# Solved: Internet Explorer Pop-Ups while surfing on Firefox



## BLUEtiful (Jul 6, 2007)

Hello, I am new to the forums, and I did search for the same issue and I did find something, but I don't think it will help me (since we have different computers, and I have already tried some of the steps).

I would like some help with this please. This issue started happening recently (once my Windows XP got Service Pack 2 and other updates, and also an update from Firefox); it was around this time that all of this started happening.

Someone please help me, thanks in advance!

Okay here's my HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:41:04 PM, on 7/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Ares\Ares.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\NetConceal\Anonymity Shield\ProxyNew.dll
O2 - BHO: (no name) - {-6F74-2D-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: (no name) - {C-D283-AD0D-D10D-8FADAFE575E6} - C:\WINDOWS\system32\buqttx.dll (file missing)
O2 - BHO: (no name) - {C9571A4D-D9DF-F82F-8C0E-8BADDAE17795} - C:\WINDOWS\system32\rfnc.dll (file missing)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [BitPump] "C:\Program Files\AnalogX\BitPump\bitpump.exe" /VerifySettings
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Novosoft Office Backup] C:\Program Files\Novosoft\Novosoft Office Backup\hbagent.exe -logon
O4 - HKCU\..\Run: [Handy Backup 3.1] C:\Program Files\Novosoft\Novosoft Office Backup\hbagent.exe -logon
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with BitPump - C:\Program Files\AnalogX\BitPump\ieint.htm
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe


----------



## JSntgRvr (Jul 1, 2003)

Hi, *BLUE*. 

Welcome to TSG.

Your *Java* seems to be out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of *Java* components and upgrade the application. *Beware it is NOT supported for use in 9x or ME and probably will not install in those systems*

*Upgrading Java*: 

Download the latest version of *Java Runtime Environment (JRE) 6u1*.
Scroll down to where it says "*The J2SE Runtime Environment (JRE) allows end-users to run Java applications*".
Click the "*Download*" button to the right.
Check the box that says: "*Accept License Agreement*".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove Programs* and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.
Please download *VundoFix.exe* to your desktop.

*Note*:* In the event you already have Vundofix, this is a new version that I need you to download*.
Double-click *VundoFix.exe* to run it.
You will receive a message saying vundofix will close and re-open in a minute or less. Click *OK*
When VundoFix re-opens, click the *Scan for Vundo* button.
Once it's done scanning, click the *Remove Vundo* button.
You will receive a prompt asking if you want to remove the files, click *YES*
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click *OK*.
Turn your computer back on.
Please post the contents of C:\*vundofix.txt* in your next reply.
*Note:* It is possible that *VundoFix* encountered a file it could not remove. In this case, *VundoFix* will run on reboot; simply follow the above instructions starting from "Click the *Scan for Vundo* button" when VundoFix appears at reboot.

Download ComboFix from *Here* or *Here* to your Desktop.

*Note*:* In the event you already have Combofix, this is a new version that I need you to download*.

Double-click *combofix.exe* and follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.
*Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.*

Download *Superantispyware (SAS)*

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click *Yes*.
Under *Configuration and Preferences*, click the *Preferences* button.
Click the *Scanning Control *tab.
Under *Scanner Options* make sure the following are checked:
Close browsers before scanning
Scan for tracking cookies
Terminate memory threats before quarantining.
Please leave the others unchecked.
Click the Close button to leave the control center screen.

On the main screen, under *Scan for Harmful Software* click *Scan your computer*.
On the left check *C:\Fixed Drive*.
On the right, under *Complete Scan*, choose *Perform Complete Scan*.
Click *Next* to start the scan. *Please be patient while it scans your computer*.
After the scan is complete a summary box will appear. Click *OK*.
Make sure everything in the white box has a check next to it, then click *Next*.
It will quarantine what it found and if it asks if you want to reboot, click *Yes*.
To retrieve the removal information, please do the following:
After reboot, double-click the *SUPERAntispyware* icon on your desktop.
Click Preferences. Click the Statistics/Logs tab.
Under Scanner Logs, double-click *SUPERAntiSpyware* Scan Log.
It will open in your default text editor (such as Notepad/Wordpad).
Please highlight everything in the notepad, then right-click and choose copy.

Click close and close again to exit the program.
Please paste that information in your next reply along with a fresh *HijackThis log*.
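To make the reading of such a log repeatable, here is a small triage script that runs over lines copied from the HijackThis log in the first post and applies the checks the reply above makes by eye: the out-of-date JRE 1.5.0_06 (the reply asks for 6u1), entries that point at files which no longer exist, a Windows system binary name at a path outside system32 (the "Power Manager" service pointing at C:\WINDOWS\svchost.exe), unnamed BHOs, services with no publisher, Trusted Zone additions and context-menu items that call out to external URLs. This is an added example, not code from the original thread, from HijackThis or from TSG; the sample lines are copied from the posted log, and the heuristics (which binaries belong only in system32, the 1.6.0_01 threshold taken from the reply's "JRE 6u1", and the "high"/"review" labels) are this example's own assumptions.

```python
"""Triage a HijackThis 1.99.x log for the indicators raised in this thread.

Added example: not code from the original post, from HijackThis or from TSG.
SAMPLE_LOG is a constructed subset copied from the log posted above; the
heuristics (SYSTEM32_ONLY, MIN_JRE, the severity labels) are this example's
own assumptions, chosen to match what the reply above called out.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Oldest acceptable JRE: the reply asks for "JRE 6u1", i.e. 1.6.0_01 (assumption).
MIN_JRE = (1, 6, 0, 1)

# Binaries that on Windows XP live only under %SystemRoot%\system32 (assumption).
# The same file name at another path, e.g. C:\WINDOWS\svchost.exe, is a masquerade.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                 "csrss.exe", "smss.exe"}

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-2]|O\d{1,2}) - (.*)$")   # "O2 - BHO: ..."
JRE_RE = re.compile(r"jre(\d+)\.(\d+)\.(\d+)_(\d+)", re.IGNORECASE)
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll)\b", re.IGNORECASE)

# Constructed sample: lines lifted from the posted HJT log, one entry per line.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Ares\Ares.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C9571A4D-D9DF-F82F-8C0E-8BADDAE17795} - C:\WINDOWS\system32\rfnc.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJfox000
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
"""


class Finding(NamedTuple):
    severity: str            # "high" or "review"
    section: Optional[str]   # HJT section (R3, O2, O23, ...) or None for a bare path
    reason: str
    line: str


def parse_entry(line: str) -> Tuple[Optional[str], str]:
    """Split 'O2 - BHO: ...' into ('O2', 'BHO: ...'); other lines get section None."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else (None, line.strip())


def jre_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Pull (major, minor, patch, update) out of a path like ...\jre1.5.0_06\..."""
    m = JRE_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def masquerading_path(text: str) -> Optional[str]:
    """Return a path whose file name is a system32-only binary but sits elsewhere."""
    for path in PATH_RE.findall(text):
        low = path.lower()
        if low.rsplit("\\", 1)[-1] in SYSTEM32_ONLY and "\\system32\\" not in low:
            return path
    return None


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section, body = parse_entry(line)
        low = body.lower()

        bad = masquerading_path(body)
        if bad:
            findings.append(Finding("high", section, f"system binary name outside system32: {bad}", line))
        if "(file missing)" in low or "(no file)" in low:
            # Code that would be loaded into IE, winlogon or as a service is rated higher.
            sev = "high" if section in ("O2", "O20", "O23") else "review"
            findings.append(Finding(sev, section, "entry points at a file that no longer exists", line))
        ver = jre_version(body)
        if ver and ver < MIN_JRE:
            findings.append(Finding("high", section,
                                    f"outdated JRE {ver[0]}.{ver[1]}.{ver[2]}_{ver[3]:02d} (below 1.6.0_01)", line))

        if section == "O2" and "(no name)" in low:
            findings.append(Finding("review", section, "BHO with no name; verify the DLL's publisher", line))
        elif section == "O23" and "unknown owner" in low:
            findings.append(Finding("review", section, "service with no publisher", line))
        elif section == "O15":
            findings.append(Finding("review", section, "domain added to the IE Trusted Zone", line))
        elif section == "O8" and "http://" in low:
            findings.append(Finding("review", section, "context-menu item calls an external URL", line))
    return findings


def summary(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: f.severity):   # "high" sorts before "review"
        print(f"[{f.severity:6}] {f.section or '--':3} {f.reason}\n         {f.line}")
    print(summary(results))
```

Two things the labels are meant to convey: a "(no name)" BHO is only a prompt to look at the DLL, not evidence on its own, since the posted log shows Spybot's own SDHelper.dll under "(no name)" as well; and a missing file behind an O2 or O23 entry is rated "high" because the entry would load code into Internet Explorer or run it as a service if the file ever comes back, which is exactly why the helper followed up with VundoFix after reading the same lines.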


----------



## BLUEtiful (Jul 6, 2007)

Sorry, I had to restore my computer to an earlier point due to the fact that, after I followed a few of your steps I could not connect to the internet. It was after I followed the combofix step, but Vundofix found no errors. So that seems okay. I'll try downloading Superantispyware and following those steps now...


----------



## JSntgRvr (Jul 1, 2003)

BLUEtiful said:


> Sorry, I had to restore my computer to an earlier point due to the fact that, after I followed a few of your steps I could not connect to the internet. It was after I followed the combofix step, but Vundofix found no errors. So that seems okay. I'll try downloading Superantispyware and following those steps now...


Very strange reaction to Combofix. After scanning with SuperAntispyware, please download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named *WinPFind3u* on your desktop.

Open the *WinPFind3u* folder and double-click on WinPFind3U.exe to start the program.
In the *Processes* group click *Non Microsoft*.
In the *Win32 Services* group click *Non Microsoft*.
In the *Driver Services* group click *Non Microsoft*.
In the *Registry* group click *Non Microsoft*.
In the *Files Created Within* group click *60 days*. Make sure *Non-Microsoft only is UNCHECKED*.
In the *Files Modified Within* group select *30 days*. Make sure *Non-Microsoft only is UNCHECKED*.
In the *File String Search* group select *Non Microsoft*.
In the *Additional scans* section please select *All* and *uncheck* Non-Microsoft only.

Now click the *Run Scan *button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that Notepad file.
Use the *Reply* button and attach the notepad file here *(Do not copy and paste in a reply, rather attach it to it).*


----------



## BLUEtiful (Jul 6, 2007)

Thanks for your help! I really appreciate it! I'm not getting any pop-ups anymore (I guess it was the outdated Java). Do I still have to follow the steps?


----------



## JSntgRvr (Jul 1, 2003)

BLUEtiful said:


> Thanks for your help! I really appreciate it! I'm not getting any pop-ups anymore (I guess it was the outdated Java). Do I still have to follow the steps?


Please do. I would like to take a deeper look into the system. The SuperAntispyware log will also be helpful.

Although you had a bad experience with Combofix, the tool should have created a log. I would like to take a look at that log also.

Thanks!


----------



## BLUEtiful (Jul 6, 2007)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/07/2007 at 11:46 PM

Application Version : 3.9.1008

Core Rules Database Version : 3266
Trace Rules Database Version: 1277

Scan type : Complete Scan
Total Scan Time : 04:17:51

Memory items scanned : 479
Memory threats detected : 0
Registry items scanned : 6006
Registry threats detected : 37
File items scanned : 72814
File threats detected : 270

Adware.Tracking Cookie
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][4].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][4].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected]r[3].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected]_1g4b[1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][4].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][4].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected]_[1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][5].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][5].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][4].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][4].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][4].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][3].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][3].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][3].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][3].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][3].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected]almedia[1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
C:\Documents and Settings\Guest\Cookies\[email protected][3].txt

Registry Cleaner Trial
HKCR\Install.Install
HKCR\Install.Install\CLSID
HKCR\Install.Install\CurVer
HKCR\Install.Install.1
HKCR\Install.Install.1\CLSID

Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc

Virus.HiddenDragon
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager#Type
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager#Start
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager#Description
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager\Security
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager\Enum
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\PowerManager\Enum#NextInstance

Adware.ClickSpring/Outer Info Network
C:\Program Files\Outerinfo\outerinfo.ico
C:\Program Files\Outerinfo
C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Outerinfo

Trojan.Downloader-Gen/WinPop
C:\Program Files\WinPop\UnInstall.exe
C:\Program Files\WinPop

Trojan.Downloader-Gen/Inst2
C:\56.TMP

Adware.ClickSpring/Yazzle
C:\PROGRAM FILES\COMMON FILES\YAZZLE1122OINUNINSTALLER.EXE
C:\PROGRAM FILES\COMMON FILES\YAZZLE1552OINADMIN.EXE
C:\PROGRAM FILES\COMMON FILES\YAZZLE1552OINUNINSTALLER.EXE
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1122OINUNINSTALLER.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1552OINADMIN.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1552OINUNINSTALLER.EXE.VIR

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WNSAPISV.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP275\A0118660.EXE
C:\WINDOWS\IA\KE.VBS

Adware.ClickSpring/PuritySCAN
C:\WINDOWS\SYSTEM32\WNSAPISV.EXE


----------



## BLUEtiful (Jul 6, 2007)

Okay, I tried posting the WinPFind3 log several times now, and this board only allows 30000 characters. I try cutting it, but my browser freezes. Is there another way I can send you the log?


----------



## BLUEtiful (Jul 6, 2007)

Okay, I found how to attach the file. There you go.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *BLUE* 

You have a bad PurityScan Infection and a rootkit in your system. *Combofix* is the preferred tool to remove these nasties.

Look in your control panel add/remove programs for the following:

Oin
outerinfo
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin 
or anything similar with Oin or Outerinfo in it.
Zolero
Tizzletalk
MediaTickets
Cowabanga

Click on it and click remove.

Download and run the Purityscan uninstaller from *Here*

Remove the Combofix you downloaded earlier and download the latest ComboFix from *Here* or *Here* to your Desktop.


Double click *combofix.exe* and follow the prompts.
When finished, it shall produce a log for you. Post that log and a *HiJackthis* log in your next reply.
*Note: Do not mouseclick combofix's window while it's running. That may cause it to stall*

In the event you lose your connection, 

Enter your *Control Panel *and double-click on *Network Connections*
Then right click on your *Default Connection*
Usually Local Area Connection for Cable and DSL, or AOL Connection.

Left click on *Properties*
Double-Click on the *Internet Protocol (TCP/IP)* item
Select the radio dial that says *Obtain DNS Servers Automatically*
Press OK twice to get out of the properties screen
Restart the computer
Go to *Start*->*Run*->Type *CMD* and click *Ok*. The *MSDOS* Window will be displayed. At the command prompt, type the following and press *Enter* after each line:

*ipconfig /flushdns* (The space between g and / is needed)
*Exit*

Restart the computer.

If that does not resolve the issue, follow these steps:

*Reset the Internet Protocol (TCP/IP)*

Go to *Start*->*Run*, type *CMD* and click *Ok*. The *MSDOS* window will be displayed. At the prompt type the following and press Enter after each line:

*netsh int ip reset C:\Resetlog.txt
netsh winsock reset catalog
Exit*

Restart the computer.

*Warning* Programs that access or monitor the Internet such as antivirus, firewall or proxy clients may be negatively affected when you run the netsh winsock reset command. If you have a program that no longer functions correctly after you use this resolution, reinstall the program to restore functionality.

Keep me posted.
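The DNS steps in the post above (switch every connection back to *Obtain DNS Servers Automatically*, then flush the resolver cache) undo what a DNS-changing infection does: it plants static resolver addresses so that every lookup goes through servers the attacker controls. The script below is an added example, not part of the thread or of any tool named in it. It parses the text that `netsh interface ip show dns` prints on Windows XP and reports which interfaces still carry static resolvers, so the check can be repeated after the reset and after each reboot. The sample output embedded in it is constructed for the example, and the exact label wording ("Statically Configured DNS Servers", "DNS Servers configured through DHCP") is assumed from XP's netsh and may differ on other Windows versions.

```python
"""Report network interfaces whose DNS servers are statically configured.

Added example for the DNS-reset steps in the thread; not the forum's or any
tool's own code. It parses the output of `netsh interface ip show dns`
(label wording assumed from Windows XP) and flags interfaces that still
have static resolvers, which is the setting a DNS-changing trojan leaves
behind and that "Obtain DNS Servers Automatically" reverts.
"""
import re
import subprocess

# Constructed sample of `netsh interface ip show dns` output (not captured
# from the machine in the thread). One interface is DHCP-managed, one has
# two static resolvers, one has no resolver at all ("None").
SAMPLE_NETSH_OUTPUT = """\
Configuration for interface "Local Area Connection"
    DNS Servers configured through DHCP:  192.168.1.1
    Register with which suffix:           Primary only

Configuration for interface "Wireless Network Connection"
    Statically Configured DNS Servers:    203.0.113.10
                                          203.0.113.11
    Register with which suffix:           Primary only

Configuration for interface "Local Area Connection 2"
    Statically Configured DNS Servers:    None
    Register with which suffix:           Primary only
"""

IFACE_RE = re.compile(r'^Configuration for interface "(.+)"\s*$')
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_netsh_dns(text):
    """Parse netsh output into {interface: {"mode": ..., "servers": [...]}}.

    mode is "dhcp", "static" or "none". Continuation lines that hold only
    an IP address belong to the resolver list started on the line above.
    """
    result = {}
    current = None            # interface block currently being read
    reading_servers = False   # True while further IP-only lines may follow
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"mode": "none", "servers": []}
            reading_servers = False
            continue
        if current is None or not line:
            reading_servers = False
            continue
        lower = line.lower()
        is_static = lower.startswith("statically configured dns servers:")
        is_dhcp = lower.startswith("dns servers configured through dhcp:")
        if is_static or is_dhcp:
            value = line.split(":", 1)[1].strip()
            entry = result[current]
            if value.lower() == "none":
                entry["mode"] = "none"
                reading_servers = False
            else:
                entry["mode"] = "static" if is_static else "dhcp"
                if IP_RE.match(value):
                    entry["servers"].append(value)
                reading_servers = True
            continue
        if reading_servers and IP_RE.match(line):
            result[current]["servers"].append(line)
            continue
        reading_servers = False
    return result


def find_static_dns(text, allowed=()):
    """Return [(interface, servers)] for interfaces using static resolvers
    that are not in the administrator-supplied `allowed` set."""
    allowed = set(allowed)
    flagged = []
    for iface, entry in parse_netsh_dns(text).items():
        if entry["mode"] != "static":
            continue
        unexpected = [ip for ip in entry["servers"] if ip not in allowed]
        if unexpected:
            flagged.append((iface, unexpected))
    return flagged


def run_live():
    """Run netsh on the local Windows machine and return its output."""
    proc = subprocess.run(["netsh", "interface", "ip", "show", "dns"],
                          capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    # Uses the constructed sample; replace with run_live() on a real host.
    for iface, servers in find_static_dns(SAMPLE_NETSH_OUTPUT):
        print(f"static DNS on '{iface}': {', '.join(servers)}")
```

Pass the resolvers you deliberately configured (for example an internal DNS server) in `allowed` so the report only lists addresses you did not set yourself; an empty report after the reset and a reboot is the confirmation the procedure above is looking for.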


----------



## BLUEtiful (Jul 6, 2007)

"Compaq_Administrator" - 2007-07-08 20:33:11 - ComboFix 07-07-09.3 - Service Pack 2

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\COMPAQ~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\GE2DD4KU\www.broadcaster.com
C:\DOCUME~1\COMPAQ~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Program Files\Common Files\curity~1
C:\Program Files\ecurit~1
C:\Program Files\racle~1
C:\WINDOWS\crosof~1
C:\WINDOWS\IA
C:\WINDOWS\mbols~1
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\ppatch~1
C:\WINDOWS\system32\wnsxs~1

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_CORE
-------\core

((((((((((((((((((((((((( Files Created from 2007-06-09 to 2007-07-09 )))))))))))))))))))))))))))))))

2007-07-08 20:32	51,200	--a------	C:\WINDOWS\nircmd.exe
2007-07-08 18:24 d--------	C:\WINDOWS\system32\ActiveScan
2007-07-07 12:57 d--------	C:\Program Files\SUPERAntiSpyware
2007-07-07 12:57 d--------	C:\DOCUME~1\COMPAQ~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-07 12:57 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-07 09:51 d-a------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-07 04:33 d--------	C:\Program Files\Common Files\Java(2)
2007-07-06 20:05	6,033,408	--a------	C:\DOCUME~1\COMPAQ~1\ntuser.dat
2007-07-02 12:15 d--------	C:\Program Files\Nanny Mania
2007-07-02 12:14 d--------	C:\Program Files\bfgclient
2007-07-02 12:14 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\BigFishGamesCache
2007-07-02 09:52 d--------	C:\Program Files\FileASSASSIN
2007-07-02 08:06 d--------	C:\Program Files\Windows Defender
2007-07-02 07:49 d--------	C:\Program Files\Lavasoft
2007-07-02 07:49 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-07-02 07:49 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-26 21:45	180,224	--a------	C:\WINDOWS\system32\NVUNINST.EXE
2007-06-26 21:27	80,384	--a------	C:\WINDOWS\system32\charmap.exe
2007-06-26 21:26	119,808	--a------	C:\WINDOWS\system32\winmine.exe
2007-06-26 21:25	126,976	--a------	C:\WINDOWS\system32\mshearts.exe
2007-06-25 14:29	9,392	--a------	C:\WINDOWS\system32\drivers\cur_mdfl.sys
2007-06-25 14:29	79,216	--a------	C:\WINDOWS\system32\drivers\cur_serd.sys
2007-06-25 14:29	66,672	--a------	C:\WINDOWS\system32\drivers\cur_bus.sys
2007-06-25 14:29	6,272	--a------	C:\WINDOWS\system32\drivers\cur_cmnt.sys
2007-06-25 14:29	6,272	--a------	C:\WINDOWS\system32\drivers\cur_cm.sys
2007-06-25 14:29	5,872	--a------	C:\WINDOWS\system32\drivers\cur_whnt.sys
2007-06-25 14:29	5,872	--a------	C:\WINDOWS\system32\drivers\cur_wh.sys
2007-06-25 14:29	100,304	--a------	C:\WINDOWS\system32\drivers\cur_mdm.sys
2007-06-24 23:26 d--hs----	C:\found.000
2007-06-22 08:16	55,296	--a------	C:\WINDOWS\system32\freecell.exe
2007-06-16 01:15	538,624	--a------	C:\WINDOWS\system32\spider.exe
2007-06-16 00:53	271,224	--a------	C:\WINDOWS\system32\mucltui.dll
2007-06-16 00:18 d--------	C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-06-15 20:29 d--------	C:\WINDOWS\system32\PreInstall
2007-06-15 20:03	43,352	--a------	C:\WINDOWS\system32\wups2.dll
2007-06-15 20:03 d--------	C:\WINDOWS\system32\SoftwareDistribution
2007-06-15 19:55	33,792	--a------	C:\WINDOWS\system32\lmmib2.dll
2007-06-15 19:55 d----c---	C:\Inetpub
2007-06-15 19:55 d--------	C:\WINDOWS\system32\msmq
2007-06-15 19:55 d--------	C:\WINDOWS\system32\Logfiles
2007-06-15 19:42	9,392	--a------	C:\Program Files\cur_mdfl.sys
2007-06-15 19:42	79,216	--a------	C:\Program Files\cur_serd.sys
2007-06-15 19:42	66,672	--a------	C:\Program Files\cur_bus.sys
2007-06-15 19:42	64,512	--a------	C:\Program Files\Setup.exe
2007-06-15 19:42	6,800	--a------	C:\Program Files\cur_wh95.sys
2007-06-15 19:42	6,272	--a------	C:\Program Files\cur_cmnt.sys
2007-06-15 19:42	54,784	--a------	C:\Program Files\CUR_Uninstall.exe
2007-06-15 19:42	5,872	--a------	C:\Program Files\cur_whnt.sys
2007-06-15 19:42	4,112	--a------	C:\Program Files\cur_cr.sys
2007-06-15 19:42	100,304	--a------	C:\Program Files\cur_mdm.sys
2007-06-15 19:42	10,896	--a------	C:\Program Files\cur_cm95.sys
2007-06-15 01:47 d--------	C:\Program Files\Picasa2

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-08 23:00:06	--------	d-----w	C:\Program Files\DISC
2007-07-08 22:59:16	--------	d---a-w	C:\Program Files\Common Files\LightScribe
2007-07-03 02:09:53	4,122	----a-w	C:\DOCUME~1\COMPAQ~1\APPLIC~1\wklnhst.dat
2007-06-27 01:18:31	--------	d-----w	C:\Program Files\Common Files\AOL
2007-06-27 01:17:37	--------	d-----w	C:\DOCUME~1\COMPAQ~1\APPLIC~1\Novosoft
2007-06-22 12:21:43	--------	d-----w	C:\Program Files\Viewpoint
2007-06-22 12:21:34	--------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-06-22 12:21:30	--------	d-----w	C:\Program Files\Logitech
2007-06-22 12:17:57	--------	d-----w	C:\Program Files\Common Files\HP
2007-06-04 19:18:48	9,344	----a-w	C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 19:17:02	8,320	----a-w	C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 19:14:56	6,272	----a-w	C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-02 09:08:41	--------	d-----w	C:\Program Files\Common Files\Real
2007-06-02 09:08:39	--------	d-----w	C:\Program Files\Real
2007-06-02 09:07:09	--------	d-----w	C:\Program Files\Novosoft
2007-06-01 18:15:00	--------	d-----w	C:\Program Files\MB Free Tarot Reading Software
2007-06-01 14:21:43	--------	d-----w	C:\Program Files\Windows Installer Clean Up
2007-06-01 14:21:34	--------	d-----w	C:\Program Files\MSECACHE
2007-06-01 14:13:32	--------	d-----w	C:\Program Files\MyPublisher
2007-06-01 14:13:05	--------	d-----w	C:\Program Files\Yahoo! Games
2007-06-01 14:12:37	--------	d-----w	C:\Program Files\Google
2007-05-28 01:13:04	--------	d-----w	C:\Program Files\ArcSoft
2007-05-27 21:09:40	--------	d-----w	C:\Program Files\Windows NT
2007-05-20 16:49:16	--------	d-----w	C:\Program Files\Common Files\Sandlot Shared
2007-05-20 14:16:28	--------	d-----w	C:\Program Files\Pantech
2007-05-20 00:14:49	--------	d-----w	C:\Program Files\SKTeletech
2007-05-20 00:14:35	--------	d-----w	C:\Program Files\SKY TELETECH
2007-05-18 01:29:36	--------	d-----w	C:\Program Files\Nexon
2007-05-16 15:12:02	683,520	------w	C:\WINDOWS\system32\inetcomm.dll
2007-05-10 01:09:46	284	----a-w	C:\DOCUME~1\COMPAQ~1\APPLIC~1\ViewerApp.dat
2007-05-09 23:53:20	50	-c--a-w	C:\AUTOEXEC.BAT
2007-05-09 23:37:35	--------	d-----w	C:\Program Files\Sony Corporation
2007-05-09 23:37:18	--------	d-----w	C:\Program Files\Common Files\muvee Technologies
2007-04-25 14:21:15	144,896	------w	C:\WINDOWS\system32\schannel.dll
2007-04-18 21:20:14	512	-c--a-w	C:\drmHeader.bin
2007-04-18 16:12:23	2,854,400	----a-w	C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36	33,624	----a-w	C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54	1,710,936	----a-w	C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48	549,720	----a-w	C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42	325,976	----a-w	C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36	203,096	----a-w	C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28	92,504	----a-w	C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20	53,080	----a-w	C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:44:18	208,248	----a-w	C:\WINDOWS\system32\muweb.dll
2007-04-13 19:19:52	7,680	----a-w	C:\WINDOWS\system32\lsdelete.exe
2005-05-13 22:12:00	217,073	--sha-r	C:\WINDOWS\meta4.exe
2005-10-24 16:13:58	66,560	--sha-r	C:\WINDOWS\MOTA113.exe
2005-10-14 02:27:00	422,400	--sha-r	C:\WINDOWS\x2.64.exe
2005-10-07 22:14:52	308,224	--sha-r	C:\WINDOWS\system32\avisynth.dll
2005-07-14 16:31:20	27,648	--sha-r	C:\WINDOWS\system32\AVSredirect.dll
2007-03-24 14:22:53	88	--sh--r	C:\WINDOWS\system32\BEBEF39827.sys
2005-06-26 19:32:28	616,448	--sha-r	C:\WINDOWS\system32\cygwin1.dll
2005-06-22 02:37:42	45,568	--sha-r	C:\WINDOWS\system32\cygz.dll
2004-01-25 03:00:00	70,656	--sha-r	C:\WINDOWS\system32\i420vfw.dll
2007-03-24 14:22:53	848	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
2006-04-27 14:24:24	2,945,024	--sha-r	C:\WINDOWS\system32\Smab.dll
2005-02-28 17:16:22	240,128	--sha-r	C:\WINDOWS\system32\x.264.exe
2004-01-25 03:00:00	70,656	--sha-r	C:\WINDOWS\system32\yv12vfw.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 04:16	59032	--a------	C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}]
2006-11-29 17:26	135249	--a------	C:\Program Files\NetConceal\Anonymity Shield\ProxyNew.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04	853672	--a------	C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2005-11-10 23:22	184423	--a------	C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AAAE832A-5FFF-4661-9C8F-369692D1DCB9}]
2006-08-08 09:44	208896	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3534348-D283-AD0D-D10D-8FADAFE575E6}]
C:\WINDOWS\system32\buqttx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C9571A4D-D9DF-F82F-8C0E-8BADDAE17795}]
C:\WINDOWS\system32\rfnc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-05-09 15:50 C:\WINDOWS\system32\nwiz.exe]
"ftutil2"="ftutil2.dll" [2004-06-07 17:05 C:\WINDOWS\system32\ftutil2.dll]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 02:19 C:\WINDOWS\arpwrmsg.exe]
"UserFaultCheck"="%systemroot%\system32\dumprep 0 -u" []
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 23:05 C:\WINDOWS\RTHDCPL.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"PCDrProfiler"="" []
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 12:45]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 01:34]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 09:11]
"BitPump"="C:\Program Files\AnalogX\BitPump\bitpump.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Novosoft Office Backup"="C:\Program Files\Novosoft\Novosoft Office Backup\hbagent.exe" []
"Handy Backup 3.1"="C:\Program Files\Novosoft\Novosoft Office Backup\hbagent.exe" []
"ares"="C:\Program Files\Ares\Ares.exe" [2007-05-14 18:37]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" [2005-07-28 17:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
~~\SafeBoot\Minimal\dmserver

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1166619888\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
"C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
"C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

Contents of the 'Scheduled Tasks' folder
2007-07-09 00:41:23 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-08 21:22:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-08 21:25:00 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-08 21:24
C:\ComboFix2.txt ... 2007-07-07 04:50

--- E O F ---


----------



## JSntgRvr (Jul 1, 2003)

Hi, *BLUE*


*Copy the entire contents of the Quote Box* below to *Notepad*. 
Name the file as *ComboFix-Do.txt* 
Change the *Save as Type* to *All Files* 
and *Save* it on the *desktop* 



> File::
> C:\57.tmp
> C:\F94.tmp
> C:\F95.tmp
> ...


Once saved, referring to the picture above, drag *ComboFix-Do.txt* into *ComboFix.exe*, and post back the resulting report along with a fresh Hijackthis log.


----------



## BLUEtiful (Jul 6, 2007)

"Compaq_Administrator" - 2007-07-09 22:03:32 - ComboFix 07-07-09.3 - Service Pack 2

((((((((((((((((((((((((( Files Created from 2007-06-10 to 2007-07-10 )))))))))))))))))))))))))))))))

2007-07-08 20:32	51,200	--a------	C:\WINDOWS\nircmd.exe
2007-07-08 18:24 d--------	C:\WINDOWS\system32\ActiveScan
2007-07-07 12:57 d--------	C:\Program Files\SUPERAntiSpyware
2007-07-07 12:57 d--------	C:\DOCUME~1\COMPAQ~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-07 12:57 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-07 09:51 d-a------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-07 04:33 d--------	C:\Program Files\Common Files\Java(2)
2007-07-06 20:05	6,033,408	--a------	C:\DOCUME~1\COMPAQ~1\ntuser.dat
2007-07-02 12:15 d--------	C:\Program Files\Nanny Mania
2007-07-02 12:14 d--------	C:\Program Files\bfgclient
2007-07-02 12:14 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\BigFishGamesCache
2007-07-02 09:52 d--------	C:\Program Files\FileASSASSIN
2007-07-02 08:06 d--------	C:\Program Files\Windows Defender
2007-07-02 07:49 d--------	C:\Program Files\Lavasoft
2007-07-02 07:49 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-07-02 07:49 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-26 21:45	180,224	--a------	C:\WINDOWS\system32\NVUNINST.EXE
2007-06-26 21:27	80,384	--a------	C:\WINDOWS\system32\charmap.exe
2007-06-26 21:26	119,808	--a------	C:\WINDOWS\system32\winmine.exe
2007-06-26 21:25	126,976	--a------	C:\WINDOWS\system32\mshearts.exe
2007-06-25 14:29	9,392	--a------	C:\WINDOWS\system32\drivers\cur_mdfl.sys
2007-06-25 14:29	79,216	--a------	C:\WINDOWS\system32\drivers\cur_serd.sys
2007-06-25 14:29	66,672	--a------	C:\WINDOWS\system32\drivers\cur_bus.sys
2007-06-25 14:29	6,272	--a------	C:\WINDOWS\system32\drivers\cur_cmnt.sys
2007-06-25 14:29	6,272	--a------	C:\WINDOWS\system32\drivers\cur_cm.sys
2007-06-25 14:29	5,872	--a------	C:\WINDOWS\system32\drivers\cur_whnt.sys
2007-06-25 14:29	5,872	--a------	C:\WINDOWS\system32\drivers\cur_wh.sys
2007-06-25 14:29	100,304	--a------	C:\WINDOWS\system32\drivers\cur_mdm.sys
2007-06-24 23:26 d--hs----	C:\found.000
2007-06-22 08:16	55,296	--a------	C:\WINDOWS\system32\freecell.exe
2007-06-16 01:15	538,624	--a------	C:\WINDOWS\system32\spider.exe
2007-06-16 00:53	271,224	--a------	C:\WINDOWS\system32\mucltui.dll
2007-06-16 00:18 d--------	C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-06-15 20:29 d--------	C:\WINDOWS\system32\PreInstall
2007-06-15 20:03	43,352	--a------	C:\WINDOWS\system32\wups2.dll
2007-06-15 20:03 d--------	C:\WINDOWS\system32\SoftwareDistribution
2007-06-15 19:55	33,792	--a------	C:\WINDOWS\system32\lmmib2.dll
2007-06-15 19:55 d----c---	C:\Inetpub
2007-06-15 19:55 d--------	C:\WINDOWS\system32\msmq
2007-06-15 19:55 d--------	C:\WINDOWS\system32\Logfiles
2007-06-15 19:42	9,392	--a------	C:\Program Files\cur_mdfl.sys
2007-06-15 19:42	79,216	--a------	C:\Program Files\cur_serd.sys
2007-06-15 19:42	66,672	--a------	C:\Program Files\cur_bus.sys
2007-06-15 19:42	64,512	--a------	C:\Program Files\Setup.exe
2007-06-15 19:42	6,800	--a------	C:\Program Files\cur_wh95.sys
2007-06-15 19:42	6,272	--a------	C:\Program Files\cur_cmnt.sys
2007-06-15 19:42	54,784	--a------	C:\Program Files\CUR_Uninstall.exe
2007-06-15 19:42	5,872	--a------	C:\Program Files\cur_whnt.sys
2007-06-15 19:42	4,112	--a------	C:\Program Files\cur_cr.sys
2007-06-15 19:42	100,304	--a------	C:\Program Files\cur_mdm.sys
2007-06-15 19:42	10,896	--a------	C:\Program Files\cur_cm95.sys
2007-06-15 01:47 d--------	C:\Program Files\Picasa2

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-09 23:14:33	5,546	----a-w	C:\DOCUME~1\COMPAQ~1\APPLIC~1\wklnhst.dat
2007-07-09 18:57:15	--------	d-----w	C:\DOCUME~1\COMPAQ~1\APPLIC~1\Template
2007-07-08 23:00:06	--------	d-----w	C:\Program Files\DISC
2007-07-08 22:59:16	--------	d---a-w	C:\Program Files\Common Files\LightScribe
2007-06-27 01:18:31	--------	d-----w	C:\Program Files\Common Files\AOL
2007-06-27 01:17:37	--------	d-----w	C:\DOCUME~1\COMPAQ~1\APPLIC~1\Novosoft
2007-06-22 12:21:43	--------	d-----w	C:\Program Files\Viewpoint
2007-06-22 12:21:34	--------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-06-22 12:21:30	--------	d-----w	C:\Program Files\Logitech
2007-06-22 12:17:57	--------	d-----w	C:\Program Files\Common Files\HP
2007-06-04 19:18:48	9,344	----a-w	C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 19:17:02	8,320	----a-w	C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 19:14:56	6,272	----a-w	C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-02 09:08:41	--------	d-----w	C:\Program Files\Common Files\Real
2007-06-02 09:08:39	--------	d-----w	C:\Program Files\Real
2007-06-02 09:07:09	--------	d-----w	C:\Program Files\Novosoft
2007-06-01 18:15:00	--------	d-----w	C:\Program Files\MB Free Tarot Reading Software
2007-06-01 14:21:43	--------	d-----w	C:\Program Files\Windows Installer Clean Up
2007-06-01 14:21:34	--------	d-----w	C:\Program Files\MSECACHE
2007-06-01 14:13:32	--------	d-----w	C:\Program Files\MyPublisher
2007-06-01 14:13:05	--------	d-----w	C:\Program Files\Yahoo! Games
2007-06-01 14:12:37	--------	d-----w	C:\Program Files\Google
2007-05-28 01:13:04	--------	d-----w	C:\Program Files\ArcSoft
2007-05-27 21:09:40	--------	d-----w	C:\Program Files\Windows NT
2007-05-20 16:49:16	--------	d-----w	C:\Program Files\Common Files\Sandlot Shared
2007-05-20 14:16:28	--------	d-----w	C:\Program Files\Pantech
2007-05-20 00:14:49	--------	d-----w	C:\Program Files\SKTeletech
2007-05-20 00:14:35	--------	d-----w	C:\Program Files\SKY TELETECH
2007-05-18 01:29:36	--------	d-----w	C:\Program Files\Nexon
2007-05-16 15:12:02	683,520	------w	C:\WINDOWS\system32\inetcomm.dll
2007-05-10 01:09:46	284	----a-w	C:\DOCUME~1\COMPAQ~1\APPLIC~1\ViewerApp.dat
2007-05-09 23:53:20	50	-c--a-w	C:\AUTOEXEC.BAT
2007-04-25 14:21:15	144,896	------w	C:\WINDOWS\system32\schannel.dll
2007-04-18 21:20:14	512	-c--a-w	C:\drmHeader.bin
2007-04-18 16:12:23	2,854,400	----a-w	C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36	33,624	----a-w	C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54	1,710,936	----a-w	C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48	549,720	----a-w	C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42	325,976	----a-w	C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36	203,096	----a-w	C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28	92,504	----a-w	C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20	53,080	----a-w	C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:44:18	208,248	----a-w	C:\WINDOWS\system32\muweb.dll
2007-04-13 19:19:52	7,680	----a-w	C:\WINDOWS\system32\lsdelete.exe
2005-05-13 22:12:00	217,073	--sha-r	C:\WINDOWS\meta4.exe
2005-10-24 16:13:58	66,560	--sha-r	C:\WINDOWS\MOTA113.exe
2005-10-14 02:27:00	422,400	--sha-r	C:\WINDOWS\x2.64.exe
2005-10-07 22:14:52	308,224	--sha-r	C:\WINDOWS\system32\avisynth.dll
2005-07-14 16:31:20	27,648	--sha-r	C:\WINDOWS\system32\AVSredirect.dll
2007-03-24 14:22:53	88	--sh--r	C:\WINDOWS\system32\BEBEF39827.sys
2005-06-26 19:32:28	616,448	--sha-r	C:\WINDOWS\system32\cygwin1.dll
2005-06-22 02:37:42	45,568	--sha-r	C:\WINDOWS\system32\cygz.dll
2004-01-25 03:00:00	70,656	--sha-r	C:\WINDOWS\system32\i420vfw.dll
2007-03-24 14:22:53	848	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
2006-04-27 14:24:24	2,945,024	--sha-r	C:\WINDOWS\system32\Smab.dll
2005-02-28 17:16:22	240,128	--sha-r	C:\WINDOWS\system32\x.264.exe
2004-01-25 03:00:00	70,656	--sha-r	C:\WINDOWS\system32\yv12vfw.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 04:16	59032	--a------	C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}]
2006-11-29 17:26	135249	--a------	C:\Program Files\NetConceal\Anonymity Shield\ProxyNew.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04	853672	--a------	C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2005-11-10 23:22	184423	--a------	C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AAAE832A-5FFF-4661-9C8F-369692D1DCB9}]
2006-08-08 09:44	208896	--a------	C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3534348-D283-AD0D-D10D-8FADAFE575E6}]
C:\WINDOWS\system32\buqttx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C9571A4D-D9DF-F82F-8C0E-8BADDAE17795}]
C:\WINDOWS\system32\rfnc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-05-09 15:50 C:\WINDOWS\system32\nwiz.exe]
"ftutil2"="ftutil2.dll" [2004-06-07 17:05 C:\WINDOWS\system32\ftutil2.dll]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 02:19 C:\WINDOWS\arpwrmsg.exe]
"UserFaultCheck"="%systemroot%\system32\dumprep 0 -u" []
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 23:05 C:\WINDOWS\RTHDCPL.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"PCDrProfiler"="" []
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 12:45]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 01:34]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 09:11]
"BitPump"="C:\Program Files\AnalogX\BitPump\bitpump.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Novosoft Office Backup"="C:\Program Files\Novosoft\Novosoft Office Backup\hbagent.exe" []
"Handy Backup 3.1"="C:\Program Files\Novosoft\Novosoft Office Backup\hbagent.exe" []
"ares"="C:\Program Files\Ares\Ares.exe" [2007-05-14 18:37]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" [2005-07-28 17:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
~~\SafeBoot\Minimal\dmserver

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1166619888\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
"C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
"C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

Contents of the 'Scheduled Tasks' folder
2007-07-10 02:04:48 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-09 22:12:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-09 22:12:50
C:\ComboFix-quarantined-files.txt ... 2007-07-09 22:12
C:\ComboFix2.txt ... 2007-07-08 21:25
C:\ComboFix3.txt ... 2007-07-07 04:50

--- E O F ---


----------



## JSntgRvr (Jul 1, 2003)

Let me see a Hijackthis log and let me know how is the computer doing.


----------



## BLUEtiful (Jul 6, 2007)

Logfile of HijackThis v1.99.1
Scan saved at 12:22:35 AM, on 7/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\NetConceal\Anonymity Shield\ProxyNew.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: (no name) - {C3534348-D283-AD0D-D10D-8FADAFE575E6} - C:\WINDOWS\system32\buqttx.dll (file missing)
O2 - BHO: (no name) - {C9571A4D-D9DF-F82F-8C0E-8BADDAE17795} - C:\WINDOWS\system32\rfnc.dll (file missing)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [BitPump] "C:\Program Files\AnalogX\BitPump\bitpump.exe" /VerifySettings
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Novosoft Office Backup] C:\Program Files\Novosoft\Novosoft Office Backup\hbagent.exe -logon
O4 - HKCU\..\Run: [Handy Backup 3.1] C:\Program Files\Novosoft\Novosoft Office Backup\hbagent.exe -logon
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with BitPump - C:\Program Files\AnalogX\BitPump\ieint.htm
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181952181718
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181953426250
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe


----------



## JSntgRvr (Jul 1, 2003)

Hi, *BLUE* 

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {C3534348-D283-AD0D-D10D-8FADAFE575E6} - C:\WINDOWS\system32\buqttx.dll (file missing)
O2 - BHO: (no name) - {C9571A4D-D9DF-F82F-8C0E-8BADDAE17795} - C:\WINDOWS\system32\rfnc.dll (file missing)

*Now* close all windows and browsers, *other than HiJackThis*, then click Fix Checked.

Close Hijackthis.

The rest of the log looks clear. Congratulations.

Your *Java* is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of *Java* components and upgrade the application. *Beware it is NOT supported for use in 9x or ME and probably will not install in those systems*

*Upgrading Java*:

Download the latest version of *Java Runtime Environment (JRE) 6u2*.
Scroll down to where it says "*The J2SE Runtime Environment (JRE) allows end-users to run Java applications*".
Click the "*Download*" button to the right.
Check the box that says: "*Accept License Agreement*".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove *programs and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.

*Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.*

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

*Create a Restore point*:

Click *Start*, point to *All Programs*, point to *Accessories*, point to *System Tools*, and then click *System Restore*.
In the System Restore dialog box, click *Create a restore point*, and then click *Next*. 
Type a description for your restore point, such as "After Cleanup", then click *Create*.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
*Spybot Search & Destroy* - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

*AdAware* - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

SpywareBlaster - Great prevention tool to keep nasties from installing on your system.

*IE-SpyAd* - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

*CleanUP*! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

Windows Updates - It is *very important* to make sure that both Internet Explorer and Windows are kept current with *the latest critical security patches* from Microsoft. To do this just start *Internet Explorer* and select *Tools > Windows Update*, and follow the online instructions from there.

*Google Toolbar* - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

*Trillian* or *Miranda-IM* - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read *this* article by Tony Klein.

Click *Here* for some advice from our security Experts.

Please use the thread's Tools and mark this thread as "*Solved*".

Best wishes!
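The two O2 entries flagged above are Browser Helper Objects whose CLSID is still registered but whose DLL (buqttx.dll, rfnc.dll) is gone, which is what HijackThis reports as "(file missing)". The script below is an added example, not part of this thread or of HijackThis; it reproduces that check against the live registry so an administrator can spot orphaned or suspicious BHO registrations without a third-party tool. It assumes the standard BHO registration key and CLSID\InprocServer32 layout, and that it is run from an elevated PowerShell prompt on the machine being checked.

```powershell
# Added example: list every registered Browser Helper Object, resolve its CLSID
# to the DLL that Internet Explorer would load, and report whether that DLL
# still exists. An entry with Status 'file missing' matches the HijackThis
# "O2 - BHO: ... (file missing)" condition and can be removed safely.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Resolve-BhoPath {
    # Return the DLL path behind a CLSID, or $null if no InprocServer32 is registered.
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $inproc = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -Path $inproc) {
            $raw = (Get-ItemProperty -Path $inproc).'(default)'
            if ($raw) {
                # Paths may be quoted or contain %SystemRoot%-style variables.
                return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
            }
        }
    }
    return $null
}

function Get-BhoStatus {
    # One record per registered BHO: CLSID, resolved DLL path, and status.
    if (-not (Test-Path -Path $bhoKey)) { return @() }
    Get-ChildItem -Path $bhoKey | ForEach-Object {
        $clsid = $_.PSChildName
        $path  = Resolve-BhoPath -Clsid $clsid
        $status = if (-not $path) { 'no InprocServer32' }
                  elseif (Test-Path -LiteralPath $path) { 'present' }
                  else { 'file missing' }
        [pscustomobject]@{ CLSID = $clsid; Path = $path; Status = $status }
    }
}

# Orphaned entries first, so they stand out; 'present' entries still deserve
# a look when the DLL sits in System32 with a random-looking name.
Get-BhoStatus | Sort-Object Status | Format-Table -AutoSize
```

On a 64-bit system the 32-bit IE registrations live under the Wow6432Node subkeys as well; point `$bhoKey` and the CLSID roots there to cover them.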


----------



## BLUEtiful (Jul 6, 2007)

Hey, thanks a lot! Your directions were easy to follow and understand. Again, thanks.  :up:


----------

