Virus and Pop Up Issues

system · 2007-12-08T21:08:54.000Z

Thank you for making things easier for me Oldman, appreciated. Hope this is what you are looking for. In my last two rebootings, I have not had any files or links missing when opening. And I also am not getting pop ups, so far!!!

ComboFix 07-12-07.3 - Owner 2007-12-07 21:05:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.134 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\abW9
C:\WINDOWS\cookies.ini
C:\WINDOWS\ms042771381691.exe
C:\WINDOWS\system32\bccdd.ini
C:\WINDOWS\system32\bccdd.ini2
C:\WINDOWS\system32\ddccb.dll
C:\WINDOWS\system32\ldcore.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rev1
C:\WINDOWS\system32\rMa02yy
C:\WINDOWS\system32\t21
C:\WINDOWS\system32\v2
D:\Autorun.inf

system · 2007-12-08T21:09:54.000Z

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE

((((((((((((((((((((((((( Files Created from 2007-11-08 to 2007-12-08 )))))))))))))))))))))))))))))))
.

2007-12-07 18:22 . 2007-12-07 18:22 d-------- C:\Deckard
2007-12-07 16:49 . 2007-12-07 16:49 d-------- C:\Program Files\Trend Micro
2007-12-06 23:10 . 2007-12-07 05:41 832,875 --ahs---- C:\WINDOWS\system32\ioftvujv.ini
2007-12-06 23:02 . 2007-12-06 23:34 d-------- C:\Program Files\XoftSpySE
2007-12-05 09:02 . 2007-12-05 09:02 d-------- C:\Program Files\Windows Defender
2007-12-04 19:03 . 2007-12-06 07:50 804,720 --ahs---- C:\WINDOWS\system32\oyypgmcg.ini
2007-12-03 17:39 . 2007-12-03 17:40 d-------- C:\WINDOWS\system32\bmv2
2007-12-03 17:29 . 2007-12-03 17:29 d-------- C:\WINDOWS\system32\daSgo06
2007-12-03 17:29 . 2007-12-03 17:33 d-------- C:\temp\bkR11
2007-12-03 17:23 . 2007-12-03 16:28 801,367 --ahs---- C:\WINDOWS\system32\npmfetef.ini
2007-12-03 16:08 . 2007-12-03 16:08 801,367 --ahs---- C:\WINDOWS\system32\npmfetef.tmp
2007-12-03 13:32 . 2007-12-03 08:42 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2007-12-02 14:29 . 2007-12-03 14:32 801,306 --ahs---- C:\WINDOWS\system32\pqpycxtv.ini
2007-12-01 14:42 . 2007-12-01 21:01 800,861 --ahs---- C:\WINDOWS\system32\tedqcoyv.ini
2007-11-30 14:31 . 2007-12-01 07:35 800,768 --ahs---- C:\WINDOWS\system32\evseffuq.ini
2007-11-30 10:46 . 2007-11-30 10:46 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-30 10:45 . 2007-12-07 21:15 d-------- C:\Program Files\SUPERAntiSpyware
2007-11-30 10:45 . 2007-11-30 10:45 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-30 10:45 . 2007-11-30 10:45 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-11-30 08:49 . 2007-11-30 13:10 800,570 --ahs---- C:\WINDOWS\system32\oclyfepm.ini
2007-11-29 08:45 . 2007-11-30 07:48 793,760 --ahs---- C:\WINDOWS\system32\poxvlnmh.ini
2007-11-28 18:52 . 2007-11-29 08:41 789,960 --ahs---- C:\WINDOWS\system32\fmwokixo.ini

system · 2007-12-08T21:10:55.000Z

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-05 05:33 --------- d-----w C:\Program Files\Yahoo!
2007-12-05 05:33 --------- d-----w C:\Program Files\Common Files\Scanner
2007-12-03 18:47 --------- d-----w C:\Program Files\Google
2007-12-03 07:05 --------- d-----w C:\Program Files\IncrediGames
2007-12-02 22:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-29 14:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-25 01:13 --------- d-----w C:\Program Files\Microsoft Home Publishing 2000
2007-11-07 20:33 --------- d-----w C:\Program Files\Microsoft Picture It! 7
2007-10-27 02:34 --------- d—a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-12 18:52 53,248 ----a-w C:\WINDOWS\hg173.exe

system · 2007-12-08T21:11:53.000Z

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{24A41A0B-4D59-4FA3-86F6-A5EE3C482313}]
C:\Program Files\Windows NT\mevojuliC:\WINDOWS\system32\v2\swdrv83122.exe.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{62179339-1920-4AED-A272-A889231DE4A5}]
C:\Program Files\Windows NT\mevojuliC:\DOCUME~1\Owner\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 00:56]
“DW4”=“”
“SUPERAntiSpyware”=“C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe” [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-09-06 03:06]
“TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [2005-12-06 05:43]
“FLMOFFICE4DMOUSE”=“C:\Program Files\Micro Innovations\Wireless Optical Mouse\mouse32a.exe” [2006-06-21 19:30]
“HP Software Update”=“C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [2006-02-19 02:41]
“QuickFinder Scheduler”=“c:\Corel\Office7\Shared\QFinder7\QFSCHED.EXE” [1996-10-16 00:02]
“RCSystemTray”=“C:\Program Files\Registry Cleaner\RCSystemTray.exe” [2006-11-28 15:18]
“KBD”=“C:\HP\KBD\KBD.EXE” [2005-02-02 16:44]
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2007-02-17 13:58]
“NI.UGDC_0001_N122M2610”=“c:\documents and settings\owner\application data\installer_en[1].exe”
“TMT”=“C:\WINDOWS\Gwang.exe”
“64ced7fd”=“C:\WINDOWS\system32\vjuvtfoi.dll”
“Windows Defender”=“C:\Program Files\Windows Defender\MSASCui.exe” [2006-11-03 19:20]

system · 2007-12-08T21:12:35.000Z

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
PerfectPrint.LNK - C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE [2006-11-17 12:51:26]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
Instant Update.lnk - C:\Program Files\U.S. Robotics\Instant Update\InstUpDt.exe [2007-09-12 12:00:22]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
2007-09-06 03:06 79224 --a------ C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
C:\Program Files\BearShare\BearShare.exe /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 00:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
1999-10-10 10:00 41984 -----c— C:\WINDOWS\CTRegRun.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
2005-11-07 15:49 601200 --a------ C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2003-03-27 02:34 172032 --a–c— C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-07 17:04 52736 --a–c— c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2005-02-02 16:44 61440 --a------ C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2003-09-12 20:13 98304 --a–c— C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2003-11-03 17:50 221184 --a–c— C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2004-01-26 03:24 32881 --a–c— C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
2003-10-29 10:17 135168 --a–c— C:\Program Files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinMX]
C:\Program Files\WinMX\WinMX.exe -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XoftSpy]
C:\Program Files\XoftSpy\XoftSpy.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

R1 UdfReadr;UdfReadr;C:\WINDOWS\system32\drivers\UdfReadr.sys
S3 SNDP610;Dual Mode Camera;C:\WINDOWS\system32\DRIVERS\sndp610.sys

system · 2007-12-08T21:13:19.000Z

Contents of the ‘Scheduled Tasks’ folder
“2007-12-07 23:30:03 C:\WINDOWS\Tasks\MP Scheduled Scan.job”

C:\Program Files\Windows Defender\MpCmdRun.exe
“2005-04-15 21:04:29 C:\WINDOWS\Tasks\XoftSpy.job”
C:\Program Files\XoftSpy\XoftSpy.exe
.

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-07 21:15:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

.
Completion time: 2007-12-07 21:16:57 - machine was rebooted
.
— E O F —

system · 2007-12-08T21:18:05.000Z

Rescanned HJT again:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:05 PM, on 12/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Micro Innovations\Wireless Optical Mouse\mouse32a.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Registry Cleaner\RCSystemTray.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\U.S. Robotics\Instant Update\InstUpDt.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

system · 2007-12-08T21:18:46.000Z

–
End of file - 9081 bytes

oldman960 · 2007-12-08T21:31:15.000Z

Looking better, but I need a new DSS log. (Deckards)

system · 2007-12-08T21:46:45.000Z

Deckard’s System Scanner v20071014.68
Run by Owner on 2007-12-08 14:44:53
Computer is in Normal Mode.

Total Physical Memory: 448 MiB (512 MiB recommended).

– HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:44:55 PM, on 12/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

system · 2007-12-08T21:47:22.000Z

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Micro Innovations\Wireless Optical Mouse\mouse32a.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Registry Cleaner\RCSystemTray.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\U.S. Robotics\Instant Update\InstUpDt.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

system · 2007-12-08T21:47:55.000Z

–
End of file - 9169 bytes

system · 2007-12-08T21:48:45.000Z

– Files created between 2007-11-08 and 2007-12-08 -----------------------------

2007-12-07 16:49:09 0 d-------- C:\Program Files\Trend Micro
2007-12-06 23:02:02 0 d-------- C:\Program Files\XoftSpySE
2007-12-05 09:02:41 0 d-------- C:\Program Files\Windows Defender
2007-12-03 13:32:44 23600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
2007-11-30 10:46:06 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-30 10:45:41 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-11-30 10:45:41 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-11-30 10:45:02 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard

– Find3M Report ---------------------------------------------------------------

2007-12-08 12:09:09 18 --a------ C:\AUTOEXEC.BAT
2007-12-05 11:57:30 0 d-------- C:\Program Files\Common Files
2007-12-04 22:33:26 0 d-------- C:\Program Files\Yahoo!
2007-12-04 22:33:23 0 d-------- C:\Program Files\Common Files\Scanner
2007-12-03 11:47:29 0 d-------- C:\Program Files\Google
2007-12-03 00:09:39 0 d-------- C:\Program Files\MSN Gaming Zone
2007-12-03 00:05:14 0 d-------- C:\Program Files\IncrediGames
2007-11-24 18:13:41 0 d-------- C:\Program Files\Microsoft Home Publishing 2000
2007-11-07 13:33:46 0 d-------- C:\Program Files\Microsoft Picture It! 7

– Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{24A41A0B-4D59-4FA3-86F6-A5EE3C482313}]
C:\Program Files\Windows NT\mevojuliC:\WINDOWS\system32\v2\swdrv83122.exe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [09/06/2007 03:06 AM]
“TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [12/06/2005 05:43 AM]
“FLMOFFICE4DMOUSE”=“C:\Program Files\Micro Innovations\Wireless Optical Mouse\mouse32a.exe” [06/21/2006 07:30 PM]
“HP Software Update”=“C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [02/19/2006 02:41 AM]
“RCSystemTray”=“C:\Program Files\Registry Cleaner\RCSystemTray.exe” [11/28/2006 03:18 PM]
“KBD”=“C:\HP\KBD\KBD.EXE” [02/02/2005 04:44 PM]
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [02/17/2007 01:58 PM]
“Windows Defender”=“C:\Program Files\Windows Defender\MSASCui.exe” [11/03/2006 07:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [08/04/2004 12:56 AM]
“DW4”=“”
“SUPERAntiSpyware”=“C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe” [06/21/2007 02:06 PM]

essexboy · 2007-12-08T21:48:58.000Z

O2 - BHO: (no name) - {24A41A0B-4D59-4FA3-86F6-A5EE3C482313} - C:\Program Files\Windows NT\mevojuliC:\WINDOWS\system32\v2\swdrv83122.exe.dll (file missing)

This little beastie need to go …Never did like double extensions

system · 2007-12-08T21:50:00.000Z

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 9:05:26 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2/19/2006 4:21:22 AM]
Instant Update.lnk - C:\Program Files\U.S. Robotics\Instant Update\InstUpDt.exe [9/12/2007 12:00:22 PM]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2/13/2004 2:12:08 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@=“Service”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@=“Volume shadow copy”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

system · 2007-12-08T21:51:00.000Z

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
“C:\Program Files\BearShare\BearShare.exe” /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
C:\WINDOWS\CTRegRun.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
“C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
“C:\Program Files\QuickTime\qttask.exe” -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
C:\Program Files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
“C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe” /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinMX]
C:\Program Files\WinMX\WinMX.exe -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XoftSpy]
C:\Program Files\XoftSpy\XoftSpy.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
“C:\Program Files\Yahoo!\Messenger\ypager.exe” -quiet

– End of Deckard’s System Scanner: finished at 2007-12-08 14:45:17 ------------

oldman960 · 2007-12-08T22:00:03.000Z

Open HJT and run a system scan only, place a check mark next to the following line(s)

O2 - BHO: (no name) - {24A41A0B-4D59-4FA3-86F6-A5EE3C482313} - C:\Program Files\Windows NT\mevojuliC:\WINDOWS\system32\v2\swdrv83122.exe.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)

Please submit the following to virustotal. I’m not certain what they are.

To submit a file to virustotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\system32\ioftvujv.ini
C:\WINDOWS\system32\npmfetef.tmp

scroll down a bit and click “send file”, wait for the results and post then in your next reply.

oldman960 · 2007-12-08T22:37:36.000Z

Ok, I got confirmation that they are bad files. We’ll run a new combofix fix to make sure they are gone for sure.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File:: C:\WINDOWS\system32\fmwokixo.ini C:\WINDOWS\system32\poxvlnmh.ini C:\WINDOWS\system32\oclyfepm.ini C:\WINDOWS\system32\evseffuq.ini C:\WINDOWS\system32\tedqcoyv.ini C:\WINDOWS\system32\npmfetef.tmp C:\WINDOWS\system32\npmfetef.ini C:\WINDOWS\system32\oyypgmcg.ini C:\WINDOWS\system32\ioftvujv.ini

This will start ComboFix again.Close all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DSS log.

One more line to fix in HJT

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)

system · 2007-12-09T02:13:04.000Z

this is marians daughter to tell u that her modem died. Everything seems to be working fine, will continue when her satallite gets installed sometime next. Hopefully. Thank you

oldman960 · 2007-12-09T02:18:16.000Z

Ok, thanks for letting me know. I’’ be lookin for her. We are sooo close to being clean, I’d hate to loose it now.

If you could talk her through clearing out the old restore points, it would help.

I’ll post the instuctions here

Go to Start - All Programs - Accessories - System Tools System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point , click create

Remove old restore points

Disk Cleanup

Go to Start - All Programs - Accessories, Launch the Disk Cleanup tool let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

Announcements