# Solved: "Explorer.exe" process keeps running, IE Windows intermittently open, "Generic.dx"



## sandjosh (Jul 30, 2007)

Hi TechGuy,

I'm having some recent problems on my laptop. When I log-in and start using it, the performance starts slowing down. When I look at the Task Manager, I notice that the task called Explorer.exe takes up a lot of my CPU. In a couple of minutes, I also start getting Internet Explorer windows to pop-up on my screen (I normally use Firefox) with advertisements suggesting that my computer is infected and some software downloads that could help. I recently installed McAfee Total Works, or whatever they call their 10-in-1 software which is supposed to do it all. I ran several scans, and on some of them, if did find and disable the Generic.dx trojan. Even though it claims it is doing something, I don't notice any changes - Explorer.exe continues to bog me down, and the IE windows keep popping up to the point that I cannot use my computer effectively anymore.

IBM T-40 laptop (about three and a half years old)
Microsoft XP-Professional

Any pointers would be truly appreciated!!

Thanks,
Sandjosh


----------



## MFDnNC (Sep 7, 2004)

*Click here* to download *HJTInstall.exe*

Save *HJTInstall.exe* to your desktop.
Doubleclick on the *HJTInstall.exe* icon on your desktop.
By default it will install to *C:\Program Files\Trend Micro\HijackThis* . 
Click on *Install*.
It will create a HijackThis icon on the desktop.
Once installed, it will launch *Hijackthis*.
Click on the *Do a system scan and save a logfile* button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


----------



## sandjosh (Jul 30, 2007)

Hi MFGnNC,

Here is the log from HijackThis:

****************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:07 AM, on 7/30/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Web Buying\v1.8.0\webbuying.exe
C:\WINDOWS\F?nts\dllhost.exe
D:\Data\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WebDrive\wdService.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Mcafee\MWL\MwlGui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mcafee\MWL\MwlSvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [MWLExe] C:\Program Files\Mcafee\MWL\MWLGuiSt.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\System32\wfcaojcg.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.0\webbuying.exe
O4 - HKCU\..\Run: [Esar] "C:\PROGRA~1\COMMON~1\CROSOF~1.NET\wuaclt.exe" -vt yazb
O4 - HKCU\..\Run: [Qxkb] C:\WINDOWS\F?nts\dllhost.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P2 /q C:\DOCUME~1\userid\Cookies\SJAC82~1.SH! C:\DOCUME~1\userid\Cookies\SJ7FD0~1.SH! C:\DOCUME~1\userid\Cookies\SJ7B99~1.SH! C:\DOCUME~1\userid\Cookies\SJ8D92~1.SH! C:\DOCUME~1\userid\Cookies\SJCCC0~1.SH! C:\DOCUME~1\userid\Cookies\SJE08F~1.SH! C:\DOCUME~1\userid\Cookies\SJ8137~1.SH! C:\DOCUME~1\userid\Cookies\SJ9F3E~1.SH! C:\DOCUME~1\userid\Cookies\SJE9D6~1.SH! C:\DOCUME~1\userid\Cookies\SJ7586~1.SH! C:\DOCUME~1\userid\Cookies\SJ6997~1.SH! C:\DOCUME~1\userid\Cookies\SJF54C~1.SH! C:\DOCUME~1\userid\Cookies\SJAC43~1.SH! C:\DOCUME~1\userid\Cookies\SJ4701~1.SH! C:\DOCUME~1\userid\Cookies\SJ9FC0~1.SH! C:\DOCUME~1\userid\Cookies\SJBFB2~1.SH! C:\DOCUME~1\userid\Cookies\SJ05CB~1.SH! C:\DOCUME~1\userid\Cookies\SJF180~1.SH! C:\DOCUME~1\userid\Cookies\SJC46B~1.SH! C:\DOCUME~1\userid\Cookies\SJ5B66~1.SH! C:\DOCUME~1\userid\Cookies\SJ2B65~1.SH! C:\DOCUME~1\userid\Cookies\SJ26C2~1.SH! C:\DOCUME~1\userid\Cookies\SJ3100~1.SH! C:\DOCUME~1\userid\Co
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TISKY009.exe
O4 - Startup: palmOne Registration.lnk = D:\Data\Palm\register.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = D:\Data\Palm\Hotsync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\WebDrive\wdService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\profsy.html

--
End of file - 13139 bytes

****************

Thanks,
-Sandjosh


----------



## MFDnNC (Sep 7, 2004)

BTW - Welcome to TSG!
===========
*NOTE: If you have downloaded ComboFix previously please delete that version and download it again!*

Download this file :

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
or
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply

Note: 
Do not mouseclick combofix's window while its running. That may cause it to stall

==============
Download Superantispyware (SAS) free home version

http://www.superantispyware.com/superantispywarefreevspro.html

Install it and double-click the icon on your desktop to run it.
·	It will ask if you want to update the program definitions, click Yes.
·	Under Configuration and Preferences, click the Preferences button.
·	Click the Scanning Control tab.
·	Under Scanner Options make sure the following are checked:
o	Close browsers before scanning
o	Scan for tracking cookies
o	Terminate memory threats before quarantining.
o	Please leave the others unchecked.
o	Click the Close button to leave the control center screen.
·	On the main screen, under Scan for Harmful Software click Scan your computer.
·	On the left check C:\Fixed Drive.
·	On the right, under Complete Scan, choose Perform Complete Scan.
·	Click Next to start the scan. Please be patient while it scans your computer.
·	After the scan is complete a summary box will appear. Click OK.
·	Make sure everything in the white box has a check next to it, then click Next.
·	It will quarantine what it found and if it asks if you want to reboot, click Yes.
·	To retrieve the removal information for me please do the following:
o	After reboot, double-click the SUPERAntispyware icon on your desktop.
o	Click Preferences. Click the Statistics/Logs tab.
o	Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o	It will open in your default text editor (such as Notepad/Wordpad).
o	Please highlight everything in the notepad, then right-click and choose copy.
·	Click close and close again to exit the program.
·	Please paste that information here for me *with a new HijackThis log*.

This will take some time!!!!!!!!


----------



## sandjosh (Jul 30, 2007)

Hi MFDnNc,

Here is the log from ComboFix:

ComboFix 07-07-30.2 - "sjoshi" 2007-07-30 11:00:40.1 [GMT -7:00] - *FAT32* 
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.True
* Created a new restore point

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\hgghgdb.dll 
C:\WINDOWS\system32\yrdupulk.dll 
C:\WINDOWS\system32\kcguixll.dll 
C:\WINDOWS\system32\pqbtmebb.exe 
C:\WINDOWS\system32\ucvksynp.exe 
C:\WINDOWS\system32\yrdupulk.dll 
C:\WINDOWS\system32\hgghgdb.dll 
C:\WINDOWS\system32\gffhk.ini 
C:\WINDOWS\system32\gffhk.tmp 
C:\WINDOWS\system32\gffhk.bak1 
C:\WINDOWS\system32\gffhk.bak2 
C:\WINDOWS\system32\gffhk.ini2 
C:\WINDOWS\system32\gffhk.ini 
C:\WINDOWS\system32\gffhk.tmp 
C:\WINDOWS\system32\gffhk.bak1 
C:\WINDOWS\system32\gffhk.bak2 
C:\WINDOWS\system32\gffhk.ini2 
C:\WINDOWS\system32\khffg.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\Documents and Settings\userid.\err.log
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\Program Files\MSN\profsy.html
C:\Program Files\Online Services\hokeqobi83122.dll
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\poolsv
C:\Program Files\poolsv\k11u72.exe
C:\Program Files\poolsv\YazzleBundle-1549.exe
C:\Program Files\svhost
C:\Program Files\web buying
C:\Program Files\web buying\v1.8.0\wbuninst.exe
C:\Program Files\web buying\v1.8.0\webbuying.exe
C:\Program Files\winantispyware 2007
C:\Program Files\winantispyware 2007\RTMonitor.dat\0da3aaf3b3d44a7217892792\c4cbb9c5638e49b34bea80ae\0cdc70c33e6644bd15299ab9\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\0da3aaf3b3d44a7217892792\c4cbb9c5638e49b34bea80ae\0cdc70c33e6644bd15299ab9\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\0da3aaf3b3d44a7217892792\c4cbb9c5638e49b34bea80ae\0cdc70c33e6644bd15299ab9\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\0da3aaf3b3d44a7217892792\c4cbb9c5638e49b34bea80ae\5125a458ec784513c4b4abb7\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\0da3aaf3b3d44a7217892792\c4cbb9c5638e49b34bea80ae\5125a458ec784513c4b4abb7\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\0da3aaf3b3d44a7217892792\c4cbb9c5638e49b34bea80ae\5125a458ec784513c4b4abb7\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\0da3aaf3b3d44a7217892792\c4cbb9c5638e49b34bea80ae\8f79e33a213748eedc26b78b\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\0da3aaf3b3d44a7217892792\c4cbb9c5638e49b34bea80ae\8f79e33a213748eedc26b78b\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\0da3aaf3b3d44a7217892792\c4cbb9c5638e49b34bea80ae\8f79e33a213748eedc26b78b\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\0da3aaf3b3d44a7217892792\c4cbb9c5638e49b34bea80ae\b44e7b1a70fc49546d535cb0\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\0da3aaf3b3d44a7217892792\c4cbb9c5638e49b34bea80ae\b44e7b1a70fc49546d535cb0\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\0da3aaf3b3d44a7217892792\c4cbb9c5638e49b34bea80ae\b44e7b1a70fc49546d535cb0\#name
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\fnts~1
C:\WINDOWS\fnts~1\dllhost.exe
C:\WINDOWS\rau001978.exe
C:\WINDOWS\system32\b10FdUe
C:\WINDOWS\system32\bqnbytaf.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\htvdrrtn.exe
C:\WINDOWS\system32\jdotldtw.exe
C:\WINDOWS\system32\L1
C:\WINDOWS\system32\L1\mwspasrt83122.exe
C:\WINDOWS\system32\L11
C:\WINDOWS\system32\L3
C:\WINDOWS\system32\L3\wr716.exe
C:\WINDOWS\system32\L5
C:\WINDOWS\system32\L7
C:\WINDOWS\system32\L9
C:\WINDOWS\system32\puisjgbh.exe
C:\WINDOWS\system32\sumwqoad.exe
C:\WINDOWS\system32\vupinxac.exe
C:\WINDOWS\system32\vxamgig.dll
C:\WINDOWS\system32\wapiicom.exe
C:\WINDOWS\system32\win
C:\WINDOWS\system32\yceitujd.exe
C:\WINDOWS\wr.txt

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_CORE
-------\LEGACY_FOPN
-------\core

((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-30 )))))))))))))))))))))))))))))))

2007-07-30 10:58	51,200	--a------	C:\WINDOWS\nircmd.exe
2007-07-30 10:47 d--------	C:\Program Files\Trend Micro
2007-07-29 21:36	126,016	--a------	C:\WINDOWS\system32\wfcaojcg.dll
2007-07-29 20:58	126,016	--a------	C:\WINDOWS\system32\utwsqwrm.dll
2007-07-29 18:26	126,016	--a------	C:\WINDOWS\system32\rhbtdsvy.dll
2007-07-28 16:30	126,016	--a------	C:\WINDOWS\system32\vmoiwnfa.dll
2007-07-28 15:17	126,016	--a------	C:\WINDOWS\system32\yguqcqye.dll
2007-07-25 18:30 d--------	C:\Program Files\SiteAdvisor
2007-07-25 18:30 d--------	C:\DOCUME~1\userid\APPLIC~1\SiteAdvisor
2007-07-25 18:30 d--------	C:\DOCUME~1\LOCALS~1\APPLIC~1\SiteAdvisor
2007-07-25 18:30 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\SiteAdvisor
2007-07-25 18:27	86,848	--a------	C:\WINDOWS\system32\drivers\WscNetDr.sys
2007-07-25 18:25	143,360	---------	C:\WINDOWS\system32\dunzip32.dll
2007-07-25 18:23	71,496	--a------	C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-07-25 18:23	37,480	--a------	C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-07-25 18:23	34,184	--a------	C:\WINDOWS\system32\drivers\mfebopk.sys
2007-07-25 18:23	32,008	--a------	C:\WINDOWS\system32\drivers\mferkdk.sys
2007-07-25 18:23	170,408	--a------	C:\WINDOWS\system32\drivers\mfehidk.sys
2007-07-25 18:22	109,608	--a------	C:\WINDOWS\system32\drivers\Mpfp.sys
2007-07-25 18:19 d--------	C:\Program Files\Common Files\McAfee
2007-07-25 18:11 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-07-23 20:11 d--------	C:\DOCUME~1\userid\APPLIC~1\AdobeAUM
2007-07-22 13:10	171,520	--a------	C:\WINDOWS\system32\fyjmrta.dll
2007-07-22 13:09 d--------	C:\Temp\brr
2007-07-22 13:09 d--------	C:\Temp\0c2
2007-07-22 13:09 d--------	C:\Temp
2007-07-21 10:20 d--------	C:\DOCUME~1\userid\WINDOWS
2007-07-21 06:42 d--------	C:\Program Files\iTunes
2007-07-21 06:42 d--------	C:\Program Files\iPod
2007-06-09 15:58 d--------	C:\DOCUME~1\userid\APPLIC~1\Sony Corporation
2007-06-09 15:50	62,744	--a------	C:\WINDOWS\system32\xinput1_2.dll
2007-06-09 15:50	236,824	--a------	C:\WINDOWS\system32\xactengine2_3.dll
2007-06-09 15:49	2,297,552	--a------	C:\WINDOWS\system32\d3dx9_26.dll
2007-06-09 15:47	974,848	--a------	C:\WINDOWS\system32\dxdiag.exe
2007-06-09 15:47	83,968	--a------	C:\WINDOWS\system32\drivers\nabtsfec.sys
2007-06-09 15:47	797,184	--a------	C:\WINDOWS\system32\d3dim700.dll
2007-06-09 15:47	79,360	--a------	C:\WINDOWS\system32\dpwsockx.dll
2007-06-09 15:47	77,824	--a------	C:\WINDOWS\system32\dpmodemx.dll
2007-06-09 15:47	723,968	--a------	C:\WINDOWS\system32\dpnet.dll
2007-06-09 15:47	68,096	--a------	C:\WINDOWS\system32\dpnhupnp.dll
2007-06-09 15:47	63,768	--a------	C:\WINDOWS\system32\dxdllreg.exe
2007-06-09 15:47	52,096	--a------	C:\WINDOWS\system32\drivers\msdv.sys
2007-06-09 15:47	491,520	--a------	C:\WINDOWS\system32\dsdmoprp.dll
2007-06-09 15:47	48,512	--a------	C:\WINDOWS\system32\drivers\stream.sys
2007-06-09 15:47	470,528	--a------	C:\WINDOWS\system32\qdvd.dll
2007-06-09 15:47	47,104	--a------	C:\WINDOWS\system32\wstdecod.dll
2007-06-09 15:47	381,952	--a------	C:\WINDOWS\system32\dsound.dll
2007-06-09 15:47	381,952	--a------	C:\WINDOWS\system32\dpvoice.dll
2007-06-09 15:47	354,816	--a------	C:\WINDOWS\system32\psisdecd.dll
2007-06-09 15:47	324,096	--a------	C:\WINDOWS\system32\mswebdvd.dll
2007-06-09 15:47	32,768	--a------	C:\WINDOWS\system32\dpnhpast.dll
2007-06-09 15:47	316,928	--a------	C:\WINDOWS\system32\qdv.dll
2007-06-09 15:47	292,864	--a------	C:\WINDOWS\system32\ddraw.dll
2007-06-09 15:47	257,024	--a------	C:\WINDOWS\system32\qcap.dll
2007-06-09 15:47	230,400	--a------	C:\WINDOWS\system32\dplayx.dll
2007-06-09 15:47	181,248	--a------	C:\WINDOWS\system32\dmime.dll
2007-06-09 15:47	18,688	--a------	C:\WINDOWS\system32\drivers\wstcodec.sys
2007-06-09 15:47	16,896	--a------	C:\WINDOWS\system32\msyuv.dll
2007-06-09 15:47	16,384	--a------	C:\WINDOWS\system32\drivers\ccdecode.sys
2007-06-09 15:47	15,104	--a------	C:\WINDOWS\system32\drivers\mpe.sys
2007-06-09 15:47	14,976	--a------	C:\WINDOWS\system32\drivers\streamip.sys
2007-06-09 15:47	132,608	--a------	C:\WINDOWS\system32\devenum.dll
2007-06-09 15:47	122,880	--a------	C:\WINDOWS\system32\dmusic.dll
2007-06-09 15:47	11,392	--a------	C:\WINDOWS\system32\drivers\bdasup.sys
2007-06-09 15:47	10,880	--a------	C:\WINDOWS\system32\drivers\slip.sys
2007-06-09 15:47	10,112	--a------	C:\WINDOWS\system32\drivers\ndisip.sys
2007-06-09 15:47	1,798,144	--a------	C:\WINDOWS\system32\qedit.dll
2007-06-09 15:47	1,769,472	--a------	C:\WINDOWS\system32\dxdiagn.dll
2007-06-09 15:47	1,703,936	--a------	C:\WINDOWS\system32\d3d9.dll
2007-06-09 15:47	1,230,336	--a------	C:\WINDOWS\system32\msvidctl.dll
2007-06-09 15:47	1,201,152	--a------	C:\WINDOWS\system32\d3d8.dll
2007-06-09 15:47	1,189,888	--a------	C:\WINDOWS\system32\dx8vb.dll
2007-06-09 15:44	6,097	--a------	C:\WINDOWS\system32\drivers\sonyhcb.sys
2007-06-09 15:44	53,248	--a------	C:\WINDOWS\system32\SONYHCY.DLL
2007-06-09 15:44	38,739	--a------	C:\WINDOWS\system32\drivers\sonyhcc.sys
2007-06-09 15:44	3,654	--a------	C:\WINDOWS\system32\drivers\Sonyhcp.dll
2007-06-09 15:44	299,923	--a------	C:\WINDOWS\system32\drivers\sonyhcs.sys
2007-06-09 15:44	118,520	--a------	C:\WINDOWS\system32\PxInsI64.exe
2007-06-09 15:44	115,960	--a------	C:\WINDOWS\system32\PxCpyI64.exe
2007-06-09 15:44	102,220	--a------	C:\WINDOWS\system32\drivers\sonypvs1.sys
2007-06-09 15:37 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony Corporation
2007-06-09 15:24 d--------	C:\Program Files\Sony
2007-06-04 10:34 d--------	C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-06-03 11:04	271,224	--a------	C:\WINDOWS\system32\mucltui.dll
2007-06-03 11:04	208,248	--a------	C:\WINDOWS\system32\muweb.dll
2007-06-02 15:56 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Live Toolbar
2007-06-02 15:55 d--------	C:\Program Files\Windows Live Toolbar
2007-06-02 10:24 d--------	C:\Program Files\Common Files\Skype
2007-06-02 09:37 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-29 00:08	26016	--a------	C:\DOCUME~1\userid\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-05-31 23:41	---------	d--------	C:\Program Files\Apple Software Update

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24C934A9-D6F7-4B27-A52D-6C0DB90BD0AD}]
C:\Program Files\Online Services\hokeqobi83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4aa26317-3c88-4837-af48-fea34360582f}]
2007-07-22 13:10	171520	--a------	C:\WINDOWS\System32\fyjmrta.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{636E46D9-A743-A8CC-1A10-FE8DB156D5C1}]
C:\WINDOWS\System32\vxamgig.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 13:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 11:59 C:\WINDOWS\AGRSMMSG.exe]
"SBC Yahoo! Connection Manager"="C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe" [2003-02-03 09:23]
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-02-03 09:18]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 14:34]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 14:33]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 16:49]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 10:00]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-10-03 14:14]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 14:22]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-09 22:32]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 17:30]
"MWLExe"="C:\Program Files\Mcafee\MWL\MWLGuiSt.exe" [2007-03-12 11:40]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2007-02-08 19:39]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-01-19 17:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 03:41]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 18:16]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"Esar"="C:\PROGRA~1\COMMON~1\CROSOF~1.NET\wuaclt.exe" []
"Qxkb"="C:\WINDOWS\F?nts\dllhost.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"DelayShred"="c:\program files\mcafee\mshr\ShrCL.EXE" /P2 /q C:\DOCUME~1\userid\Cookies\SJAC82~1.SH! C:\DOCUME~1\userid\Cookies\SJ7FD0~1.SH! C:\DOCUME~1\userid\Cookies\SJ7B99~1.SH! C:\DOCUME~1\userid\Cookies\SJ8D92~1.SH! C:\DOCUME~1\userid\Cookies\SJCCC0~1.SH! C:\DOCUME~1\userid\Cookies\SJE08F~1.SH! C:\DOCUME~1\userid\Cookies\SJ8137~1.SH! C:\DOCUME~1\userid\Cookies\SJ9F3E~1.SH! C:\DOCUME~1\userid\Cookies\SJE9D6~1.SH! C:\DOCUME~1\userid\Cookies\SJ7586~1.SH! C:\DOCUME~1\userid\Cookies\SJ6997~1.SH! C:\DOCUME~1\userid\Cookies\SJF54C~1.SH! C:\DOCUME~1\userid\Cookies\SJAC43~1.SH! C:\DOCUME~1\userid\Cookies\SJ4701~1.SH! C:\DOCUME~1\userid\Cookies\SJ9FC0~1.SH! C:\DOCUME~1\userid\Cookies\SJBFB2~1.SH! C:\DOCUME~1\userid\Cookies\SJ05CB~1.SH! C:\DOCUME~1\userid\Cookies\SJF180~1.SH! C:\DOCUME~1\userid\Cookies\SJC46B~1.SH! C:\DOCUME~1\userid\Cookies\SJ5B66~1.SH! C:\DOCUME~1\userid\Cookies\SJ2B65~1.SH! C:\DOCUME~1\userid\Cookies\SJ26C2~1.SH! C:\DOCUME~1\userid\Cookies\SJ3100~1.SH! C:\DOCUME~1\userid\Cookies\SJ17B7~1.SH! C:\DOCUME~1\userid\Cookies\SJ4930~1.SH! C:\DOCUME~1\userid\Cookies\SJE52B~1.SH! C:\DOCUME~1\userid\Cookies\SJ7995~1.SH! C:\DOCUME~1\userid\Cookies\SJE7A3~1.SH! C:\DOCUME~1\userid\Cookies\SJAEF5~1.SH! C:\DOCUME~1\userid\Cookies\SJ8F68~1.SH! C:\DOCUME~1\userid\Cookies\SJ5714~1.SH! C:\DOCUME~1\userid\Cookies\SJ9CA0~1.SH! C:\DOCUME~1\userid\Cookies\SJE66A~1.SH! C:\DOCUME~1\userid\Cookies\SJA659~1.SH! C:\DOCUME~1\userid\Cookies\SJC400~1.SH! C:\DOCUME~1\userid\Cookies\SJE9F8~1.SH! C:\DOCUME~1\userid\Cookies\SJCDEE~1.SH! C:\DOCUME~1\userid\Cookies\SJA95D~1.SH! C:\DOCUME~1\userid\Cookies\SJ91FA~1.SH! C:\DOCUME~1\userid\Cookies\SJ4A7B~1.SH! C:\DOCUME~1\userid\Cookies\SJE3D6~1.SH! C:\DOCUME~1\userid\Cookies\SJ7A95~1.SH! C:\DOCUME~1\userid\Cookies\SJ34D5~1.SH! C:\DOCUME~1\userid\Cookies\SJ1600~1.SH! C:\DOCUME~1\userid\Cookies\SJ830E~1.SH! C:\DOCUME~1\userid\Cookies\SJ03B8~1.SH! C:\DOCUME~1\userid\Cookies\SJ6D84~1.SH! C:\DOCUME~1\userid\Cookies\SJD1E0~1.SH! C:\DOCUME~1\userid\Cookies\SJ14C4~1.SH! C:\DOCUME~1\userid\Cookies\SJFEE0~1.SH! C:\DOCUME~1\userid\Cookies\SJ7E3A~1.SH! C:\DOCUME~1\userid\Cookies\SJAE33~1.SH! C:\DOCUME~1\userid\Cookies\SJ0FBF~1.SH! C:\DOCUME~1\userid\Cookies\SJ4B4D~1.SH! C:\DOCUME~1\userid\Cookies\SJFF91~1.SH! C:\DOCUME~1\userid\Cookies\SJ3CEB~1.SH! C:\DOCUME~1\userid\Cookies\SJD006~1.SH! C:\DOCUME~1\userid\Cookies\SJ9D10~1.SH! C:\DOCUME~1\userid\Cookies\SJ330F~1.SH! C:\DOCUME~1\userid\Cookies\SJ385D~1.SH! C:\DOCUME~1\userid\Cookies\SJ9E6A~1.SH! C:\DOCUME~1\userid\Cookies\SJ06BA~1.SH! C:\DOCUME~1\userid\Cookies\SJ9A95~1.SH! C:\DOCUME~1\userid\Cookies\SJ1E34~1.SH! C:\DOCUME~1\userid\Cookies\SJ41EF~1.SH! C:\DOCUME~1\userid\Cookies\SJ37D0~1.SH! C:\DOCUME~1\userid\Cookies\SJ8830~1.SH! C:\DOCUME~1\userid\Cookies\SJ90C5~1.SH! C:\DOCUME~1\userid\Cookies\SJE711~1.SH! C:\DOCUME~1\userid\Cookies\SJDD31~1.SH! C:\DOCUME~1\userid\Cookies\SJB292~1.SH! C:\DOCUME~1\userid\Cookies\SJ80AB~1.SH! C:\DOCUME~1\userid\Cookies\SJEA85~1.SH! C:\DOCUME~1\userid\Cookies\SJ2229~1.SH! C:\DOCUME~1\userid\Cookies\SJ148E~1.SH! C:\DOCUME~1\userid\Cookies\SJE1C5~1.SH! C:\DOCUME~1\userid\Cookies\SJ5466~1.SH! C:\DOCUME~1\userid\Cookies\SJ3300~1.SH! C:\DOCUME~1\userid\Cookies\SJ3E43~1.SH! C:\DOCUME~1\userid\Cookies\SJ23C5~1.SH! C:\DOCUME~1\userid\Cookies\SJ70CB~1.SH! C:\DOCUME~1\userid\Cookies\SJF2F0~1.SH! C:\DOCUME~1\userid\Cookies\SJC01E~1.SH! C:\DOCUME~1\userid\Cookies\SJE885~1.SH! C:\DOCUME~1\userid\Cookies\SJ31BD~1.SH! C:\DOCUME~1\userid\Cookies\SJ6936~1.SH! C:\DOCUME~1\userid\Cookies\SJC39E~1.SH! C:\DOCUME~1\userid\Cookies\SJ6873~1.SH! C:\DOCUME~1\userid\Cookies\SJ9E7E~1.SH! C:\DOCUME~1\userid\Cookies\SJACB5~1.SH! C:\DOCUME~1\userid\Cookies\SJ63D4~1.SH! C:\DOCUME~1\userid\Cookies\SJ3C03~1.SH! C:\DOCUME~1\userid\Cookies\SJ6FE0~1.SH! C:\DOCUME~1\userid\Cookies\SJC25E~1.SH! C:\DOCUME~1\userid\Cookies\SJ823D~1.SH! C:\DOCUME~1\userid\Cookies\SJB9A5~1.SH! C:\DOCUME~1\userid\Cookies\SJ4D98~1.SH! C:\DOCUME~1\userid\Cookies\SJC2A3~1.SH! C:\DOCUME~1\userid\Cookies\SJ8595~1.SH! C:\DOCUME~1\userid\Cookies\SJ9AA5~1.SH! C:\DOCUME~1\userid\Cookies\SJ90E1~1.SH! C:\DOCUME~1\userid\Cookies\SJC29C~1.SH! C:\DOCUME~1\userid\Cookies\SJ0BA3~1.SH! C:\DOCUME~1\userid\Cookies\SJ06BF~1.SH! C:\DOCUME~1\userid\Cookies\SJA4FF~1.SH! C:\DOCUME~1\userid\Cookies\SJ2272~1.SH! C:\DOCUME~1\userid\Cookies\SJDF0C~1.SH! C:\DOCUME~1\userid\Cookies\SJ3DD6~1.SH! C:\DOCUME~1\userid\Cookies\SJD4AF~1.SH! C:\DOCUME~1\userid\Cookies\SJC321~1.SH! C:\DOCUME~1\userid\Cookies\SJ34E8~1.SH! C:\DOCUME~1\userid\Cookies\SJB212~1.SH! C:\DOCUME~1\userid\Cookies\SJ7DED~1.SH! C:\DOCUME~1\userid\Cookies\SJ3EF4~1.SH! C:\DOCUME~1\userid\Cookies\SJ99AC~1.SH! C:\DOCUME~1\userid\Cookies\SJ48DA~1.SH! C:\DOCUME~1\userid\Cookies\SJB32E~1.SH! C:\DOCUME~1\userid\Cookies\SJDBD6~1.SH! C:\DOCUME~1\userid\LOCALS~1\TEMPOR~1\Content.IE5\RMKL8O2L\TO_1_~1.SH! C:\DOCUME~1\userid\LOCALS~1\TEMPOR~1\Content.IE5\O1MJ852F\CLIPCO~1.SH! C:\DOCUME~1\userid\Cookies\SJE66B~1.SH! C:\DOCUME~1\userid\Cookies\SJ9A4E~1.SH! C:\DOCUME~1\userid\Cookies\SJEF98~1.SH! C:\DOCUME~1\userid\LOCALS~1\TEMPOR~1\Content.IE5\RMKL8O2L\83122_~1.SH! C:\DOCUME~1\userid\LOCALS~1\TEMPOR~1\Content.IE5\O1MJ852F\ADBRAD~1.SH! C:\DOCUME~1\userid\LOCALS~1\TEMPOR~1\Content.IE5\G2H4RIVZ\INDEX_~2.SH! C:\DOCUME~1\userid\LOCALS~1\TEMPOR~1\Content.IE5\G2H4RIVZ\ADBRAD~1.SH! C:\DOCUME~1\userid\LOCALS~1\TEMPOR~1\Content.IE5\O1MJ852F\BANCON~1.SH!

C:\Documents and Settings\userid\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-04-15 22:56:33]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=0 (0x0)
"NoSharedDocuments"=00000000
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN\profsy.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqqrrq] 
ssqqrrq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\System32\drivers\Cdr4_xp.sys
R1 Cdralw2k;Cdralw2k;C:\WINDOWS\System32\drivers\Cdralw2k.sys
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\System32\drivers\IBMBLDID.SYS
R1 MPFP;MPFP;C:\WINDOWS\System32\Drivers\Mpfp.sys
R1 TPHKDRV;TPHKDRV;C:\WINDOWS\System32\drivers\TPHKDRV.sys
R1 TPPWR;TPPWR;C:\WINDOWS\System32\drivers\Tppwr.sys
R2 LxrJD31d;LxrJD31d;\??\C:\WINDOWS\System32\Drivers\LxrJD31d.sys
R2 PMEM;PMEM;\??\C:\WINDOWS\system32\drivers\PMEMNT.SYS
R2 WebDriveFSD;WebDrive File System Driver;\??\C:\Program Files\WebDrive\rffsd.sys
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\System32\DRIVERS\e100b325.sys
R3 gv3;Intel GV3 Processor Driver;C:\WINDOWS\System32\DRIVERS\gv3.sys
R3 SynTP;Synaptics TouchPad Driver;C:\WINDOWS\System32\DRIVERS\SynTP.sys
R3 WscNetDr;MWL Filter Miniport;C:\WINDOWS\System32\DRIVERS\WscNetDr.sys
S3 ApiMon;ApiMon;\??\C:\WINDOWS\System32\drivers\ApiMon.sys
S3 BTWDNDIS;Bluetooth LAN Access Server;C:\WINDOWS\System32\DRIVERS\btwdndis.sys
S3 E1000;Intel(R) PRO/1000 Adapter Driver;C:\WINDOWS\System32\DRIVERS\e1000325.sys
S3 EL3C589;3Com Megahertz LAN PC Card Driver;C:\WINDOWS\System32\DRIVERS\el589nd5.sys
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINDOWS\System32\DRIVERS\el575nd5.sys
S3 fa410;NETGEAR FA410TX Fast Ethernet PC Card Driver;C:\WINDOWS\System32\DRIVERS\fa410nd5.sys
S3 PalmUSBD;PalmUSBD;C:\WINDOWS\System32\drivers\PalmUSBD.sys
S3 PCDRDRV;Pcdr Helper Driver;\??\C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys
S3 PcdrNt;PcdrNt;C:\WINDOWS\System32\drivers\PcdrNt.sys
S3 psadd;IBM PSA Access Driver;\??\C:\WINDOWS\system32\Drivers\psadd.sys
S3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\System32\Drivers\RootMdm.sys
S3 w70n51;Intel(R) PRO/Wireless 7100 Adapter Driver;C:\WINDOWS\System32\DRIVERS\w70n51.sys

Contents of the 'Scheduled Tasks' folder
2003-04-23 22:52:04 C:\WINDOWS\Tasks\BMMTask.job 
2007-07-21 13:27:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-07-30 18:06:10 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job 
2007-07-26 01:21:36 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe
2007-07-26 01:21:38 C:\WINDOWS\Tasks\McDefragTask.job - c:\program files\mcafee\mqc\QcConsol.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-30 11:11:31
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-30 11:13:31 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-30 11:13

--- E O F ---

I will post the HiackThis log in the next post.

I will perform the Superantispyware task later this afternoon and send you an updated HijackThis report.

Thanks,
-Sandjosh


----------



## sandjosh (Jul 30, 2007)

Hi MFDnNC,

HijackThis after running ComboFix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:44 AM, on 7/30/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WebDrive\wdService.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee\VIRUSS~2\mcvsshld.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Data\Palm\Hotsync.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Mcafee\MWL\MwlGui.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mcafee\MWL\MwlSvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: (no name) - {24C934A9-D6F7-4B27-A52D-6C0DB90BD0AD} - C:\Program Files\Online Services\hokeqobi83122.dll (file missing)
O2 - BHO: (no name) - {4aa26317-3c88-4837-af48-fea34360582f} - C:\WINDOWS\System32\fyjmrta.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: (no name) - {636E46D9-A743-A8CC-1A10-FE8DB156D5C1} - C:\WINDOWS\System32\vxamgig.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [MWLExe] C:\Program Files\Mcafee\MWL\MWLGuiSt.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Esar] "C:\PROGRA~1\COMMON~1\CROSOF~1.NET\wuaclt.exe" -vt yazb
O4 - HKCU\..\Run: [Qxkb] C:\WINDOWS\F?nts\dllhost.exe
O4 - HKCU\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P2 /q C:\DOCUME~1\userid\Cookies\SJAC82~1.SH! C:\DOCUME~1\userid\Cookies\SJ7FD0~1.SH! C:\DOCUME~1\userid\Cookies\SJ7B99~1.SH! C:\DOCUME~1\userid\Cookies\SJ8D92~1.SH! C:\DOCUME~1\userid\Cookies\SJCCC0~1.SH! C:\DOCUME~1\userid\Cookies\SJE08F~1.SH! C:\DOCUME~1\userid\Cookies\SJ8137~1.SH! C:\DOCUME~1\userid\Cookies\SJ9F3E~1.SH! C:\DOCUME~1\userid\Cookies\SJE9D6~1.SH! C:\DOCUME~1\userid\Cookies\SJ7586~1.SH! C:\DOCUME~1\userid\Cookies\SJ6997~1.SH! C:\DOCUME~1\userid\Cookies\SJF54C~1.SH! C:\DOCUME~1\userid\Cookies\SJAC43~1.SH! C:\DOCUME~1\userid\Cookies\SJ4701~1.SH! C:\DOCUME~1\userid\Cookies\SJ9FC0~1.SH! C:\DOCUME~1\userid\Cookies\SJBFB2~1.SH! C:\DOCUME~1\userid\Cookies\SJ05CB~1.SH! C:\DOCUME~1\userid\Cookies\SJF180~1.SH! C:\DOCUME~1\userid\Cookies\SJC46B~1.SH! C:\DOCUME~1\userid\Cookies\SJ5B66~1.SH! C:\DOCUME~1\userid\Cookies\SJ2B65~1.SH! C:\DOCUME~1\userid\Cookies\SJ26C2~1.SH! C:\DOCUME~1\userid\Cookies\SJ3100~1.SH! C:\DOCUME~1\userid\Co
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: palmOne Registration.lnk = D:\Data\Palm\register.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = D:\Data\Palm\Hotsync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ssqqrrq - ssqqrrq.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\WebDrive\wdService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\profsy.html

--
End of file - 14199 bytes

Thanks,
-Sandjosh


----------



## MFDnNC (Sep 7, 2004)

Will wait on SuperAnti


----------



## sandjosh (Jul 30, 2007)

SUPERAntiSpyware Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/30/2007 at 01:17 PM

Application Version : 3.9.1008

Core Rules Database Version : 3275
Trace Rules Database Version: 1286

Scan type : Complete Scan
Total Scan Time : 01:52:29

Memory items scanned : 559
Memory threats detected : 0
Registry items scanned : 6749
Registry threats detected : 6
File items scanned : 99547
File threats detected : 77

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{4aa26317-3c88-4837-af48-fea34360582f}
HKCR\CLSID\{4AA26317-3C88-4837-AF48-FEA34360582F}
HKCR\CLSID\{4AA26317-3C88-4837-AF48-FEA34360582F}\InprocServer32
HKCR\CLSID\{4AA26317-3C88-4837-AF48-FEA34360582F}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\FYJMRTA.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4aa26317-3c88-4837-af48-fea34360582f}
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ONLINE SERVICES\HOKEQOBI83122.DLL.VIR

Adware.Tracking Cookie
C:\Documents and Settings\userid\Cookies\[email protected][1].txt
C:\Documents and Settings\userid\Cookies\[email protected][1].txt
C:\Documents and Settings\userid\Cookies\[email protected][1].txt
C:\Documents and Settings\userid\Cookies\[email protected][3].txt
C:\Documents and Settings\userid\Cookies\[email protected][3].txt
C:\Documents and Settings\userid\Cookies\[email protected][2].txt
C:\Documents and Settings\userid\Cookies\[email protected][3].txt
C:\Documents and Settings\userid\Cookies\[email protected][1].txt
C:\Documents and Settings\userid\Cookies\[email protected][1].txt
C:\Documents and Settings\userid\Cookies\[email protected][1].txt
C:\Documents and Settings\userid\Cookies\[email protected][4].txt
C:\Documents and Settings\userid\Cookies\[email protected][1].txt
C:\Documents and Settings\userid\Cookies\[email protected][1].txt
C:\Documents and Settings\userid\Cookies\[email protected][1].txt
C:\Documents and Settings\userid\Cookies\[email protected][1].txt
C:\Documents and Settings\userid\Cookies\[email protected][3].txt
C:\Documents and Settings\userid\Cookies\[email protected][1].txt
C:\Documents and Settings\userid\Cookies\sjos[email protected][2].txt
C:\Documents and Settings\userid\Cookies\[email protected][2].txt
C:\Documents and Settings\userid\Cookies\[email protected][1].txt
C:\Documents and Settings\userid\Cookies\[email protected][1].txt
C:\Documents and Settings\userid\Cookies\[email protected][2].txt
C:\Documents and Settings\userid\Cookies\[email protected][1].txt
C:\Documents and Settings\userid\Cookies\[email protected][1].txt
C:\Documents and Settings\userid\Cookies\[email protected][1].txt
C:\Documents and Settings\userid\Cookies\[email protected][2].txt
C:\Documents and Settings\userid\Cookies\[email protected][3].txt
C:\Documents and Settings\userid\Cookies\[email protected][1].txt
C:\Documents and Settings\userid\Cookies\[email protected][1].txt
C:\Documents and Settings\userid\Cookies\[email protected][2].txt
C:\Documents and Settings\userid\Cookies\[email protected][2].txt
C:\Documents and Settings\userid\Cookies\[email protected][1].txt
C:\Documents and Settings\userid\Cookies\[email protected][2].txt
C:\Documents and Settings\userid\Cookies\[email protected][1].txt
C:\Documents and Settings\userid\Cookies\[email protected][2].txt
C:\Documents and Settings\userid\Cookies\[email protected][2].txt
C:\Documents and Settings\userid\Cookies\[email protected][1].txt
C:\Documents and Settings\userid\Cookies\[email protected][1].txt
C:\Documents and Settings\userid\Cookies\[email protected][1].txt
C:\Documents and Settings\userid\Cookies\[email protected][3].txt
C:\Documents and Settings\userid\Cookies\[email protected][2].txt
C:\Documents and Settings\userid\Cookies\[email protected][2].txt
C:\Documents and Settings\userid\Cookies\[email protected][2].txt
C:\Documents and Settings\userid\Cookies\[email protected][4].txt
C:\Documents and Settings\userid\Cookies\[email protected][3].txt
C:\Documents and Settings\userid\Cookies\[email protected][3].txt
C:\Documents and Settings\userid\Cookies\[email protected][3].txt
C:\Documents and Settings\userid\Cookies\[email protected][4].txt
C:\Documents and Settings\userid\Cookies\[email protected][3].txt
C:\Documents and Settings\userid\Cookies\[email protected][5].txt

Trojan.Security Toolbar
D:\Data\Mail\IE\Favorites\Antivirus Test Online.url

Adware.ClickSpring/Outer Info Network
C:\Documents and Settings\userid\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\userid\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\userid\Start Menu\Programs\Outerinfo

Adware.Web Buying
HKU\S-1-5-21-1220945662-1580436667-1343024091-1003\Software\WebBuying

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\TS.ICO
C:\WINDOWS\SYSTEM32\OT.ICO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{11B4E4F0-AB2A-4C6B-89B8-2F798651CE54}\RP729\A0140722.EXE
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WAPIICOM.EXE.VIR

Adware.ClickSpring/Resident
C:\SYSTEM VOLUME INFORMATION\_RESTORE{11B4E4F0-AB2A-4C6B-89B8-2F798651CE54}\RP729\A0140731.DLL
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\VXAMGIG.DLL.VIR

Trojan.ZQuest
C:\SYSTEM VOLUME INFORMATION\_RESTORE{11B4E4F0-AB2A-4C6B-89B8-2F798651CE54}\RP729\A0140732.DLL

Adware.WebBuying Assistant-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{11B4E4F0-AB2A-4C6B-89B8-2F798651CE54}\RP729\A0140735.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{11B4E4F0-AB2A-4C6B-89B8-2F798651CE54}\RP729\A0140736.EXE
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WEB BUYING\V1.8.0\WBUNINST.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WEB BUYING\V1.8.0\WEBBUYING.EXE.VIR

Adware.ClickSpring
C:\SYSTEM VOLUME INFORMATION\_RESTORE{11B4E4F0-AB2A-4C6B-89B8-2F798651CE54}\RP729\A0140739.EXE
C:\QOOBOX\QUARANTINE\C\WINDOWS\FNTS~1\DLLHOST.EXE.VIR

Trojan.Downloader-Gen/HitItQuitIt
C:\SYSTEM VOLUME INFORMATION\_RESTORE{11B4E4F0-AB2A-4C6B-89B8-2F798651CE54}\RP729\A0140743.DLL

Trojan.Downloader-Gen/TStamp
C:\SYSTEM VOLUME INFORMATION\_RESTORE{11B4E4F0-AB2A-4C6B-89B8-2F798651CE54}\RP729\A0140746.EXE
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\PQBTMEBB.EXE.VIR

Adware.Vundo/Traff-2
C:\SYSTEM VOLUME INFORMATION\_RESTORE{11B4E4F0-AB2A-4C6B-89B8-2F798651CE54}\RP729\A0140747.EXE
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\UCVKSYNP.EXE.VIR

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1549OINUNINSTALLER.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\POOLSV\YAZZLEBUNDLE-1549.EXE.VIR

Adware.k8l
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN\PROFSY.HTML.VIR

Thanks,
-Sandjosh


----------



## sandjosh (Jul 30, 2007)

HijackThis after SUPERAntiSpyware

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:25:51 PM, on 7/30/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Data\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WebDrive\wdService.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mcafee\MWL\MwlGui.exe
C:\Program Files\Mcafee\MWL\MwlSvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: (no name) - {24C934A9-D6F7-4B27-A52D-6C0DB90BD0AD} - C:\Program Files\Online Services\hokeqobi83122.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: (no name) - {636E46D9-A743-A8CC-1A10-FE8DB156D5C1} - C:\WINDOWS\System32\vxamgig.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [MWLExe] C:\Program Files\Mcafee\MWL\MWLGuiSt.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Esar] "C:\PROGRA~1\COMMON~1\CROSOF~1.NET\wuaclt.exe" -vt yazb
O4 - HKCU\..\Run: [Qxkb] C:\WINDOWS\F?nts\dllhost.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P2 /q C:\DOCUME~1\userid\Cookies\SJAC82~1.SH! C:\DOCUME~1\userid\Cookies\SJ7FD0~1.SH! C:\DOCUME~1\userid\Cookies\SJ7B99~1.SH! C:\DOCUME~1\userid\Cookies\SJ8D92~1.SH! C:\DOCUME~1\userid\Cookies\SJCCC0~1.SH! C:\DOCUME~1\userid\Cookies\SJE08F~1.SH! C:\DOCUME~1\userid\Cookies\SJ8137~1.SH! C:\DOCUME~1\userid\Cookies\SJ9F3E~1.SH! C:\DOCUME~1\userid\Cookies\SJE9D6~1.SH! C:\DOCUME~1\userid\Cookies\SJ7586~1.SH! C:\DOCUME~1\userid\Cookies\SJ6997~1.SH! C:\DOCUME~1\userid\Cookies\SJF54C~1.SH! C:\DOCUME~1\userid\Cookies\SJAC43~1.SH! C:\DOCUME~1\userid\Cookies\SJ4701~1.SH! C:\DOCUME~1\userid\Cookies\SJ9FC0~1.SH! C:\DOCUME~1\userid\Cookies\SJBFB2~1.SH! C:\DOCUME~1\userid\Cookies\SJ05CB~1.SH! C:\DOCUME~1\userid\Cookies\SJF180~1.SH! C:\DOCUME~1\userid\Cookies\SJC46B~1.SH! C:\DOCUME~1\userid\Cookies\SJ5B66~1.SH! C:\DOCUME~1\userid\Cookies\SJ2B65~1.SH! C:\DOCUME~1\userid\Cookies\SJ26C2~1.SH! C:\DOCUME~1\userid\Cookies\SJ3100~1.SH! C:\DOCUME~1\userid\Co
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: palmOne Registration.lnk = D:\Data\Palm\register.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = D:\Data\Palm\Hotsync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqqrrq - ssqqrrq.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\WebDrive\wdService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\profsy.html

--
End of file - 14299 bytes

Thanks,
-Sandjosh


----------



## MFDnNC (Sep 7, 2004)

Fix these with HiJackThis  mark them, close IE, click fix checked

O2 - BHO: (no name) - {24C934A9-D6F7-4B27-A52D-6C0DB90BD0AD} - C:\Program Files\Online Services\hokeqobi83122.dll (file missing)

O2 - BHO: (no name) - {636E46D9-A743-A8CC-1A10-FE8DB156D5C1} - C:\WINDOWS\System32\vxamgig.dll (file missing)

O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

O4 - HKCU\..\Run: [Esar] "C:\PROGRA~1\COMMON~1\CROSOF~1.NET\wuaclt.exe" -vt yazb

O4 - HKCU\..\Run: [Qxkb] C:\WINDOWS\F?nts\dllhost.exe

O4 - HKCU\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P2 /q C:\DOCUME~1\userid\Cookies\SJAC82~1.SH! C:\DOCUME~1\userid\Cookies\SJ7FD0~1.SH! C:\DOCUME~1\userid\Cookies\SJ7B99~1.SH! C:\DOCUME~1\userid\Cookies\SJ8D92~1.SH! C:\DOCUME~1\userid\Cookies\SJCCC0~1.SH! C:\DOCUME~1\userid\Cookies\SJE08F~1.SH! C:\DOCUME~1\userid\Cookies\SJ8137~1.SH! C:\DOCUME~1\userid\Cookies\SJ9F3E~1.SH! C:\DOCUME~1\userid\Cookies\SJE9D6~1.SH! C:\DOCUME~1\userid\Cookies\SJ7586~1.SH! C:\DOCUME~1\userid\Cookies\SJ6997~1.SH! C:\DOCUME~1\userid\Cookies\SJF54C~1.SH! C:\DOCUME~1\userid\Cookies\SJAC43~1.SH! C:\DOCUME~1\userid\Cookies\SJ4701~1.SH! C:\DOCUME~1\userid\Cookies\SJ9FC0~1.SH! C:\DOCUME~1\userid\Cookies\SJBFB2~1.SH! C:\DOCUME~1\userid\Cookies\SJ05CB~1.SH! C:\DOCUME~1\userid\Cookies\SJF180~1.SH! C:\DOCUME~1\userid\Cookies\SJC46B~1.SH! C:\DOCUME~1\userid\Cookies\SJ5B66~1.SH! C:\DOCUME~1\userid\Cookies\SJ2B65~1.SH! C:\DOCUME~1\userid\Cookies\SJ26C2~1.SH! C:\DOCUME~1\userid\Cookies\SJ3100~1.SH! C:\DOCUME~1\userid\Co

O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\profsy.html

START  RUN  type in %temp% - OK - Edit  Select all  File  Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new hijack log from normal NOT safe mode

*Please give feedback on what worked/didnt work and the current status of your system*


----------



## sandjosh (Jul 30, 2007)

Latest HijackThis, after fixing selected items:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:54:10 PM, on 7/30/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WebDrive\wdService.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Data\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mcafee\MWL\MwlGui.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mcafee\MWL\MwlSvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [MWLExe] C:\Program Files\Mcafee\MWL\MWLGuiSt.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: palmOne Registration.lnk = D:\Data\Palm\register.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = D:\Data\Palm\Hotsync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqqrrq - ssqqrrq.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\WebDrive\wdService.exe

--
End of file - 12695 bytes

Thanks,
-Sandjosh


----------



## MFDnNC (Sep 7, 2004)

Fix this

O20 - Winlogon Notify: ssqqrrq - ssqqrrq.dll (file missing)

Clean








If you feel its is fixed mark it solved via Thread Tools above

Turn off restore points, boot, turn them back on  heres how

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

This clears infected restore points and sets a new, clean one.


----------



## sandjosh (Jul 30, 2007)

Things look pretty good! Thanks a bunch!! You guys are awesome!!!

Thanks,
-Sandjosh


----------



## sandjosh (Jul 30, 2007)

What do I do with all the diagnostic programs that I had installed to fix this problem? Would you actually I continue to use them to monitor trojan/malware activity on my laptop? Can I conclude that McAfee is not as good as they make it sound since it was unable to detect and clean completely?

Thanks,
-Sandjosh


----------



## MFDnNC (Sep 7, 2004)

McAfee is an antivirus not antispyware - you can remove HiJack and Combo, but I'd keep SAS


----------



## sandjosh (Jul 30, 2007)

Thanks for your help. McAfee does say that one of the things it does is "blocks spyware before it installs on your computer, and removes existing spyware...". Anyway, no worries. I will keep SAS.

Thanks again,
-Sandjosh


----------

