2008-01-12 17:44 --------- d-----w C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Application Data\uTorrent
2008-01-01 23:10 --------- d-----w C:\Program Files\AIRFLO
2007-12-27 20:35 --------- d-----w C:\Program Files\LimeWire
2007-12-23 04:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-17 11:30 --------- d-----w C:\Program Files\JoWooD
2007-12-16 23:11 --------- d-----w C:\Program Files\DOSBox-0.65
2007-11-30 15:23 97,216 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-11-24 23:25 --------- d-----w C:\Program Files\Coupons
2007-11-23 23:05 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-23 22:24 --------- d-----w C:\Program Files\Atari
2007-11-20 01:53 --------- d-----w C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Application Data\Free Download Manager
2005-12-24 22:15 251 ----a-w C:\Program Files\wt3d.ini
2005-09-25 22:24 12,800 ----a-w C:\Documents and Settings\Brenda\a.exe
.

----a-w           598,016 2008-01-18 03:41:25  C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w           567,296 2008-01-18 03:41:26  C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w           260,062 2005-09-05 15:19:42  C:\FILES\LimeWire\Ogre Battle 64 - Person of Lordly Caliber (U) [!]\Diablo II CD Key Generator .exe
----a-w           448,512 2008-01-16 00:25:17  C:\Program Files\QuickTime\qttask        .exe
----a-w           389,120 2008-01-16 00:25:14  C:\WINDOWS\system32\ezSP_Px .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D266504-0FBC-4d3f-9E7C-4077A77C7DC4}]
2007-08-10 02:00 217088 --a------ C:\Program Files\Live Search Club Toolbar\LiveSearchClubToolbarBho.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E81A936-E5C3-4BC1-9853-35736D1822DE}]
2008-01-17 22:41 336384 --a------ C:\WINDOWS\system32\ssqrq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{719D74AB-1AF9-43A1-8C62-D8750628D93E}

[HKEY_CLASSES_ROOT\clsid\{719d74ab-1af9-43a1-8c62-d8750628d93e}]
[HKEY_CLASSES_ROOT\LiveToolbar.LiveToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{7507B80F-C1DE-4b0a-A0BA-120C64075F11}]
[HKEY_CLASSES_ROOT\LiveToolbar.LiveToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-15 19:25 2226688]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor .exe" [ ]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-17 22:41 412160]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2008-01-17 22:41 520192]
"Amhgr"="C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\My Documents\a?sembly\r?gedit.exe" [ ]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [2008-01-17 22:41 401408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe" [ ]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px .exe" [2008-01-15 19:25 389120]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-20 20:07 7110656]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-15 19:25 521216]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2008-01-15 19:25 448512]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2008-01-15 19:25 452096]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2008-01-15 19:25 476672]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-15 19:25 559104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="" []

C:\Documents and Settings\Seth\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2005-07-23 12:35:10]

C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\
GameSpot Download Manager.lnk - C:\Program Files\GameSpot\GDM_TrayApp.exe [2007-08-28 12:23:00]
PowerReg Scheduler .exe [2008-01-17 22:41:25]
PowerReg Scheduler V3 .exe [2008-01-17 22:41:26]
PowerReg Scheduler V3.exe [2008-01-17 22:41:28]
PowerReg Scheduler.exe [2008-01-17 22:41:29]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 18:55:40]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-05 04:28:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 16:23:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\ssqrq.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ssqrq

R2 DNADownloader;DNADownloader;C:\Program Files\GameSpot\DownloadManager_Win32.exe [2007-08-28 12:33]
R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe [2005-10-20 18:55]
R3 USB_RNDIS_XP;Westell USB Network Interface;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-10 07:00]
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe [2004-08-10 07:00]
S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [2004-07-14 12:51]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

.
Contents of the 'Scheduled Tasks' folder
"2007-12-26 15:48:30 C:\WINDOWS\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 22:40:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\ssqrq.exe 339968 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\WINDOWS\system32\ssqrq.dll
.
Completion time: 2008-01-17 22:46:10 - machine was rebooted [Seth]
ComboFix-quarantined-files.txt 2008-01-18 03:46:05
ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:11 PM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\GameSpot\DownloadManager_Win32.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\ehome\McrdSvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\Program Files\GameSpot\GDM_TrayApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aim6 .exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop&parm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrq.exe
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Live Search Club Toolbar - {719D74AB-1AF9-43a1-8C62-D8750628D93E} - C:\Program Files\Live Search Club Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe" /run
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px .exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor .exe" /Q
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Amhgr] "C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\My Documents\a?sembly\r?gedit.exe"
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GDM_TrayApp.exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_premium.pl?1&6&04.00.09.13&premium&unknown&http://www.toyota.com/vehicles/config/fj/config.html?noreloadredir
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133305996812
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: DNADownloader - CNET Networks - C:\Program Files\GameSpot\DownloadManager_Win32.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 9370 bytes

ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

Thanks so much yet again! :)


Yeah, ran Spyware Doctor and had 64 infections including a trojan, but they were all easily removed, and upon restart my computer is finally back to normal.


Can you please rename hijackthis.exe to analysethis before running another scan?

A. Please RUN HijackThis

  1. Click the SCAN button to produce a log.
  2. Place a check mark beside each one of the following items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rm1=seconduser
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop

    F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrq.exe

    O4 - Startup: PowerReg Scheduler .exe
    O4 - Startup: PowerReg Scheduler V3 .exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe

  3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

B. 1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\ssqrq.exe

Folder::
C:\VundoFix Backups

RENV::
----a-w 598,016 2008-01-18 03:41:25 C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 567,296 2008-01-18 03:41:26 C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 260,062 2005-09-05 15:19:42 C:\FILES\LimeWire\Ogre Battle 64 - Person of Lordly Caliber (U) [!]\Diablo II CD Key Generator .exe
----a-w 448,512 2008-01-16 00:25:17 C:\Program Files\QuickTime\qttask .exe
----a-w 389,120 2008-01-16 00:25:14 C:\WINDOWS\system32\ezSP_Px .exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


7. After reboot, (in case it asks to reboot), please re-enable all the programs that were disabled during the running of ComboFix then post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

==

Stay away from key generators and cracks!

Attachments CFScript.gif 27.09 KB
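The items the helper picked out above follow a pattern a defender can check for mechanically: look-alike file names with whitespace wedged before the extension (qttask .exe beside qttask.exe), a non-empty win.ini load= entry, and bare executables sitting in the Startup folder. The script below is an added example, not part of this thread and not code from HijackThis, ComboFix or VundoFix; the rule names and the SAMPLE_LOG lines are constructed here, modelled on the HijackThis output posted above.

```python
"""Triage helper for HijackThis-style logs, modelled on the checks the helper
made by hand in this thread.  Added example: not part of the thread, not part
of HijackThis, ComboFix or VundoFix.  Rule names and SAMPLE_LOG are mine."""
import re
from collections import defaultdict

# Constructed sample lines in HijackThis format, modelled on (not copied from)
# the log posted above.  "qttask .exe" etc. are the look-alike names the
# infection dropped beside the real programs.
SAMPLE_LOG = r"""
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aim6 .exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrq.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor .exe" /Q
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GDM_TrayApp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Whitespace wedged between a file name and its extension ("qttask .exe").
SPACED_EXT = re.compile(r"\S\s+\.(exe|dll|com|scr|bat|pif)\b", re.I)
# Legacy win.ini autostart; empty on a clean XP box, so any value is a finding.
WININI_LOAD = re.compile(r"F3 - REG:win\.ini: load=(.*)", re.I)
# Per-user or global Startup folder items.
STARTUP_ITEM = re.compile(r"O4 - (Global )?Startup: (.+)", re.I)
# Any exe/dll base name appearing on the line (path separators excluded).
FILENAME = re.compile(r"([\w~ \-]+?\s*\.(?:exe|dll))\b", re.I)


def normalize(name):
    """Collapse the look-alike trick: drop all whitespace, ignore case."""
    return re.sub(r"\s+", "", name).lower()


def triage(log_text):
    """Return (rule, detail) findings for one HijackThis-style log."""
    findings = []
    seen = defaultdict(set)  # normalized name -> raw spellings seen
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SPACED_EXT.search(line):
            findings.append(("space-before-extension", line))
        m = WININI_LOAD.match(line)
        if m and m.group(1).strip():
            findings.append(("win.ini-load", line))
        m = STARTUP_ITEM.match(line)
        if m:
            # A .lnk is the normal content of Startup; a bare executable
            # dropped there is what the helper had the user remove.
            item = m.group(2).split(" = ")[0].strip()
            if not item.lower().endswith(".lnk"):
                findings.append(("bare-exe-in-startup", line))
        for name in FILENAME.findall(line):
            seen[normalize(name)].add(name.strip())
    # Two spellings of "the same" file (aim6.exe / aim6 .exe) is the
    # signature of a legitimate program shadowed by a fake.
    for key in sorted(seen):
        if len(seen[key]) > 1:
            findings.append(("lookalike-pair", " | ".join(sorted(seen[key]))))
    return findings


def count(findings, rule):
    """Number of findings raised by one rule."""
    return sum(1 for r, _ in findings if r == rule)


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:24} {detail}")
```

Feed it a real HijackThis log and the four rules reproduce the helper's selections; the look-alike rule is the one that catches pairs even when the spaced copy is not in an autostart location.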

Great, everything you told me to get rid of appears to be gone except that .ini file; no matter how many times I tell HijackThis to fix it, it doesn't go away.
ComboFix log
ooooooooooo
Hijackthis Log
ooooooooooo

ComboFix 08-01-16.4 - Seth 2008-01-18 14:49:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.186 [GMT -5:00]
Running from: C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\ssqrq.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\ezSP_Px.exe.bad
C:\VundoFix Backups\geebc.exe.bad
C:\VundoFix Backups\iifdcya.dll.bad
C:\VundoFix Backups\NCTAudioCDGrabber2.dll.bad
C:\VundoFix Backups\NCTAudioFile2.dll.bad
C:\VundoFix Backups\NCTAudioPlayer2.dll.bad
C:\VundoFix Backups\NCTAudioRecord2.dll.bad
C:\VundoFix Backups\NCTAVIFile.dll.bad
C:\VundoFix Backups\NCTQuickTimeFile.dll.bad
C:\VundoFix Backups\NCTVideoCoreM.dll.bad
C:\VundoFix Backups\NCTWMAFile2.dll.bad
C:\VundoFix Backups\qrqss.ini.bad
C:\VundoFix Backups\qrqss.ini2.bad
C:\VundoFix Backups\ssqrq.dll.bad
C:\VundoFix Backups\ssqrq.exe.bad
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\ssqrq.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-18 09:33 . 2008-01-18 14:50 389,120 --a------ C:\WINDOWS\system32\ezSP_Px .exe
2008-01-18 09:32 . 2008-01-18 09:32 <DIR> d-------- C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Incomplete
2008-01-16 16:59 . 2008-01-16 16:59 72,566 --a------ C:\WINDOWS\system32\GameFly_2.ico
2008-01-16 13:40 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-13 18:36 . 2008-01-14 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-13 14:28 . 2008-01-15 19:25 389,120 --a------ C:\WINDOWS\system32\ezSP_Px .exe
2008-01-13 13:33 . 2008-01-18 14:50 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-13 13:29 . 2008-01-15 16:58 39,936 --a------ C:\WINDOWS\mrofinu72.exe.tmp
2008-01-12 14:56 . 2008-01-12 14:56 <DIR> d-------- C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Application Data\CrystalSpace
2008-01-12 14:56 . 2008-01-12 14:56 <DIR> d-------- C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Application Data\CrystalApp
2008-01-01 15:45 . 2008-01-01 15:45 <DIR> d-------- C:\Program Files\7-Zip
2007-12-30 17:41 . 2007-12-30 17:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WildTangent
2007-12-30 17:40 . 2007-12-30 17:40 <DIR> d-------- C:\Program Files\HP Games
2007-12-30 04:31 . 2007-12-30 04:31 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-30 04:30 . 2008-01-12 12:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-29 14:43 . 2007-12-29 15:10 <DIR> d-------- C:\PICTURES
2007-12-22 23:17 . 2007-12-22 23:17 <DIR> d-------- C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Application Data\InstallShield
2007-12-18 16:39 . 2007-12-18 16:39 <DIR> d-------- C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Application Data\vlc
2007-12-18 16:37 . 2007-12-18 16:37 <DIR> d-------- C:\Program Files\VideoLAN

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 19:50 --------- d-----w C:\Program Files\Spyware Doctor
2008-01-18 19:50 --------- d-----w C:\Program Files\QuickTime
2008-01-18 19:50 --------- d-----w C:\Program Files\PowerISO
2008-01-18 19:50 --------- d-----w C:\Program Files\DAEMON Tools
2008-01-18 19:50 --------- d-----w C:\Program Files\AIM6
2008-01-18 18:02 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-15 22:24 --------- d-----w C:\Program Files\Hewlett-Packard
2008-01-12 17:44 --------- d-----w C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Application Data\uTorrent
2008-01-01 23:10 --------- d-----w C:\Program Files\AIRFLO
2007-12-27 20:35 --------- d-----w C:\Program Files\LimeWire
2007-12-23 04:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-17 11:30 --------- d-----w C:\Program Files\JoWooD
2007-12-16 23:11 --------- d-----w C:\Program Files\DOSBox-0.65
2007-11-30 15:23 97,216 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-11-24 23:25 --------- d-----w C:\Program Files\Coupons
2007-11-23 23:05 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-23 22:24 --------- d-----w C:\Program Files\Atari
2007-11-20 01:53 --------- d-----w C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Application Data\Free Download Manager
2005-12-24 22:15 251 ----a-w C:\Program Files\wt3d.ini
2005-09-25 22:24 12,800 ----a-w C:\Documents and Settings\Brenda\a.exe
.

----a-w           567,296 2008-01-18 03:41:26  C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Desktop\backups\backup-20080118-144415-195-PowerReg Scheduler V3 .exe
----a-w           598,016 2008-01-18 03:41:25  C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Desktop\backups\backup-20080118-144415-497-PowerReg Scheduler .exe
----a-w           598,016 2008-01-18 20:10:11  C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler  .exe
----a-w           225,280 2008-01-18 20:10:14  C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler V3   .exe
----a-w           567,296 2008-01-18 19:50:22  C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler V3  .exe
----a-w            50,736 2008-01-18 20:09:59  C:\Program Files\AIM6\aim6 .exe
----a-w           180,269 2008-01-18 18:01:38  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w           171,464 2008-01-18 20:10:00  C:\Program Files\DAEMON Tools\daemon .exe
----a-w            61,440 2008-01-18 20:10:01  C:\Program Files\Dot1XCfg\Dot1XCfg .exe
----a-w            68,856 2008-01-18 18:02:00  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w           132,496 2008-01-18 18:01:38  C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
----a-w         1,694,208 2008-01-18 18:01:44  C:\Program Files\Messenger\msmsgs .exe
----a-w           200,704 2008-01-18 18:01:39  C:\Program Files\PowerISO\PWRISOVM .EXE
----a-w           448,512 2008-01-18 19:50:47  C:\Program Files\QuickTime\qttask         .exe
----a-w           448,512 2008-01-16 00:25:17  C:\Program Files\QuickTime\qttask        .exe
----a-w         1,637,312 2008-01-18 18:01:44  C:\Program Files\SlySoft\AnyDVD\AnyDVD .exe
----a-w            81,920 2008-01-18 18:01:38  C:\Program Files\Sony\SonicStage\SsAAD .exe
----a-w           389,120 2008-01-18 19:50:39  C:\WINDOWS\system32\ezSP_Px  .exe
----a-w           389,120 2008-01-16 00:25:14  C:\WINDOWS\system32\ezSP_Px .exe

((((((((((((((((((((((((((((( snapshot@2008-01-17_22.45.39.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 13:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2008-01-18 19:48:36 241,664 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-18 19:48:36 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-18 19:48:36 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-18 19:48:36 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-18 19:48:36 8,974,336 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-18 19:48:36 151,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-18 19:48:36 8,679,424 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000007\ntuser.dat
+ 2008-01-18 19:48:36 159,744 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000008\UsrClass.dat
+ 2008-01-18 20:08:45 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_60c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D266504-0FBC-4d3f-9E7C-4077A77C7DC4}]
2007-08-10 02:00 217088 --a------ C:\Program Files\Live Search Club Toolbar\LiveSearchClubToolbarBho.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F72F2D89-4A45-46F7-83A4-B45C5838806C}]
2008-01-18 15:09 336384 --a------ C:\WINDOWS\system32\ssqrq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{719D74AB-1AF9-43A1-8C62-D8750628D93E}

[HKEY_CLASSES_ROOT\clsid\{719d74ab-1af9-43a1-8c62-d8750628d93e}]
[HKEY_CLASSES_ROOT\LiveToolbar.LiveToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{7507B80F-C1DE-4b0a-A0BA-120C64075F11}]
[HKEY_CLASSES_ROOT\LiveToolbar.LiveToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-18 14:50 2226688]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor .exe" [ ]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-18 14:50 412160]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2008-01-18 14:50 520192]
"Amhgr"="C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\My Documents\a?sembly\r?gedit.exe" [ ]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [2008-01-17 22:41 401408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe" [ ]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px .exe" [2008-01-18 14:50 389120]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-20 20:07 7110656]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-15 19:25 521216]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2008-01-18 14:50 448512]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2008-01-15 19:25 452096]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2008-01-15 19:25 476672]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-15 19:25 559104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="" []

C:\Documents and Settings\Seth\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2005-07-23 12:35:10]

C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\
GameSpot Download Manager.lnk - C:\Program Files\GameSpot\GDM_TrayApp.exe [2007-08-28 12:23:00]
PowerReg Scheduler .exe [2008-01-18 15:10:11]
PowerReg Scheduler V3 .exe [2008-01-18 15:10:14]
PowerReg Scheduler V3 .exe [2008-01-18 14:50:22]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 18:55:40]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-05 04:28:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 16:23:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\ssqrq.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ssqrq

R2 DNADownloader;DNADownloader;C:\Program Files\GameSpot\DownloadManager_Win32.exe [2007-08-28 12:33]
R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe [2005-10-20 18:55]
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe [2004-08-10 07:00]
S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [2004-07-14 12:51]
S3 USB_RNDIS_XP;Westell USB Network Interface;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-10 07:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

.
Contents of the 'Scheduled Tasks' folder
"2007-12-26 15:48:30 C:\WINDOWS\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 15:09:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\ssqrq.exe 339968 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\WINDOWS\system32\ssqrq.dll
.
Completion time: 2008-01-18 15:15:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-18 20:15:05
ComboFix2.txt 2008-01-18 03:46:10
ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:06 PM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\GameSpot\DownloadManager_Win32.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\ehome\McrdSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\Program Files\Dot1XCfg\Dot1XCfg .exe
C:\Program Files\GameSpot\GDM_TrayApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aim6 .exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Desktop\analysethis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrq.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: LiveSearchClubToolbarBhoApp Class - {3D266504-0FBC-4d3f-9E7C-4077A77C7DC4} - C:\Program Files\Live Search Club Toolbar\LiveSearchClubToolbarBho.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {F72F2D89-4A45-46F7-83A4-B45C5838806C} - C:\WINDOWS\system32\ssqrq.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Live Search Club Toolbar - {719D74AB-1AF9-43a1-8C62-D8750628D93E} - C:\Program Files\Live Search Club Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe" /run
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px .exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor .exe" /Q
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Amhgr] "C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\My Documents\a?sembly\r?gedit.exe"
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GDM_TrayApp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_premium.pl?1&6&04.00.09.13&premium&unknown&http://www.toyota.com/vehicles/config/fj/config.html?noreloadredir
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133305996812
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: DNADownloader - CNET Networks - C:\Program Files\GameSpot\DownloadManager_Win32.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 9911 bytes
ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo


Please boot into safe mode.

A. Please RUN HijackThis

  1. Click the SCAN button to produce a log.
  2. Place a check mark beside each one of the following items:

    F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrq.exe

    O2 - BHO: (no name) - {F72F2D89-4A45-46F7-83A4-B45C5838806C} - C:\WINDOWS\system32\ssqrq.dll

    O4 - HKCU\..\Run: [Amhgr] "C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\My Documents\a?sembly\r?gedit.exe"

  3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

B. 1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\ssqrq.exe

RENV::
----a-w 567,296 2008-01-18 03:41:26 C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Desktop\backups\backup-20080118-144415-195-PowerReg Scheduler V3 .exe
----a-w 598,016 2008-01-18 03:41:25 C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Desktop\backups\backup-20080118-144415-497-PowerReg Scheduler .exe
----a-w 598,016 2008-01-18 20:10:11 C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 225,280 2008-01-18 20:10:14 C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-01-18 19:50:22 C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 50,736 2008-01-18 20:09:59 C:\Program Files\AIM6\aim6 .exe
----a-w 180,269 2008-01-18 18:01:38 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 171,464 2008-01-18 20:10:00 C:\Program Files\DAEMON Tools\daemon .exe
----a-w 61,440 2008-01-18 20:10:01 C:\Program Files\Dot1XCfg\Dot1XCfg .exe
----a-w 68,856 2008-01-18 18:02:00 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w 132,496 2008-01-18 18:01:38 C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
----a-w 1,694,208 2008-01-18 18:01:44 C:\Program Files\Messenger\msmsgs .exe
----a-w 200,704 2008-01-18 18:01:39 C:\Program Files\PowerISO\PWRISOVM .EXE
----a-w 448,512 2008-01-18 19:50:47 C:\Program Files\QuickTime\qttask .exe
----a-w 448,512 2008-01-16 00:25:17 C:\Program Files\QuickTime\qttask .exe
----a-w 1,637,312 2008-01-18 18:01:44 C:\Program Files\SlySoft\AnyDVD\AnyDVD .exe
----a-w 81,920 2008-01-18 18:01:38 C:\Program Files\Sony\SonicStage\SsAAD .exe
----a-w 389,120 2008-01-18 19:50:39 C:\WINDOWS\system32\ezSP_Px .exe
----a-w 389,120 2008-01-16 00:25:14 C:\WINDOWS\system32\ezSP_Px .exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[IMG]http://i5.photobucket.com/albums/y153/crunchie1/CFScript.gif[/IMG]


7. After reboot, (in case it asks to reboot), please re-enable all the programs that were disabled during the running of ComboFix then post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
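The four patterns the helper picked out of the log above (the win.ini load= hook, the nameless BHO, the unreadable characters in the Amhgr path, and the "name .exe" impostors that end up in the RenV:: list) can be checked mechanically. The script below is an added example written for this page, not part of the thread and not a HijackThis or ComboFix feature; it runs those checks over constructed sample lines copied from the posted log and pairs each impostor with the legitimate binary it shadows.

```python
"""Triage helper for this thread's HijackThis log (added example, not a
HijackThis or ComboFix feature). Each rule mirrors a line the helper flagged:
  WININI_LOAD       F3 win.ini load= autostart hook (ssqrq.exe)
  NAMELESS_BHO      O2 BHO registered as "(no name)" (ssqrq.dll)
  ODD_CHARS         '?' inside a drive path, a character HijackThis could not
                    render (the a?sembly / r?gedit.exe entry)
  SPACE_BEFORE_EXT  whitespace before the extension ("aim6 .exe" next to the
                    real aim6.exe), the names ComboFix's RenV list reports
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    rule: str
    line: str


_URL = re.compile(r"\b(?:https?|res)://\S+", re.IGNORECASE)
_DRIVE_PATH_WITH_QMARK = re.compile(r'[A-Za-z]:\\[^"]*?\?')
_SPACE_BEFORE_EXT = re.compile(r"\S[ \t]+\.(?:exe|dll|com|scr)\b", re.IGNORECASE)
_WININI_LOAD = re.compile(r"^F3 - REG:win\.ini: load=", re.IGNORECASE)
_NAMELESS_BHO = re.compile(r"^O2 - BHO: \(no name\)")


def triage_hijackthis(log_text: str) -> List[Finding]:
    """Return one Finding per (rule, line) match; a line may trigger several."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        no_urls = _URL.sub("", line)  # URLs legitimately carry '?'
        if _WININI_LOAD.match(line):
            findings.append(Finding("WININI_LOAD", line))
        if _NAMELESS_BHO.match(line):
            findings.append(Finding("NAMELESS_BHO", line))
        if _DRIVE_PATH_WITH_QMARK.search(no_urls):
            findings.append(Finding("ODD_CHARS", line))
        if _SPACE_BEFORE_EXT.search(no_urls):
            findings.append(Finding("SPACE_BEFORE_EXT", line))
    return findings


def rule_counts(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.rule for f in findings))


def impostor_paths(findings: List[Finding]) -> List[str]:
    """File path (quoted or bare) of every SPACE_BEFORE_EXT hit."""
    path_re = re.compile(r'"([^"]+)"|([A-Za-z]:\\.*?\.(?:exe|dll)\b)', re.IGNORECASE)
    paths = []
    for f in findings:
        m = path_re.search(f.line) if f.rule == "SPACE_BEFORE_EXT" else None
        if m:
            paths.append(m.group(1) or m.group(2))
    return paths


def expected_twin(path: str) -> str:
    """Name of the legitimate binary an impostor imitates: drop the padding."""
    return re.sub(r"[ \t]+(\.[A-Za-z0-9]+)$", r"\1", path)


# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrq.exe
O2 - BHO: (no name) - {F72F2D89-4A45-46F7-83A4-B45C5838806C} - C:\WINDOWS\system32\ssqrq.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px .exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor .exe" /Q
O4 - HKCU\..\Run: [Amhgr] "C:\Documents and Settings\Seth.YOUR-55E5F9E3D2.000\My Documents\a?sembly\r?gedit.exe"
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
"""

if __name__ == "__main__":
    hits = triage_hijackthis(SAMPLE_LOG)
    for h in hits:
        print(f"{h.rule:17} {h.line}")
    for p in impostor_paths(hits):
        print("impostor:", p, "-> twin:", expected_twin(p))
```

The NvCplDaemon and Default_Page_URL lines are included as benign controls: neither trips a rule, which is the point of stripping URLs before the '?' check.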
