Computer Juice > Computer Software > Virus, Spyware & Security
Removing iexplore.exe virus / hijack log
  #1  
Old 10th Nov 2008, 18:14
Member Group
 
Skill Level: Intermediate
Posts: 22
Removing iexplore.exe virus / hijack log

Hey guys,
Um. Every time I start up my computer, the iexplore.exe (in Task Manager) comes up all by itself. I don't ever use Internet Explorer, I use Firefox, but this comes up on its own. It's also using most of my memory. I'm also getting a billion popups which I'm willing to bet are from this. Whenever I end the process it comes back up 3 or 4 times, then it usually goes away after the 5th time I end it, but this is only for around 5 min, then it's back again. Does someone know what's going on? I've run scans with Ad-Aware, Norton, etc., but they haven't found anything.
Additional Info:
I have Windows XP
&& Also there are voices coming from the ads. I tried everything. Thanks in advance ^__^

I'm kind of new at this. So erm. Can someone tell me how to remove it? In a simple-ish way? =P





Logfile of HijackThis v1.99.1
Scan saved at 6:14:25 PM, on 11/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\0LFlxR4x.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3615EE58-6F38-47BA-9DD9-C99BD611C6A6} - C:\WINDOWS\system32\efcdbxx.dll (file missing)
O2 - BHO: (no name) - {4715C8BC-0204-06D4-0A62-2E00BBB78BBD} - C:\WINDOWS\system32\izf.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {843B515A-BBC4-4AF2-916D-69E9F7DD8F9D} - C:\WINDOWS\system32\vtsqo.dll (file missing)
O2 - BHO: {684a8728-dd11-3ef9-b3e4-ea3410654e7c} - {c7e45601-43ae-4e3b-9fe3-11dd8278a486} - C:\WINDOWS\system32\ikwijhuy.dll (file missing)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Administrator"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Administrator"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: efcdbxx - efcdbxx.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  #2  
Old 10th Nov 2008, 20:23
Moderator Group
 
Skill Level: Advanced
Posts: 7,136
Removing iexplore.exe virus / hijack log

Welcome to CJ.

Please print these instructions as they will be needed later when Internet access is not available.

Download SDFix by AndyManchesta and save it to your desktop.

When using this tool, you must use the Administrator's account or an account with Administrative rights.
  • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply.
----------

Also install the new version of HijackThis and post a new log from it in Normal boot mode after SDFix has completed.

Download TrendMicro HijackThis.exe (HJT) to the Desktop.
  • Double-click on HJTInstall.
  • Click on the Install button.
  • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
  • Upon install, HijackThis should open for you.
  • Click on the Do a system scan and save a log file button
  • HijackThis will scan and then a log will open in notepad.
  • Copy and then paste the entire contents of the log in your post.
  • Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
__________________

  #3  
Old 11th Nov 2008, 08:55
Member Group
 
Skill Level: Intermediate
Posts: 22
Removing iexplore.exe virus / hijack log

SDFix Report


SDFix: Version 1.240
Run by Administrator on Tue 11/11/2008 at 08:39 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Program Files\nvcoi\mst.stt - Deleted



Folder C:\Program Files\nvcoi - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\Temp\sanR24 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-11 08:47:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"="C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe:*:Disabled:BackWeb-137903"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 14 Nov 2007 204 A.SHR --- "C:\BOOT.BAK"
Fri 22 Aug 2008 635,848 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Thu 15 Jul 2004 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.SYS"
Thu 10 Jan 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 10 Jan 2008 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv19.bak"
Wed 29 Oct 2008 3,442 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE3.tmp"

Finished!



------------------------------------------




HijackThis Log



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:16 AM, on 11/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4715C8BC-0204-06D4-0A62-2E00BBB78BBD} - C:\WINDOWS\system32\izf.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {843B515A-BBC4-4AF2-916D-69E9F7DD8F9D} - C:\WINDOWS\system32\vtsqo.dll (file missing)
O2 - BHO: {684a8728-dd11-3ef9-b3e4-ea3410654e7c} - {c7e45601-43ae-4e3b-9fe3-11dd8278a486} - C:\WINDOWS\system32\ikwijhuy.dll (file missing)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKUS\S-1-5-18\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9268 bytes
  #4  
Old 11th Nov 2008, 11:07
Moderator Group
 
Skill Level: Advanced
Posts: 7,136
Removing iexplore.exe virus / hijack log

Download Disable/Remove Windows Messenger to the Desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the Desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the Desktop.

----------

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
- O2 - BHO: (no name) - {4715C8BC-0204-06D4-0A62-2E00BBB78BBD} - C:\WINDOWS\system32\izf.dll (file missing)
- O2 - BHO: (no name) - {843B515A-BBC4-4AF2-916D-69E9F7DD8F9D} - C:\WINDOWS\system32\vtsqo.dll (file missing)
- O2 - BHO: {684a8728-dd11-3ef9-b3e4-ea3410654e7c} - {c7e45601-43ae-4e3b-9fe3-11dd8278a486} - C:\WINDOWS\system32\ikwijhuy.dll (file missing)
- O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE


Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------


Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions, as they could damage the workings of your system.

Go to Start > Run and type notepad.exe, then click OK.

Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"AlcxMonitor"=-

Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

Delete the fixme.reg from the Desktop.

----------

Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop.

Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.

For Windows XP Systems install the Recovery Console:

- If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
- If for some reason your Internet is not working click No.
- If you are not using Windows XP, you will not be prompted.
- When prompted to accept the EULA click OK.
- Accept Microsoft's EULA (Click Yes).
- When you are told that the RC is installed correctly click YES to continue scanning for malware.

When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

Also let me know how the computer is running now.
__________________
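A small triage helper for the log format posted in this thread, as an added example (not HijackThis's own code and not the moderator's procedure): it parses O2, O4 and O20 lines, flags the patterns the fix list above relies on (unnamed BHOs, entries whose file is missing, Run values with no path), and diffs two logs to show what a cleanup removed. The sample logs are constructed excerpts of entries quoted above; the flagging rules are assumptions of mine, and a flagged entry is a candidate for review, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed excerpt: a few entries copied from the first (pre-SDFix) log above.
LOG_BEFORE = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {3615EE58-6F38-47BA-9DD9-C99BD611C6A6} - C:\\WINDOWS\\system32\\efcdbxx.dll (file missing)
O2 - BHO: {684a8728-dd11-3ef9-b3e4-ea3410654e7c} - {c7e45601-43ae-4e3b-9fe3-11dd8278a486} - C:\\WINDOWS\\system32\\ikwijhuy.dll (file missing)
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [AlcxMonitor] ALCXMNTR.EXE
O20 - Winlogon Notify: efcdbxx - efcdbxx.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\\WINDOWS\\system32\\NavLogon.dll
"""

# Constructed excerpt: the same entries as they stand in the post-SDFix log,
# where the efcdbxx BHO and its Winlogon Notify hook are gone.
LOG_AFTER = "\n".join(l for l in LOG_BEFORE.splitlines() if "efcdbxx" not in l) + "\n"

# HijackThis appends "(file missing)" or "(no file)" when the target is absent.
STATUS_RE = re.compile(r"\s*\((?:file missing|no file)\)$")
# O4 Run entries look like: HKLM\..\Run: [ValueName] command line
O4_RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")


@dataclass(frozen=True)
class Entry:
    kind: str       # "O2", "O4" or "O20"
    name: str       # BHO display name, Run value name or Notify subkey
    target: str     # DLL path / command line with the status suffix removed
    missing: bool   # HijackThis reported the file as missing
    raw: str


def _split_status(target):
    """Strip HijackThis's trailing status marker and say whether it was present."""
    m = STATUS_RE.search(target)
    if not m:
        return target, False
    return target[:m.start()], True


def parse_entry(line):
    """Parse one O2 / O4 (hive Run) / O20 line; anything else yields None."""
    line = line.strip()
    if line.startswith("O2 - BHO: "):
        # O2 - BHO: <name> - {CLSID} - <path>; split from the right so a
        # display name containing " - " stays intact.
        parts = line[len("O2 - BHO: "):].rsplit(" - ", 2)
        if len(parts) != 3:
            return None
        name, _clsid, target = parts
        target, missing = _split_status(target)
        return Entry("O2", name, target, missing, line)
    if line.startswith("O4 - "):
        m = O4_RUN_RE.match(line[len("O4 - "):])
        if not m:          # Global Startup and other O4 forms are not handled here
            return None
        _hive, _key, name, cmd = m.groups()
        return Entry("O4", name, cmd, False, line)
    if line.startswith("O20 - Winlogon Notify: "):
        name, _, target = line[len("O20 - Winlogon Notify: "):].partition(" - ")
        target, missing = _split_status(target)
        return Entry("O20", name, target, missing, line)
    return None


def triage(log_text):
    """Return [(entry, reason)] for entries worth a second look (assumed rules)."""
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        if e.missing:
            findings.append((e, "orphaned: still registered but its file is gone"))
        elif e.kind == "O2" and (e.name == "(no name)" or e.name.startswith("{")):
            findings.append((e, "review: BHO with no readable name"))
        elif e.kind == "O4" and "\\" not in e.target.strip('"'):
            findings.append((e, "review: Run value is a bare filename, not a full path"))
    return findings


def diff_logs(before, after):
    """Entries present in one log but not the other, as (removed, added) raw lines."""
    def entries(text):
        return {l.strip() for l in text.splitlines() if parse_entry(l) is not None}
    b, a = entries(before), entries(after)
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for e, why in triage(LOG_BEFORE):
        print(f"{e.kind:<4}{e.name:<42}{why}")
    removed, _added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("\nremoved by the cleanup:")
    for line in removed:
        print("  " + line)
```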

  #5  
Old 11th Nov 2008, 11:55
Member Group
 
Skill Level: Intermediate
Posts: 22
Removing iexplore.exe virus / hijack log

ComboFix log


ComboFix 08-11-10.01 - Administrator 2008-11-11 11:39:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.176 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\My Documents\TSKS~1
c:\program files\Common Files\racle~1
c:\program files\stem32~1
c:\program files\wnsxs~1
c:\windows\BMf3ec611b.txt
c:\windows\system32\0LFlxR4x.exe.a_a
c:\windows\system32\epljwqgq.ini
c:\windows\system32\fj8wNOvc.exe.a_a
c:\windows\system32\icidbcft.ini
c:\windows\system32\iDlo01
c:\windows\system32\jrjvfibu.ini
c:\windows\system32\jryeuaqx.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\MSINET.oca
c:\windows\system32\mvmqocpc.ini
c:\windows\system32\oqstv.ini
c:\windows\system32\oqstv.ini2
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.

2008-11-11 08:54 . 2008-11-11 08:54 <DIR> d-------- c:\program files\Trend Micro
2008-11-11 08:38 . 2008-11-11 08:38 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-11-11 08:29 . 2008-11-11 08:29 <DIR> d-------- c:\windows\ERUNT
2008-11-11 08:23 . 2008-11-11 08:51 <DIR> d-------- C:\SDFix
2008-11-02 09:12 . 2008-11-10 14:10 41,474 --a------ c:\windows\system32\0LFlxR4x.exe_
2008-11-02 09:12 . 2008-11-11 09:12 40,450 --a------ c:\windows\system32\0LFlxR4x.exe
2008-10-31 18:00 . 2008-10-31 18:00 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Yahoo!
2008-10-31 16:40 . 2008-10-31 16:40 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Yahoo!
2008-10-31 16:39 . 2008-11-10 17:27 <DIR> d-------- c:\program files\Yahoo!
2008-10-29 17:23 . 2008-10-29 17:23 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-10-29 17:23 . 2008-09-08 03:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-29 17:23 . 2008-06-13 04:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-10-29 17:23 . 2008-08-14 03:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys
2008-10-29 17:22 . 2008-08-14 03:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-29 17:22 . 2008-08-14 03:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-29 17:22 . 2008-08-14 02:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-29 17:22 . 2008-08-14 02:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-29 17:22 . 2008-09-15 05:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-29 17:22 . 2008-04-11 12:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-10-29 17:22 . 2008-05-08 07:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-10-28 18:39 . 2008-10-28 18:39 10 --a------ c:\windows\WININIT.INI
2008-10-23 14:45 . 2008-10-15 09:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 18:38 . 2008-10-29 15:26 <DIR> d-------- c:\windows\system32\scripting
2008-10-15 18:38 . 2008-10-29 15:26 <DIR> d-------- c:\windows\system32\en
2008-10-15 18:38 . 2008-10-29 15:26 <DIR> d-------- c:\windows\system32\bits
2008-10-15 18:38 . 2008-10-29 15:26 <DIR> d-------- c:\windows\l2schemas
2008-10-15 18:23 . 2007-06-13 03:23 1,033,216 --a------ c:\windows\SET25A.tmp
2008-10-15 18:22 . 2008-08-14 03:09 2,145,280 --a------ c:\windows\system32\ntoskrnl.exe
2008-10-15 16:09 . 2008-10-15 16:09 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Motive
2008-10-12 17:26 . 2008-10-12 17:25 30,272 --a------ c:\windows\system32\fj8wNOvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 18:38 --------- d-----w c:\program files\Symantec AntiVirus
2008-11-10 22:05 --------- d-----w c:\program files\DivX
2008-11-10 22:03 --------- d-----w c:\program files\Java
2008-11-10 01:37 --------- d-----w c:\program files\Microsoft Plus! Digital Media Edition
2008-11-10 01:35 --------- d-----w c:\program files\Microsoft Works
2008-11-08 02:37 90,112 ----a-w c:\windows\DUMP3a98.tmp
2008-11-08 01:26 30 ----a-w c:\documents and settings\Administrator\jagex_runescape_preferences.dat
2008-10-29 22:21 77,824 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABP4EN\plugin\bin\FDIWrapper.dll
2008-10-29 22:21 69,632 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABP4EN\plugin\bin\jsharpde\msxmlwrapper.dll
2008-10-29 22:21 5,632 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABP4EN\plugin\bin\jsharpde\GUI.dll
2008-10-29 22:21 49,152 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABP4EN\plugin\bin\PCHI18N.dll
2008-10-29 22:21 32,768 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABP4EN\plugin\bin\jsharpde\pchapi.dll
2008-10-29 22:21 26,572 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABP4EN\plugin\bin\jsharpde\INV16.dll
2008-10-29 22:21 213,089 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABP4EN\plugin\bin\jsharpde\motive.zip
2008-10-29 22:21 139,264 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABP4EN\plugin\bin\ContentUpdater.exe
2008-10-29 22:21 114,688 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABP4EN\plugin\bin\jsharpde\ZipLib.dll
2008-10-29 22:21 114,688 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABP4EN\plugin\bin\jsharpde\asst_ui.dll
2008-10-29 22:11 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-29 22:11 --------- d-----w c:\program files\ATI Technologies
2008-10-25 01:16 --------- d-----w c:\documents and settings\Administrator\Application Data\Move Networks
2008-10-16 22:05 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-10-16 01:06 --------- d-----w c:\program files\Google
2008-09-28 22:59 --------- d-----w c:\program files\Common Files\AOL
2008-09-22 21:29 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2008-09-22 21:29 --------- d-----w c:\documents and settings\Administrator\Application Data\acccore
2008-09-22 21:27 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-09-17 01:24 --------- d-----w c:\documents and settings\Administrator\Application Data\Vso
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
2007-12-28 00:53 79,738 ----a-w c:\documents and settings\Fonts\broken_ghost.zip
2007-11-23 01:25 81,920 ----a-w c:\documents and settings\Administrator\Application Data\ezpinst.exe
2007-11-23 01:25 47,360 ----a-w c:\documents and settings\Administrator\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2005-03-08 910336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-04 50176]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-10-02 118784]
"CamMonitor"="c:\program files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 90112]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 483328]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-12-17 151597]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 139264]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-23 85696]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-05 c:\windows\system32\Ati2mdxx.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-22 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 CX88XBAR;Conexant 2388x Crossbar Dual Input;c:\windows\system32\drivers\CX88XBARDUAL.sys [2003-12-10 7040]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-10-30 c:\windows\Tasks\At1.job
- c:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-11 c:\windows\Tasks\At10.job
- c:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-02 c:\windows\Tasks\At100.job
- c:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-02 c:\windows\Tasks\At101.job
- c:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-02 c:\windows\Tasks\At102.job
- c:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-02 c:\windows\Tasks\At103.job
- c:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-02 c:\windows\Tasks\At104.job
- c:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-02 c:\windows\Tasks\At105.job
- c:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-11 c:\windows\Tasks\At106.job
- c:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-11 c:\windows\Tasks\At107.job
- c:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-09 c:\windows\Tasks\At108.job
- c:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-09 c:\windows\Tasks\At109.job
- c:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-11 c:\windows\Tasks\At11.job
- c:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-09 c:\windows\Tasks\At110.job
- c:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-10 c:\windows\Tasks\At111.job
- c:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-10 c:\windows\Tasks\At112.job
- c:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-06 c:\windows\Tasks\At113.job
- c:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-09 c:\windows\Tasks\At114.job
- c:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-11 c:\windows\Tasks\At115.job
- c:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-11 c:\windows\Tasks\At116.job
- c:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-09 c:\windows\Tasks\At117.job
- c:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-02 c:\windows\Tasks\At118.job
- c:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-02 c:\windows\Tasks\At119.job
- c:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-09 c:\windows\Tasks\At12.job
- c:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-02 c:\windows\Tasks\At120.job
- c:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-09 c:\windows\Tasks\At13.job
- c:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-09 c:\windows\Tasks\At14.job
- c:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-10 c:\windows\Tasks\At15.job
- c:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-10 c:\windows\Tasks\At16.job
- c:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-06 c:\windows\Tasks\At17.job
- c:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-09 c:\windows\Tasks\At18.job
- c:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-11 c:\windows\Tasks\At19.job
- c:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-10-30 c:\windows\Tasks\At2.job
- c:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-11 c:\windows\Tasks\At20.job
- c:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-09 c:\windows\Tasks\At21.job
- c:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-10-30 c:\windows\Tasks\At22.job
- c:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-10-30 c:\windows\Tasks\At23.job
- c:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-10-30 c:\windows\Tasks\At24.job
- c:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-10-30 c:\windows\Tasks\At3.job
- c:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-10-30 c:\windows\Tasks\At4.job
- c:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-10-30 c:\windows\Tasks\At5.job
- c:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-10-30 c:\windows\Tasks\At6.job
- c:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-10-31 c:\windows\Tasks\At7.job
- c:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-10-30 c:\windows\Tasks\At8.job
- c:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-01 c:\windows\Tasks\At9.job
- c:\windows\system32\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-02 c:\windows\Tasks\At97.job
- c:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-02 c:\windows\Tasks\At98.job
- c:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-02 c:\windows\Tasks\At99.job
- c:\windows\system32\0LFlxR4x.exe [2008-11-11 09:12]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
HKCU-Run-RecordNow! - (no file)
HKLM-Run-HPHUPD05 - c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HKLM-Run-AutoTKit - c:\hp\bin\AUTOTKIT.EXE
HKLM-Run-UpdateManager - c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
HKLM-Run-ATIPTA - c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0rews22y.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
FF -: plugin - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0rews22y.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF -: plugin - c:\documents and settings\Administrator\Application Data\Mozilla\plugins\npPxPlay.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
FF -: plugin - c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF -: plugin - c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF -: plugin - c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-11 11:44:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-11-11 11:47:43
ComboFix-quarantined-files.txt 2008-11-11 18:46:39

Pre-Run: 89,004,101,632 bytes free
Post-Run: 89,081,098,240 bytes free

272 --- E O F --- 2008-10-30 03:01:59


~~
So far iexplore.exe hasn't popped up ^_^
Is there any way to make sure that it's gone?
&& Is it alright if I delete the things that I downloaded?
  #6  
Old 11th Nov 2008, 12:04
Moderator Group
 
Skill Level: Advanced
Posts: 7,136
Default Removing iexplore.exe virus / hijack log

We will clean everything up before we are done. There is still more to be done, but I have to run for a while. Be back later.
__________________

  #7  
Old 11th Nov 2008, 12:19
Member Group
 
Skill Level: Intermediate
Posts: 22
Default Removing iexplore.exe virus / hijack log

More steps? I thought we were done D:
Quick question: is any of this going to affect the programs that are installed on my computer?
Alrightie, I have to go for a bit as well xP
  #8  
Old 11th Nov 2008, 13:07
Member Group
 
Skill Level: Intermediate
Posts: 22
Default Removing iexplore.exe virus / hijack log

iexplore.exe's still here ;-;
  #9  
Old 11th Nov 2008, 16:28
Moderator Group
 
Skill Level: Advanced
Posts: 7,136
Default Removing iexplore.exe virus / hijack log

No, we aren't done. I'll give the all clear when it's over.

Note: the instructions below were created specifically for this user. If you are not this user, DO NOT follow these directions, as they could damage the workings of your system.

Delete these files/folders, as follows:

1. Go to Start > Run, type Notepad.exe and click OK to open Notepad.
It must be Notepad, not WordPad.
2. Copy the text in the code box below by highlighting all of it and pressing Ctrl+C.

Code:
KillAll::

File::
c:\windows\system32\0LFlxR4x.exe_
c:\windows\system32\0LFlxR4x.exe
c:\windows\SET25A.tmp
c:\windows\system32\fj8wNOvc.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At100.job
c:\windows\Tasks\At101.job
c:\windows\Tasks\At102.job
c:\windows\Tasks\At103.job
c:\windows\Tasks\At104.job
c:\windows\Tasks\At105.job
c:\windows\Tasks\At106.job
c:\windows\Tasks\At107.job
c:\windows\Tasks\At108.job
c:\windows\Tasks\At109.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At110.job
c:\windows\Tasks\At111.job
c:\windows\Tasks\At112.job
c:\windows\Tasks\At113.job
c:\windows\Tasks\At114.job
c:\windows\Tasks\At115.job
c:\windows\Tasks\At116.job
c:\windows\Tasks\At117.job
c:\windows\Tasks\At118.job
c:\windows\Tasks\At119.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At120.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\Tasks\At97.job
c:\windows\Tasks\At98.job
c:\windows\Tasks\At99.job

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
3. Go to the Notepad window and click Edit > Paste.
4. Then click File > Save.
5. Name the file CFScript.txt and save it to your Desktop.
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) onto ComboFix.exe, as you see in the screenshot below. Important: perform this instruction carefully!

ComboFix will begin to execute; just follow the prompts.
After the reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
__________________
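As an added example (not code from this thread, its moderator, or the ComboFix author), a small Python script that parses the "Contents of the 'Scheduled Tasks' folder" section in the log layout ComboFix printed above, groups the At*.job entries by the executable they launch, flags targets that look like the two in this thread (a random-named .exe dropped directly in system32, launched by many auto-generated At<n>.job files), and emits a File:: block in the CFScript shape the moderator used. The SAMPLE_LOG text, the looks_random() heuristic and the min_jobs threshold are constructed assumptions.

```python
"""Triage the 'Scheduled Tasks' section of a ComboFix log: group At*.job
entries by target, flag targets that match the pattern seen in this thread,
and build a CFScript File:: block.  SAMPLE_LOG, looks_random() and
min_jobs are constructed assumptions, not ComboFix functionality."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the same layout as the log posted in this thread.
SAMPLE_LOG = """\
Contents of the 'Scheduled Tasks' folder

2008-10-30 c:\\windows\\Tasks\\At1.job
- c:\\windows\\system32\\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-02 c:\\windows\\Tasks\\At100.job
- c:\\windows\\system32\\0LFlxR4x.exe [2008-11-11 09:12]

2008-11-11 c:\\windows\\Tasks\\At10.job
- c:\\windows\\system32\\fj8wNOvc.exe [2008-10-12 17:25]

2008-11-01 c:\\windows\\Tasks\\GoogleUpdateTaskMachineUA.job
- c:\\program files\\Google\\Update\\GoogleUpdate.exe [2008-10-16 01:06]
.
- - - - ORPHANS REMOVED - - - -
"""

SECTION_START = "Contents of the 'Scheduled Tasks' folder"
JOB_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (.+\.job)$", re.IGNORECASE)
TARGET_RE = re.compile(r"^- (.+?) \[([^\]]+)\]$")
AT_JOB_RE = re.compile(r"\\at\d+\.job$", re.IGNORECASE)  # names at.exe generates
Job = Tuple[str, str, str]  # (job path, target path, target timestamp)


def parse_scheduled_tasks(log_text: str) -> List[Job]:
    """Return every (job, target, stamp) triple in the Scheduled Tasks section."""
    jobs: List[Job] = []
    in_section = False
    pending_job = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == SECTION_START
            continue
        if line == ".":  # ComboFix closes each section with a lone dot
            break
        job_match = JOB_RE.match(line)
        if job_match:
            pending_job = job_match.group(2)
            continue
        target_match = TARGET_RE.match(line)
        if target_match and pending_job:
            jobs.append((pending_job, target_match.group(1), target_match.group(2)))
            pending_job = None
    return jobs


def group_by_target(jobs: List[Job]) -> Dict[str, List[str]]:
    """Map each launched executable to the job files that launch it."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for job_path, target, _stamp in jobs:
        grouped[target].append(job_path)
    return dict(grouped)


def looks_random(filename: str) -> bool:
    """Heuristic (assumption): a stem of 6+ chars mixing digits, upper- and
    lower-case letters, like fj8wNOvc.exe, reads as machine-generated."""
    stem = filename.rsplit(".", 1)[0]
    return (len(stem) >= 6
            and any(c.isdigit() for c in stem)
            and any(c.isupper() for c in stem)
            and any(c.islower() for c in stem))


def suspicious_targets(jobs: List[Job], min_jobs: int = 2) -> List[str]:
    """Flag a target that is a random-named file directly in system32, or that
    at least `min_jobs` auto-generated At<n>.job files point at."""
    flagged = []
    for target, job_paths in group_by_target(jobs).items():
        directory, _, name = target.rpartition("\\")
        in_system32 = directory.lower().endswith("\\windows\\system32")
        at_jobs = sum(1 for j in job_paths if AT_JOB_RE.search(j))
        if (in_system32 and looks_random(name)) or at_jobs >= min_jobs:
            flagged.append(target)
    return sorted(flagged)


def cfscript_file_block(jobs: List[Job], targets: List[str]) -> str:
    """Build a File:: section listing each flagged target plus every job that
    launches it, in the shape of the CFScript posted above."""
    wanted = set(targets)
    paths = set(targets)
    for job_path, target, _stamp in jobs:
        if target in wanted:
            paths.add(job_path)
    return "File::\n" + "\n".join(sorted(paths)) + "\n"


if __name__ == "__main__":
    found = parse_scheduled_tasks(SAMPLE_LOG)
    bad = suspicious_targets(found)
    for target in bad:
        print(f"{len(group_by_target(found)[target])} job(s) launch {target}")
    print(cfscript_file_block(found, bad))
```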

  #10  
Old 11th Nov 2008, 17:36
Member Group
 
Skill Level: Intermediate
Posts: 22
Default Removing iexplore.exe virus / hijack log

Okay ^__^

Combofix Log

ComboFix 08-11-10.01 - Administrator 2008-11-11 17:21:42.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.153 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\SET25A.tmp
c:\windows\system32\0LFlxR4x.exe
c:\windows\system32\0LFlxR4x.exe_
c:\windows\system32\fj8wNOvc.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At100.job
c:\windows\Tasks\At101.job
c:\windows\Tasks\At102.job
c:\windows\Tasks\At103.job
c:\windows\Tasks\At104.job
c:\windows\Tasks\At105.job
c:\windows\Tasks\At106.job
c:\windows\Tasks\At107.job
c:\windows\Tasks\At108.job
c:\windows\Tasks\At109.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At110.job
c:\windows\Tasks\At111.job
c:\windows\Tasks\At112.job
c:\windows\Tasks\At113.job
c:\windows\Tasks\At114.job
c:\windows\Tasks\At115.job
c:\windows\Tasks\At116.job
c:\windows\Tasks\At117.job
c:\windows\Tasks\At118.job
c:\windows\Tasks\At119.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At120.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\Tasks\At97.job
c:\windows\Tasks\At98.job
c:\windows\Tasks\At99.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SET25A.tmp
c:\windows\system32\0LFlxR4x.exe
c:\windows\system32\0LFlxR4x.exe.a_a
c:\windows\system32\fj8wNOvc.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At100.job
c:\windows\Tasks\At101.job
c:\windows\Tasks\At102.job
c:\windows\Tasks\At103.job
c:\windows\Tasks\At104.job
c:\windows\Tasks\At105.job
c:\windows\Tasks\At106.job
c:\windows\Tasks\At107.job
c:\windows\Tasks\At108.job
c:\windows\Tasks\At109.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At110.job
c:\windows\Tasks\At111.job
c:\windows\Tasks\At112.job
c:\windows\Tasks\At113.job
c:\windows\Tasks\At114.job
c:\windows\Tasks\At115.job
c:\windows\Tasks\At116.job
c:\windows\Tasks\At117.job
c:\windows\Tasks\At118.job
c:\windows\Tasks\At119.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At120.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\Tasks\At97.job
c:\windows\Tasks\At98.job
c:\windows\Tasks\At99.job

.
((((((((((((((((((((((((( Files Created from 2008-10-12 to 2008-11-12 )))))))))))))))))))))))))))))))
.

2008-11-11 08:54 . 2008-11-11 08:54 <DIR> d-------- c:\program files\Trend Micro
2008-11-11 08:38 . 2008-11-11 08:38 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-11-11 08:29 . 2008-11-11 08:29 <DIR> d-------- c:\windows\ERUNT
2008-11-11 08:23 . 2008-11-11 08:51 <DIR> d-------- C:\SDFix
2008-10-31 18:00 . 2008-10-31 18:00 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Yahoo!
2008-10-31 16:40 . 2008-10-31 16:40 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Yahoo!
2008-10-31 16:39 . 2008-11-10 17:27 <DIR> d-------- c:\program files\Yahoo!
2008-10-29 17:23 . 2008-10-29 17:23 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-10-29 17:23 . 2008-09-08 03:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-29 17:23 . 2008-06-13 04:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-10-29 17:23 . 2008-08-14 03:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys
2008-10-29 17:22 . 2008-08-14 03:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-29 17:22 . 2008-08-14 03:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-29 17:22 . 2008-08-14 02:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-29 17:22 . 2008-08-14 02:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-29 17:22 . 2008-09-15 05:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-29 17:22 . 2008-04-11 12:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-10-29 17:22 . 2008-05-08 07:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-10-28 18:39 . 2008-10-28 18:39 10 --a------ c:\windows\WININIT.INI
2008-10-23 14:45 . 2008-10-15 09:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 18:38 . 2008-10-29 15:26 <DIR> d-------- c:\windows\system32\scripting
2008-10-15 18:38 . 2008-10-29 15:26 <DIR> d-------- c:\windows\system32\en
2008-10-15 18:38 . 2008-10-29 15:26 <DIR> d-------- c:\windows\system32\bits
2008-10-15 18:38 . 2008-10-29 15:26 <DIR> d-------- c:\windows\l2schemas
2008-10-15 18:23 . 2006-09-23 14:12 1,022,976 --a------ c:\windows\system32\SETA0B.tmp
2008-10-15 18:22 . 2008-08-14 03:09 2,145,280 --a------ c:\windows\system32\ntoskrnl.exe
2008-10-15 16:09 . 2008-10-15 16:09 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Motive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-12 00:29 --------- d-----w c:\program files\Symantec AntiVirus
2008-11-10 22:05 --------- d-----w c:\program files\DivX
2008-11-10 22:03 --------- d-----w c:\program files\Java
2008-11-10 01:37 --------- d-----w c:\program files\Microsoft Plus! Digital Media Edition
2008-11-10 01:35 --------- d-----w c:\program files\Microsoft Works
2008-11-08 02:37 90,112 ----a-w c:\windows\DUMP3a98.tmp
2008-11-08 01:26 30 ----a-w c:\documents and settings\Administrator\jagex_runescape_preferences.dat
2008-10-29 22:11 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-29 22:11 --------- d-----w c:\program files\ATI Technologies
2008-10-25 01:16 --------- d-----w c:\documents and settings\Administrator\Application Data\Move Networks
2008-10-16 22:05 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-10-16 01:06 --------- d-----w c:\program files\Google
2008-09-28 22:59 --------- d-----w c:\program files\Common Files\AOL
2008-09-22 21:29 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2008-09-22 21:29 --------- d-----w c:\documents and settings\Administrator\Application Data\acccore
2008-09-22 21:27 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-09-17 01:24 --------- d-----w c:\documents and settings\Administrator\Application Data\Vso
2007-12-28 00:53 79,738 ----a-w c:\documents and settings\Fonts\broken_ghost.zip
2007-11-23 01:25 81,920 ----a-w c:\documents and settings\Administrator\Application Data\ezpinst.exe
2007-11-23 01:25 47,360 ----a-w c:\documents and settings\Administrator\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2005-03-08 910336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-04 50176]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-10-02 118784]
"CamMonitor"="c:\program files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 90112]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 483328]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-12-17 151597]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 139264]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-23 85696]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-05 c:\windows\system32\Ati2mdxx.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-22 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 CX88XBAR;Conexant 2388x Crossbar Dual Input;c:\windows\system32\drivers\CX88XBARDUAL.sys [2003-12-10 7040]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-11 17:26:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Photodex\ProShowGold\scsiaccess.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Updates from HP\137903\Program\BackWeb-137903.exe
c:\windows\system32\hpzipm12.exe
.
**************************************************************************
.
Completion time: 2008-11-11 17:34:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-12 00:34:22
ComboFix2.txt 2008-11-11 18:47:44

Pre-Run: 89,064,681,472 bytes free
Post-Run: 89,055,629,312 bytes free

239 --- E O F --- 2008-10-30 03:01:59
Copyright ©2006 - 2009 Computer Juice.