
I am so frustrated with my computer. It works when it wants to and won't when it doesn't. Windows keep closing on me, the computer goes really slow at times, and my CD burner won't work properly when it did before. I have tried so many things; I just don't know what else to do. Please help.

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:34 PM, on 11/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
O2 - BHO: {ff58c7ee-4a23-ebaa-ede4-6729d6ba4500} - {0054ab6d-9276-4ede-aabe-32a4ee7c85ff} - C:\WINDOWS\system32\kcicddhl.dll (file missing)
O2 - BHO: (no name) - {0240CB11-AA5B-46C3-9FFC-684D4D489AC2} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {AAB76CC5-7767-458C-A3BF-D7F36F08AEA2} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {DEB27EE4-F5C0-4C9C-81A0-77D9285651D5} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [38d88512] rundll32.exe "C:\WINDOWS\system32\btbwebkl.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm098NCUS
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195009468921
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hggefec - hggefec.dll (file missing)
O20 - Winlogon Notify: vqwmqfqj - vqwmqfqj.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ubckcong.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)

--
End of file - 12017 bytes

2 contributors, 10 replies, 11 views, 9-year discussion span, last post by gerbil

Hi, mom,
Would you please start HijackThis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: {ff58c7ee-4a23-ebaa-ede4-6729d6ba4500} - {0054ab6d-9276-4ede-aabe-32a4ee7c85ff} - C:\WINDOWS\system32\kcicddhl.dll (file missing)
O2 - BHO: (no name) - {0240CB11-AA5B-46C3-9FFC-684D4D489AC2} - (no file)
O2 - BHO: (no name) - {AAB76CC5-7767-458C-A3BF-D7F36F08AEA2} - (no file)
O2 - BHO: (no name) - {DEB27EE4-F5C0-4C9C-81A0-77D9285651D5} - (no file)
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [38d88512] rundll32.exe "C:\WINDOWS\system32\btbwebkl.dll",b
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZKxdm098NCUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
O20 - Winlogon Notify: hggefec - hggefec.dll (file missing)
O20 - Winlogon Notify: vqwmqfqj - vqwmqfqj.dll (file missing)

Good. Now we remove this service:
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ubckcong.exe (file missing)
Delete this folder:
C:\program files\MyWebSearch
Delete these files:
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\btbwebkl.dll

==Go Start, Run, type services.msc and press Enter. Maximise the window and at the foot select the Extended tab, scroll to the specific service, right-click it, and select Properties. Write down the exact Service Name. Press Stop if it is highlighted [you may have to set the service to Disabled first]. Close Services, then type this line into the Run text box and press Enter:
sc delete "exact Service Name" - don't be silly now....
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it, double-click combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, reboot to restore the desktop.
Post that log plus a fresh HijackThis log, please.
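The selection gerbil made above follows a few recognisable signals: load points whose file is gone, a system binary name sitting in the wrong directory, an 8-hex-digit Run key name, a Winlogon Notify DLL with no path, a service with no publisher, and the MyWebSearch components. The script below is an added example written for this thread (it is not HijackThis code and not gerbil's), which applies those rules to a constructed sample copied in the shape of the log above. The marker strings and the rules themselves are assumptions drawn from this one thread; every hit means "look at this entry", not "this is malware" (SiteAdvisor's service also shows as Unknown owner and is legitimate).

```python
"""Triage rules for HijackThis v2 log lines (added example, not HijackThis code)."""
import re

# Substrings of the components gerbil removed in this thread (assumption:
# extend this list per case, it is not a general blacklist).
UNWANTED_MARKERS = ("mywebs", "funwebproducts", "imgfarm.com")

# The only place the real svchost.exe (and friends) live on Windows XP.
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed sample in the shape of the log above: a clean BHO, an orphaned
# BHO, a clean and a fake Run entry, a rundll32 loader, the MyWebSearch key,
# two Winlogon Notify entries and two Unknown-owner services.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0240CB11-AA5B-46C3-9FFC-684D4D489AC2} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [38d88512] rundll32.exe "C:\WINDOWS\system32\btbwebkl.dll",b
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hggefec - hggefec.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ubckcong.exe (file missing)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
"""

SYSTEM_BINARY = re.compile(r'([a-z]:\\[^\s"]*\\)(svchost|lsass|csrss|winlogon)\.exe')
HEX_RUN_KEY = re.compile(r"\\run: \[([0-9a-f]{8})\]")


def triage_line(line):
    """Return the list of reasons one HijackThis line deserves a look."""
    low = line.lower()
    kind = line.split(" - ", 1)[0].strip()      # "O2", "O4", "O20", "O23", ...
    reasons = []

    # Load point still fires but its target is gone: a half-removed infection,
    # or a DLL the malware re-creates under a new random name each boot.
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("orphaned load point")

    # A core system binary name outside system32 is a classic masquerade.
    m = SYSTEM_BINARY.search(low)
    if m and m.group(1) != SYSTEM32:
        reasons.append("system binary name outside system32: " + m.group(0))

    if kind == "O4":
        m = HEX_RUN_KEY.search(low)
        if m:
            reasons.append("random run-key name [" + m.group(1) + "]")
        # Legitimate software uses rundll32 too; this is a "check the DLL" flag.
        if "rundll32" in low:
            reasons.append("DLL loaded via rundll32 at logon")

    # Winlogon Notify DLLs normally carry a full path; a bare name is odd.
    if kind == "O20" and "\\" not in line:
        reasons.append("Winlogon Notify DLL given without a path")

    if kind == "O23" and "unknown owner" in low:
        reasons.append("service with no publisher")

    if any(marker in low for marker in UNWANTED_MARKERS):
        reasons.append("known unwanted component")

    return reasons


def triage(log_text):
    """Return [(line, reasons)] for every non-empty line that raised a flag."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run against the sample, seven of the ten lines are flagged and the three clean entries (Adobe, ehTray, SUPERAntiSpyware) pass; the SiteAdvisor hit shows why the output is a reading list rather than a fix list.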


I did the HijackThis part.

I can't find C:\program files\MyWebSearch.

It won't let me delete C:\WINDOWS\Fonts\svchost.exe,
and there are two of those files: one in the C: folder and one in the D: folder. I went to the Ctrl-Alt-Del screen and went to Processes because it said it was in use or locked, and there are two files; when I try to end the process, it makes the computer turn off. It gives me a minute and then shuts down.

I also can't find C:\WINDOWS\system32\btbwebkl.dll.
There is always an error message when I start the computer saying it can't utilize that file or something like that, and all I can do is press OK.

I didn't go any farther than that yet. Hope you can help. Thank you.


I went ahead and tried to do the last part. This is the log.

ComboFix 07-11-19.3 - marci 2007-11-25 12:19:00.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.423 [GMT -5:00]
Running from: C:\Documents and Settings\marci\Local Settings\Temporary Internet Files\Content.IE5\71A7LMF6\ComboFix[1].exe
* Created a new restore point
.


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.


C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\greg\Desktop\Live Safety Center.lnk
C:\Documents and Settings\greg\Desktop\Online Security Guide.lnk
C:\Documents and Settings\greg\Favorites\Online Security Guide.lnk
C:\Documents and Settings\marci\Application Data\FunWebProducts
C:\Documents and Settings\marci\Favorites\Online Security Guide.lnk
C:\Program Files\internet explorer\msimg32.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\vqwmqfqj.dllbox
D:\Autorun.inf


.
(((((((((((((((((((((((((   Files Created from 2007-10-25 to 2007-11-25  )))))))))))))))))))))))))))))))
.


2007-11-24 21:21    <DIR>    d--------   C:\Program Files\Opera
2007-11-24 18:07    <DIR>    d--------   C:\Program Files\n7 Studios
2007-11-24 15:35    <DIR>    d--------   C:\Program Files\HT Fireman CDDVD Burner 1.4
2007-11-22 17:11    940,794 --a------   C:\WINDOWS\system32\LoopyMusic.wav
2007-11-22 17:11    146,650 --a------   C:\WINDOWS\system32\BuzzingBee.wav
2007-11-22 17:11    81,920  --a------   C:\WINDOWS\ALCFDRTM.EXE
2007-11-21 20:33    5,387   --a------   C:\WINDOWS\system32\jupdate-1.6.0_03-b05.log
2007-11-21 17:15    <DIR>    d--------   C:\Documents and Settings\greg\Application Data\AVG7
2007-11-21 08:13    <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\AVG7
2007-11-20 22:32    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\AVG7
2007-11-20 22:31    <DIR>    d--------   C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-20 22:31    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\avg7
2007-11-20 22:21    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\FrostWire
2007-11-20 20:19    775,902 ---hs----   C:\WINDOWS\system32\lkbewbtb.ini
2007-11-19 23:00    6,058,496   --a------   C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-19 23:00    2,455,488   --a------   C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-19 23:00    991,232 --a------   C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-19 23:00    459,264 --a------   C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-19 23:00    383,488 --a------   C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-19 23:00    267,776 --a------   C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-19 23:00    63,488  --a------   C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-19 23:00    52,224  --a------   C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-19 23:00    13,824  --a------   C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-19 10:02    688,633 --ahs----   C:\WINDOWS\system32\stpgqvlf.ini
2007-11-18 21:00    <DIR>    d--------   C:\SystemRoot
2007-11-18 20:55    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\WinBatch
2007-11-18 20:51    <DIR>    d--------   C:\temp
2007-11-18 15:36    <DIR>    d--------   C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2007-11-18 13:53    <DIR>    d--------   C:\Program Files\FrostWire
2007-11-17 22:41    <DIR>    d--------   C:\Program Files\Lavasoft
2007-11-17 22:41    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-17 22:15    <DIR>    d--------   C:\Program Files\Trend Micro
2007-11-17 22:11    <DIR>    d--------   C:\VundoFix Backups
2007-11-17 21:51    102,664 --a------   C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-17 21:49    <DIR>    d--------   C:\Documents and Settings\marci\.housecall6.6
2007-11-17 21:49    445,370 --ahs----   C:\WINDOWS\system32\jmllm.ini2
2007-11-17 21:48    <DIR>    d--------   C:\WINDOWS\Sun
2007-11-17 21:36    <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\HPQ
2007-11-17 15:36    <DIR>    d--------   C:\Documents and Settings\greg\Application Data\LimeWire
2007-11-17 15:35    <DIR>    d--------   C:\Documents and Settings\greg\Application Data\SiteAdvisor
2007-11-17 12:41    28,672  --a------   C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-11-17 12:17    4,112   --a------   C:\WINDOWS\system32\tmp.reg
2007-11-17 12:17    0   --a------   C:\WINDOWS\system32\tmp.txt
2007-11-17 10:20    14,018  --ahs----   C:\WINDOWS\system32\rrqss.ini2
2007-11-17 09:07    <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-11-17 09:00    <DIR>    d--------   C:\Program Files\SUPERAntiSpyware
2007-11-17 09:00    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\SUPERAntiSpyware.com
2007-11-17 09:00    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-17 08:31    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\HPQ
2007-11-17 08:12    9,503   --a------   C:\WINDOWS\system32\Config.MPF
2007-11-16 22:14    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-16 22:07    <DIR>    d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-11-16 21:45    <DIR>    d--------   C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-11-16 21:44    <DIR>    d--------   C:\Program Files\SiteAdvisor
2007-11-16 21:44    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\SiteAdvisor
2007-11-16 21:44    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-11-16 21:41    201,288 --a------   C:\WINDOWS\system32\drivers\mfehidk.sys
2007-11-16 21:41    79,304  --a------   C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-11-16 21:41    40,488  --a------   C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-11-16 21:41    35,240  --a------   C:\WINDOWS\system32\drivers\mfebopk.sys
2007-11-16 21:41    33,800  --a------   C:\WINDOWS\system32\drivers\mferkdk.sys
2007-11-16 21:40    113,952 --a------   C:\WINDOWS\system32\drivers\Mpfp.sys
2007-11-16 21:37    <DIR>    d--------   C:\Program Files\McAfee.com
2007-11-16 21:37    <DIR>    d--------   C:\Program Files\Common Files\McAfee
2007-11-16 21:36    <DIR>    d--------   C:\Program Files\McAfee
2007-11-16 20:55    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-16 20:49    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\WinPatrol
2007-11-16 20:48    <DIR>    d--------   C:\Program Files\BillP Studios
2007-11-16 18:42    688,573 --ahs----   C:\WINDOWS\system32\qbdxdgri.ini
2007-11-16 18:35    2,413   --a------   C:\Documents and Settings\greg\x.dat
2007-11-16 18:35    2,269   --a------   C:\Documents and Settings\greg\z.dat
2007-11-15 22:30    455,668 --ahs----   C:\WINDOWS\system32\gjllm.ini2
2007-11-15 22:30    455,668 --ahs----   C:\WINDOWS\system32\gjllm.ini
2007-11-15 22:28    147,456 --a------   C:\WINDOWS\system32\vbzip10.dll
2007-11-15 22:25    1,517   --a------   C:\Documents and Settings\marci\x.dat
2007-11-15 22:25    1,427   --a------   C:\Documents and Settings\marci\z.dat
2007-11-15 22:25    120 --a------   C:\n.bat
2007-11-15 22:25    0   --a------   C:\z.dat
2007-11-15 22:25    0   --a------   C:\x.dat
2007-11-15 21:08    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\Apple Computer
2007-11-15 21:05    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\Template
2007-11-15 21:05    0   --a------   C:\Documents and Settings\marci\Application Data\wklnhst.dat
2007-11-14 21:55    <DIR>    d--------   C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-14 07:32    271,224 --a------   C:\WINDOWS\system32\mucltui.dll
2007-11-14 07:32    30,072  --a------   C:\WINDOWS\system32\mucltui.dll.mui
2007-11-11 21:41    <DIR>    d--------   C:\Program Files\QuickTime
2007-11-11 21:41    <DIR>    d--------   C:\Program Files\Apple Software Update
2007-11-11 21:41    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-11 21:41    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Apple
2007-11-11 15:54    <DIR>    d--------   C:\Documents and Settings\greg\Application Data\Sonic
2007-11-11 15:54    <DIR>    d--------   C:\Documents and Settings\greg\Application Data\Leadertech
2007-11-10 23:28    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\Sonic
2007-11-10 23:28    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\Leadertech
2007-11-10 21:57    <DIR>    d---s----   C:\Documents and Settings\greg\UserData
2007-11-10 15:34    129,400 --a------   C:\WINDOWS\system32\TZLog.log
2007-11-10 15:32    <DIR>    d--------   C:\Program Files\MSXML 4.0
2007-11-10 15:30    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\HP
2007-11-10 14:30    <DIR>    d--------   C:\Documents and Settings\greg\Application Data\MySpace
2007-11-10 11:51    23,040  ---------   C:\WINDOWS\kb913800.exe
2007-11-10 11:50    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Yahoo!


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 19:04]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 07:51]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 02:19 C:\WINDOWS\arpwrmsg.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 03:07 C:\WINDOWS\system32\HdAShCut.exe]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 13:06]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 13:10]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 01:35]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 12:41]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 09:12]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-17 08:43]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 16:57]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 19:04]


C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-11-17 08:03:54]


C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 09:23:26]
Updates from HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2005-11-17 09:03:02]


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme


[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


S4 0312811195683926mcinstcleanup;McAfee Application Installer Cleanup (0312811195683926);C:\WINDOWS\TEMP\031281~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service


.
Contents of the 'Scheduled Tasks' folder
"2007-11-05 02:30:00 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exe
"2007-11-17 02:38:55 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-11-17 02:38:53 C:\WINDOWS\Tasks\McQcTask.job"
"2007-11-09 04:55:52 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************


catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-25 12:24:06
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully
hidden files: 0


**************************************************************************
.
Completion time: 2007-11-25 12:26:58 - machine was rebooted
.
--- E O F ---

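The "Files Created" section of the ComboFix log above is where a helper looks next: it lists several .ini/.ini2 files in system32 created with the hidden and system attributes set (--ahs---- / ---hs----), and a batch file at the root of C:. The script below is an added example written for this thread (not ComboFix's code) that parses the date, size, attribute and path columns of that listing and flags two patterns: a regular file created with both hidden and system attributes, and an executable or script created directly at a drive root. The sample listing is constructed in the shape of the log above, and both rules are heuristics for "inspect this", not verdicts.

```python
"""Parse and triage a ComboFix "Files Created" listing (added example)."""
import re

# Constructed sample copied in the shape of the listing above.
SAMPLE_CREATED = r"""
2007-11-24 21:21    <DIR>    d--------   C:\Program Files\Opera
2007-11-20 20:19    775,902 ---hs----   C:\WINDOWS\system32\lkbewbtb.ini
2007-11-19 23:00    6,058,496   --a------   C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-17 21:49    445,370 --ahs----   C:\WINDOWS\system32\jmllm.ini2
2007-11-16 21:41    201,288 --a------   C:\WINDOWS\system32\drivers\mfehidk.sys
2007-11-15 22:25    120 --a------   C:\n.bat
2007-11-15 22:25    0   --a------   C:\z.dat
2007-11-10 21:57    <DIR>    d---s----   C:\Documents and Settings\greg\UserData
"""

# date time, size or <DIR>, nine-character attribute field, path
LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([-a-z]{9})\s+(.+?)\s*$"
)
# Executable/script extensions that have no business being dropped at a drive root.
ROOT_EXECUTABLE = re.compile(r"^[a-z]:\\[^\\]+\.(exe|bat|cmd|com|inf|vbs|scr|pif)$")
SYSTEM32 = "c:\\windows\\system32"


def parse_created(text):
    """Return one dict per listing line; lines that do not parse are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when, size, attrs, path = m.groups()
        entries.append({
            "when": when,
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "attrs": attrs,
            "is_dir": attrs[0] == "d",
            "path": path,
        })
    return entries


def triage_created(text):
    """Return [(path, reason)] for entries matching either heuristic."""
    hits = []
    for e in parse_created(text):
        low = e["path"].lower()
        parent = low.rsplit("\\", 1)[0]
        # Installers do not normally mark their new files hidden+system;
        # droppers do, to keep them out of Explorer's default view.
        if not e["is_dir"] and "h" in e["attrs"] and "s" in e["attrs"]:
            reason = "hidden+system attributes on a new file"
            if parent == SYSTEM32:
                reason += " in system32"
            hits.append((e["path"], reason))
        # A script or executable at a drive root is the shape an autorun.inf
        # points at on a removable drive.
        elif ROOT_EXECUTABLE.match(low):
            hits.append((e["path"], "executable or script created at a drive root"))
    return hits


if __name__ == "__main__":
    for path, reason in triage_created(SAMPLE_CREATED):
        print(path, "->", reason)
```

On the sample, the two hidden+system .ini files in system32 and C:\n.bat are reported; the UserData directory carries the system attribute only and is left alone, as are the driver and dllcache files.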


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:12 PM, on 11/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\internet explorer\iexplore.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\windows\system\hpsysdrv.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195009468921
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)

--
End of file - 10502 bytes


Hello again, Marci.
It appears that you have a vundo infection, or traces of one.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
==Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!

==What files are in this folder: C:\SystemRoot ?

==Please move Combofix from where it is to either your desktop or a new folder.
==Copy the text between the lines to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix - that is, to a folder or your desktop.
__________________________________________________________
File::
C:\WINDOWS\system32\lkbewbtb.ini
C:\WINDOWS\system32\stpgqvlf.ini
C:\WINDOWS\system32\jmllm.ini2
C:\WINDOWS\system32\rrqss.ini2
C:\WINDOWS\system32\qbdxdgri.ini
C:\WINDOWS\system32\gjllm.ini2
C:\WINDOWS\system32\gjllm.ini
C:\Documents and Settings\marci\x.dat
C:\Documents and Settings\marci\z.dat
C:\n.bat
C:\z.dat
C:\x.dat
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\btbwebkl.dll
__________________________________________________________

Good. Now drag CFScript.txt onto Combofix [drag the icon if on your desktop, or the filename if in a folder]. Combofix will start; let it run. If your firewall prompts, allow all; post the log.
K. Post that log, the contents of C:\vundofix.txt plus a new HijackThis log.
And tell me about C:\Systemroot folder's contents.


The vundofix did not find any infected files. I looked in the SystemRoot folder and there was nothing shown in it. I did the combo fix and the log is below; I will post the new hijackthis log next.

ComboFix 07-11-19.4 - marci 2007-11-26 21:21:06.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.448 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\marci\Desktop\CFScript.txt
* Created a new restore point


FILE
C:\Documents and Settings\marci\x.dat
C:\Documents and Settings\marci\z.dat
C:\n.bat
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\btbwebkl.dll
C:\WINDOWS\system32\gjllm.ini
C:\WINDOWS\system32\gjllm.ini2
C:\WINDOWS\system32\jmllm.ini2
C:\WINDOWS\system32\lkbewbtb.ini
C:\WINDOWS\system32\qbdxdgri.ini
C:\WINDOWS\system32\rrqss.ini2
C:\WINDOWS\system32\stpgqvlf.ini
C:\x.dat
C:\z.dat
.


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.


C:\Documents and Settings\marci\x.dat
C:\Documents and Settings\marci\z.dat
C:\n.bat
C:\WINDOWS\system32\gjllm.ini
C:\WINDOWS\system32\gjllm.ini2
C:\WINDOWS\system32\jmllm.ini2
C:\WINDOWS\system32\lkbewbtb.ini
C:\WINDOWS\system32\qbdxdgri.ini
C:\WINDOWS\system32\rrqss.ini2
C:\WINDOWS\system32\stpgqvlf.ini
C:\x.dat
C:\z.dat


.
(((((((((((((((((((((((((   Files Created from 2007-10-27 to 2007-11-27  )))))))))))))))))))))))))))))))
.


2007-11-25 19:55    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\Uniblue
2007-11-25 19:54    <DIR>    d--------   C:\Program Files\Uniblue
2007-11-25 18:29    <DIR>    d--------   C:\Program Files\A Christmas Tree Screensaver
2007-11-24 21:21    <DIR>    d--------   C:\Program Files\Opera
2007-11-24 18:07    <DIR>    d--------   C:\Program Files\n7 Studios
2007-11-24 15:35    <DIR>    d--------   C:\Program Files\HT Fireman CDDVD Burner 1.4
2007-11-22 17:11    940,794 --a------   C:\WINDOWS\system32\LoopyMusic.wav
2007-11-22 17:11    146,650 --a------   C:\WINDOWS\system32\BuzzingBee.wav
2007-11-22 17:11    81,920  --a------   C:\WINDOWS\ALCFDRTM.EXE
2007-11-21 17:15    <DIR>    d--------   C:\Documents and Settings\greg\Application Data\AVG7
2007-11-21 08:13    <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\AVG7
2007-11-20 22:32    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\AVG7
2007-11-20 22:31    <DIR>    d--------   C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-20 22:31    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\avg7
2007-11-20 22:21    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\FrostWire
2007-11-19 23:00    6,058,496   --a------   C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-19 23:00    2,455,488   --a------   C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-19 23:00    991,232 --a------   C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-19 23:00    459,264 --a------   C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-19 23:00    383,488 --a------   C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-19 23:00    267,776 --a------   C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-19 23:00    63,488  --a------   C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-19 23:00    52,224  --a------   C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-19 23:00    13,824  --a------   C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-18 21:00    <DIR>    d--------   C:\SystemRoot
2007-11-18 20:55    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\WinBatch
2007-11-18 20:51    <DIR>    d--------   C:\temp
2007-11-18 15:36    <DIR>    d--------   C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2007-11-18 13:53    <DIR>    d--------   C:\Program Files\FrostWire
2007-11-17 22:41    <DIR>    d--------   C:\Program Files\Lavasoft
2007-11-17 22:41    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-17 22:15    <DIR>    d--------   C:\Program Files\Trend Micro
2007-11-17 22:11    <DIR>    d--------   C:\VundoFix Backups
2007-11-17 21:51    102,664 --a------   C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-17 21:49    <DIR>    d--------   C:\Documents and Settings\marci\.housecall6.6
2007-11-17 21:48    <DIR>    d--------   C:\WINDOWS\Sun
2007-11-17 21:36    <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\HPQ
2007-11-17 15:36    <DIR>    d--------   C:\Documents and Settings\greg\Application Data\LimeWire
2007-11-17 15:35    <DIR>    d--------   C:\Documents and Settings\greg\Application Data\SiteAdvisor
2007-11-17 12:41    28,672  --a------   C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-11-17 12:17    4,112   --a------   C:\WINDOWS\system32\tmp.reg
2007-11-17 09:07    <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-11-17 09:00    <DIR>    d--------   C:\Program Files\SUPERAntiSpyware
2007-11-17 09:00    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\SUPERAntiSpyware.com
2007-11-17 09:00    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-17 08:31    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\HPQ
2007-11-17 08:12    9,503   --a------   C:\WINDOWS\system32\Config.MPF
2007-11-16 22:14    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-16 22:07    <DIR>    d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-11-16 21:45    <DIR>    d--------   C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-11-16 21:44    <DIR>    d--------   C:\Program Files\SiteAdvisor
2007-11-16 21:44    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\SiteAdvisor
2007-11-16 21:44    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-11-16 21:41    201,288 --a------   C:\WINDOWS\system32\drivers\mfehidk.sys
2007-11-16 21:41    79,304  --a------   C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-11-16 21:41    40,488  --a------   C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-11-16 21:41    35,240  --a------   C:\WINDOWS\system32\drivers\mfebopk.sys
2007-11-16 21:41    33,800  --a------   C:\WINDOWS\system32\drivers\mferkdk.sys
2007-11-16 21:40    113,952 --a------   C:\WINDOWS\system32\drivers\Mpfp.sys
2007-11-16 21:37    <DIR>    d--------   C:\Program Files\McAfee.com
2007-11-16 21:37    <DIR>    d--------   C:\Program Files\Common Files\McAfee
2007-11-16 21:36    <DIR>    d--------   C:\Program Files\McAfee
2007-11-16 20:55    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-16 20:49    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\WinPatrol
2007-11-16 20:48    <DIR>    d--------   C:\Program Files\BillP Studios
2007-11-16 18:35    2,413   --a------   C:\Documents and Settings\greg\x.dat
2007-11-16 18:35    2,269   --a------   C:\Documents and Settings\greg\z.dat
2007-11-15 22:28    147,456 --a------   C:\WINDOWS\system32\vbzip10.dll
2007-11-15 21:08    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\Apple Computer
2007-11-15 21:05    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\Template
2007-11-15 21:05    0   --a------   C:\Documents and Settings\marci\Application Data\wklnhst.dat
2007-11-14 21:55    <DIR>    d--------   C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-14 07:32    271,224 --a------   C:\WINDOWS\system32\mucltui.dll
2007-11-14 07:32    30,072  --a------   C:\WINDOWS\system32\mucltui.dll.mui
2007-11-11 21:41    <DIR>    d--------   C:\Program Files\QuickTime
2007-11-11 21:41    <DIR>    d--------   C:\Program Files\Apple Software Update
2007-11-11 21:41    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-11 21:41    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Apple
2007-11-11 15:54    <DIR>    d--------   C:\Documents and Settings\greg\Application Data\Sonic
2007-11-11 15:54    <DIR>    d--------   C:\Documents and Settings\greg\Application Data\Leadertech
2007-11-10 23:28    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\Sonic
2007-11-10 23:28    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\Leadertech
2007-11-10 21:57    <DIR>    d---s----   C:\Documents and Settings\greg\UserData
2007-11-10 15:32    <DIR>    d--------   C:\Program Files\MSXML 4.0
2007-11-10 15:30    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\HP
2007-11-10 14:30    <DIR>    d--------   C:\Documents and Settings\greg\Application Data\MySpace
2007-11-10 11:51    23,040  ---------   C:\WINDOWS\kb913800.exe
2007-11-10 11:50    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-10 11:48    <DIR>    d--------   C:\Program Files\Yahoo!
2007-11-09 22:27    <DIR>    d--------   C:\Program Files\MySpace
2007-11-09 22:27    <DIR>    d--------   C:\Documents and Settings\marci\Application Data\MySpace
2007-11-09 09:10    <DIR>    d--hs----   C:\Documents and Settings\marci\UserData
2007-11-09 09:03    <DIR>    d--------   C:\Documents and Settings\greg\Shared
2007-11-09 09:03    <DIR>    d--------   C:\Documents and Settings\greg\Incomplete
2007-11-09 09:03    <DIR>    d--------   C:\Documents and Settings\greg\Application Data\FrostWire
2007-11-09 09:01    <DIR>    d--------   C:\Documents and Settings\greg\WINDOWS
2007-11-09 09:01    <DIR>    d--------   C:\Documents and Settings\greg\Application Data\Symantec
2007-11-09 09:01    <DIR>    d--------   C:\Documents and Settings\greg\Application Data\Intuit
2007-11-09 09:01    <DIR>    d--------   C:\Documents and Settings\greg\Application Data\Digital Interactive Systems Corporation
2007-11-09 08:58    <DIR>    d--------   C:\Documents and Settings\marci\Shared


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.


(((((((((((((((((((((((((((((   snapshot@2007-11-25_12.26.18.40   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-25 19:05:45   26,624  ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\d6652cfc7f6018eed9f5af0ab54a5fbd\Accessibility.ni.dll
+ 2007-11-25 19:05:49   888,832 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\092bf3cc8044d2d907d217ddadaee5bf\AspNetMMCExt.ni.dll
+ 2007-11-25 19:05:50   237,568 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\e916794475f60f6fdeda5abc582ab0e0\CustomMarshalers.ni.dll
+ 2007-11-25 19:05:49   15,360  ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\b287592c089a5c567ff52af8c9bbfd3f\dfsvc.ni.exe
+ 2007-11-25 19:05:52   880,640 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\a332a2f7f965beb9f3b2661c5b7b7920\Microsoft.Build.Engine.ni.dll
+ 2007-11-25 19:05:52   81,920  ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\4f35fff09ced0739ec67374b29ca257c\Microsoft.Build.Framework.ni.dll
+ 2007-11-25 19:05:56   1,687,552   ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\40c449b85be08f74666e578de70723b7\Microsoft.Build.Tasks.ni.dll
+ 2007-11-25 19:05:56   163,840 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\2892e08fb3b2dd93f88db30da4437a9f\Microsoft.Build.Utilities.ni.dll
+ 2007-11-25 19:06:00   1,720,320   ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\25e198cac97b29d08c492bc5388a9fec\Microsoft.VisualBasic.ni.dll
+ 2007-11-25 19:06:01   1,003,520   ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\54f291b3d674c2ea212a9244f3ba9fbd\System.Configuration.ni.dll
+ 2007-11-25 19:06:03   1,724,416   ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Deployment\8b1086c976b2577a95e0e7f113caf7bf\System.Deployment.ni.dll
+ 2007-11-25 19:06:05   1,216,512   ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\046eec3d74cec4cd460ff7c1842d257e\System.DirectoryServices.ni.dll
+ 2007-11-25 19:06:06   512,000 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\5449046c90901704a120252427a00033\System.DirectoryServices.Protocols.ni.dll
+ 2007-11-25 19:06:07   659,456 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\a50404715d38a9b2035dcac4d5fbf9c8\System.EnterpriseServices.ni.dll
+ 2007-11-25 19:06:07   294,912 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\a50404715d38a9b2035dcac4d5fbf9c8\System.EnterpriseServices.Wrapper.dll
+ 2007-11-25 19:06:09   729,088 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Security\8962db3b03601d2c02f3836f1e523170\System.Security.ni.dll
+ 2007-11-25 19:06:10   684,032 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Transactions\610351fe2a8d287c009a958ac852e2d0\System.Transactions.ni.dll
+ 2007-11-25 19:06:32   2,306,048   ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\ab2958c06dce21c6cc3515068671c3a9\System.Web.Mobile.ni.dll
+ 2007-11-25 19:06:33   237,568 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\bede7399f09b947c9c27f702bfff7c7a\System.Web.RegularExpressions.ni.dll
+ 2007-11-25 19:06:36   1,941,504   ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Services\0c492219b15640ed399b978141942e54\System.Web.Services.ni.dll
+ 2007-11-25 19:06:29   12,185,600  ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\7a66b932276b50c95261a636d7a51f34\System.Web.ni.dll
+ 2003-12-08 17:18:00   413,696 ----a-w C:\WINDOWS\system32\A Christmas Tree.scr
- 2007-11-25 16:16:06   32,768  ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-27 01:02:31   32,768  ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-11-25 16:16:06   32,768  ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-27 01:02:31   32,768  ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-11-25 16:16:06   32,768  ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-27 01:02:31   32,768  ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 19:04]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 07:51]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 02:19 C:\WINDOWS\arpwrmsg.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 03:07 C:\WINDOWS\system32\HdAShCut.exe]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 13:06]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 13:10]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 01:35]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 12:41]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 09:12]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-17 08:43]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 16:57]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 19:04]


C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-11-17 08:03:54]


C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 09:23:26]
Updates from HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2005-11-17 09:03:02]


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme


[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


S4 0312811195683926mcinstcleanup;McAfee Application Installer Cleanup (0312811195683926);C:\WINDOWS\TEMP\031281~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service


.
Contents of the 'Scheduled Tasks' folder
"2007-11-05 02:30:00 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exe
"2007-11-17 02:38:55 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-11-17 02:38:53 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-11-09 04:55:52 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************


catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-26 21:22:59
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully
hidden files: 0


**************************************************************************
.
Completion time: 2007-11-26 21:24:01
C:\ComboFix2.txt ... 2007-11-25 12:26
.
--- E O F ---

Edited by happygeek: fixed formatting
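The helper's CFScript above lists files for ComboFix to delete, and the log that follows echoes that list under "FILE" and then lists what was actually removed under "Other Deletions". As an added example that is not part of this thread and not a ComboFix or HijackThis tool, the Python script below cross-checks the two so that any file the script asked for but the log does not confirm as deleted stands out. The section names follow the layout of the posted log; the sample script and log text are constructed from the posts above (trimmed to the relevant sections), and the function names are this example's own.

```python
# Added example (not part of the thread, not a ComboFix/HijackThis tool):
# cross-checks the 'File::' list of a CFScript against the ComboFix log,
# following the section layout visible in the log posted above.
import re

# Constructed sample: the CFScript the helper asked for, as posted above.
CFSCRIPT = r"""File::
C:\WINDOWS\system32\lkbewbtb.ini
C:\WINDOWS\system32\stpgqvlf.ini
C:\WINDOWS\system32\jmllm.ini2
C:\WINDOWS\system32\rrqss.ini2
C:\WINDOWS\system32\qbdxdgri.ini
C:\WINDOWS\system32\gjllm.ini2
C:\WINDOWS\system32\gjllm.ini
C:\Documents and Settings\marci\x.dat
C:\Documents and Settings\marci\z.dat
C:\n.bat
C:\z.dat
C:\x.dat
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\btbwebkl.dll
"""

# Constructed sample: the relevant sections of the ComboFix log posted above (trimmed).
COMBOFIX_LOG = r"""ComboFix 07-11-19.4 - marci 2007-11-26 21:21:06.3 - NTFSx86

FILE
C:\Documents and Settings\marci\x.dat
C:\Documents and Settings\marci\z.dat
C:\n.bat
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\btbwebkl.dll
C:\WINDOWS\system32\gjllm.ini
C:\WINDOWS\system32\gjllm.ini2
C:\WINDOWS\system32\jmllm.ini2
C:\WINDOWS\system32\lkbewbtb.ini
C:\WINDOWS\system32\qbdxdgri.ini
C:\WINDOWS\system32\rrqss.ini2
C:\WINDOWS\system32\stpgqvlf.ini
C:\x.dat
C:\z.dat
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Documents and Settings\marci\x.dat
C:\Documents and Settings\marci\z.dat
C:\n.bat
C:\WINDOWS\system32\gjllm.ini
C:\WINDOWS\system32\gjllm.ini2
C:\WINDOWS\system32\jmllm.ini2
C:\WINDOWS\system32\lkbewbtb.ini
C:\WINDOWS\system32\qbdxdgri.ini
C:\WINDOWS\system32\rrqss.ini2
C:\WINDOWS\system32\stpgqvlf.ini
C:\x.dat
C:\z.dat
(((((((((((((((((((((((((   Files Created from 2007-10-27 to 2007-11-27  )))))))))))))))))))))))))))))))
2007-11-18 21:00    <DIR>    d--------   C:\SystemRoot
"""

BANNER = re.compile(r"^\(+\s*(.*?)\s*\)+\s*$")      # ((((  Section name  ))))
PATH_LINE = re.compile(r"^([A-Za-z]:\\\S.*?)\s*$")   # a bare path on its own line
DATED_LINE = re.compile(                             # "date time size attrs path" entries
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:<DIR>|[\d,]+)\s+\S+\s+([A-Za-z]:\\.*?)\s*$")

def parse_cfscript(text):
    """Paths listed under the 'File::' directive, in script order."""
    paths, in_file = [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("::"):            # a directive such as File:: or Registry::
            in_file = line.lower() == "file::"
        elif in_file and PATH_LINE.match(line):
            paths.append(line)
    return paths

def parse_combofix_sections(text):
    """Map each section ('FILE', 'Other Deletions', ...) to the paths it lists."""
    sections, current = {}, None
    for line in (l.rstrip() for l in text.splitlines()):
        banner = BANNER.match(line)
        if line.strip() == "FILE" or banner:
            current = banner.group(1) if banner else "FILE"
            sections[current] = []
            continue
        m = PATH_LINE.match(line) or DATED_LINE.match(line)
        if m and current is not None:
            sections[current].append(m.group(1))
    return sections

def verify_deletions(cfscript_text, log_text):
    """Split the requested files into those the log confirms deleted and the rest.
    Windows paths are case-insensitive, so the comparison is done on lowercased paths."""
    requested = parse_cfscript(cfscript_text)
    deleted = {p.lower() for p in parse_combofix_sections(log_text).get("Other Deletions", [])}
    return {"confirmed": [p for p in requested if p.lower() in deleted],
            "unconfirmed": [p for p in requested if p.lower() not in deleted]}

if __name__ == "__main__":
    for path in verify_deletions(CFSCRIPT, COMBOFIX_LOG)["unconfirmed"]:
        print("requested but not listed under 'Other Deletions':", path)
```

Run against the sample, the script reports that twelve of the fourteen requested files appear under "Other Deletions" and that C:\WINDOWS\Fonts\svchost.exe and C:\WINDOWS\system32\btbwebkl.dll do not. Absence from that section is only a prompt to look again at those paths in the next log; it is not by itself proof that the files survived or that they were malicious.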


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:19 PM, on 11/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195009468921
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)

--
End of file - 10513 bytes

marci, delete this folder and these two files:
C:\SystemRoot
C:\Documents and Settings\greg\x.dat
C:\Documents and Settings\greg\z.dat
How are things running now?

I deleted those files... The computer seems to be working pretty well; the only problem that I am still having is the CD burner. It starts to burn a CD, but only gets one song burnt, or won't play all the songs... I have burned CDs that play all the way through, it just has been acting up lately... I tried again today, after I deleted the files from above. Any suggestions? Thanks for all your help.

Mmm... as a first step I would reinstall my burner software. But I am not the one to ask; I still get pretty excited when I do a fault-free load and burn.
You know, you have a fairly uninteresting set of home pages. If you don't like them, clear those R0 and R1 entries and choose a homepage that you actually use a lot, or, to save wasting downloads, just use about:blank [you set that via Internet Options, General, Use Blank].

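Added example (not part of the thread, and not HijackThis's own code): a small Python parser for the R0/R1, O2, O4 and O23 entry formats that appear in the log posted above, plus a few triage rules. It shows which registry values the "clear those R0 and R1 entries" advice refers to, and separates the autorun and service lines a reviewer would look at first. The sample lines are copied from the log above as a constructed subset; the triage heuristics (bare filename in a Run value, Run values under the SYSTEM or default-user hive, services with no publisher name or a missing file) are mine, and a flagged line is something to verify, not a finding of malware.

```python
"""Parse the entry types that appear in a HijackThis log and pick out the
lines worth a second look.  Added example; not HijackThis code."""
import re

# A handful of lines copied from the HijackThis log posted above. This is a
# constructed subset for the example, not the full log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
"""

# One regex per entry type. R0/R1: IE start/search URLs (hive\key,value = url).
# O2: browser helper objects. O4: autorun registry values. O23: services.
R_RE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),(.+?) = (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (.+?)\\\.\.\\Run: \[(.*?)\] (.*?)(?: \(User '(.*?)'\))?$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*?)( \(file missing\))?$")


def executable_of(command):
    """Best-effort split of a Run value into the program it launches.
    Quoted paths are taken as-is; otherwise the text up to the first
    '.exe' is used, because HijackThis prints unquoted paths with spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def parse_log(text):
    """Return one dict per recognised entry; other line types are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := R_RE.match(line):
            entries.append({"type": m[1], "hive": m[2], "key": m[3],
                            "value": m[4], "url": m[5]})
        elif m := O2_RE.match(line):
            entries.append({"type": "O2", "name": m[1], "clsid": m[2], "path": m[3]})
        elif m := O4_RE.match(line):
            entries.append({"type": "O4", "hive": m[1], "name": m[2],
                            "command": m[3], "exe": executable_of(m[3]),
                            "user": m[4] or "current user"})
        elif m := O23_RE.match(line):
            entries.append({"type": "O23", "name": m[1], "owner": m[2],
                            "path": m[3], "missing": bool(m[4])})
    return entries


def triage(entries):
    """Apply a few review heuristics (mine, not HijackThis's own verdicts).
    A flagged entry is something to check, not evidence of malware."""
    findings = []
    for e in entries:
        if e["type"] in ("R0", "R1"):
            # These are the registry values the reply above says to clear
            # if the URLs are not ones you chose.
            findings.append(("browser-url",
                             f'{e["hive"]}\\{e["key"]} [{e["value"]}] -> {e["url"]}'))
        elif e["type"] == "O4":
            if "\\" not in e["exe"]:
                # No directory given: Windows resolves the name through its
                # search order, so confirm which file actually runs.
                findings.append(("bare-filename",
                                 f'[{e["name"]}] {e["exe"]} (no path given)'))
            if e["hive"].startswith("HKUS"):
                # Per-user app registered under SYSTEM or the default profile.
                findings.append(("system-or-default-hive",
                                 f'[{e["name"]}] runs as {e["user"]} from {e["hive"]}'))
        elif e["type"] == "O23":
            if e["missing"]:
                findings.append(("service-file-missing", f'{e["name"]}: {e["path"]}'))
            elif e["owner"] == "Unknown owner":
                # HijackThis found no company name in the binary's version info.
                findings.append(("service-unknown-owner", f'{e["name"]}: {e["path"]}'))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{kind:24} {detail}")
```

Run it against a full log by replacing SAMPLE_LOG with the file's contents; the regexes match the line shapes HijackThis 2.0.2 prints, and anything they do not recognise (O8, O9, O16, O20 and so on) is simply skipped rather than misreported.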