Sequence of Sad Events:
-1/31/08 I was alerted by Avast that a virus was encountered - I was browsing sites offering backgrounds for websites.
-The infected file was placed in Avast Chest as directed by Avast.
-Symptoms: Pop-ups every few minutes (pop-up blocker is on).
-After more alerts were encountered, I deleted files from the chest - hoping that would help. It didn’t.
-Avast tells me it’s a Trojan Horse - Win32:TRATBHO[trj].
-The infected files seem to be in System Volume Information or in System32.
-Another website suggested deleting infected files directly from System32 (scary) - some would delete, others would not (file being used by another process).
-Ran Avast scanner multiple times - sometimes it found infected files, other times it completed the scan and reported nothing infected.
-The pop-ups continue…
-Followed instructions from another website for clean-up/repair of TRATBHO[trj]:
-Ran: VundoFix, WinPFind35u, & ComboFix; encountered problems and did not run dss as recommended.
-The pop-ups continue…
-System ‘seems’ to be OK except for the pop-ups.
-Ran Avast scanner again (the log is pasted below).
-Joined this forum hoping to get some help. Afraid of doing more harm than good by running fix utilities.
-I am soooo confused and out of options - please help if you can.
-And - the pop-ups continue…
Hi, please delete the copy of ComboFix you have now and download a new one.
Download ComboFix from Here or Here to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix’s window while it’s running. That may cause it to stall.
You will also need this:
Click here to download HJTsetup.exe
- Save HJTsetup.exe to your desktop.
- Doubleclick on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
- Put a check by Create a desktop icon then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
- Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
- Come back here to this thread and Paste the log in your next reply.
- DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Part 1
ComboFix 08-02.05.3 - Irv 2008-02-05 21:29:30.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.136 [GMT -8:00]
Running from: C:\Documents and Settings\Irv\Desktop\ComboFix.exe
- Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\HPZipr122.sys
C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\HPZipr122.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_HPZIPR122
-------\HPZipr122
((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.
2008-02-04 18:35 . 2008-02-05 21:38 2,148 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
2008-02-04 17:57 . 2008-02-05 08:11 d-------- C:\VundoFix Backups
2008-02-02 14:48 . 2008-02-02 14:48 36,864 --a------ C:\WINDOWS\17PHolmes572.exe
2008-02-01 23:53 . 2008-02-01 23:53 2 --a------ C:\WINDOWS\msoffice.ini
2008-02-01 22:57 . 2008-02-01 22:57 d-------- C:\WINDOWS\SYSTEM32\5A595B5B6160
2008-01-31 22:27 . 2008-01-31 22:28 d-------- C:\Program Files\Dot1XCfg
2008-01-31 22:26 . 2008-01-31 22:26 d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-01-31 22:25 . 2008-01-31 22:25 d-------- C:\WINDOWS\SYSTEM32\lis6
2008-01-31 22:25 . 2008-01-31 22:25 d-------- C:\WINDOWS\SYSTEM32\kps5
2008-01-31 22:25 . 2008-01-31 22:25 d-------- C:\WINDOWS\SYSTEM32\hs9
2008-01-31 22:24 . 2008-01-31 22:25 d-------- C:\WINDOWS\SYSTEM32\tip4
2008-01-31 22:24 . 2008-01-31 22:27 36,864 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-01-31 22:23 . 2008-01-31 22:23 d-------- C:\WINDOWS\SYSTEM32\nGpxx01
2008-01-31 22:23 . 2008-02-05 21:33 d-------- C:\Temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 07:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-02 07:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-02 07:53 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-02 06:28 --------- d-----w C:\Program Files\Microsoft Works
2008-01-28 23:25 --------- d-----w C:\Documents and Settings\Irv\Application Data\Road Runner
2008-01-25 15:53 --------- d-----w C:\Program Files\Apple Software Update
2008-01-05 08:06 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-03 18:09 --------- d-----w C:\Program Files\Microsoft LifeCam
2008-01-03 18:03 --------- d-----w C:\Program Files\Windows Live
2008-01-03 18:02 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-03 17:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-08 04:45 11,227,616 ----a-w C:\Program Files\setup-ya07mailt.exe
2007-09-14 22:55 7,028,144 ----a-w C:\Documents and Settings\Jay\medic6.exe
2007-08-21 15:18 7,028,144 ----a-w C:\Documents and Settings\Irv\medic6.exe
2006-09-17 18:47 316 ---ha-w C:\Documents and Settings\Irv\hpothb07.dat
2006-07-21 22:20 21,290,704 ----a-w C:\Program Files\AdbeRdr708_en_US.exe
2005-05-20 17:22 158 ---ha-w C:\Documents and Settings\Jay\hpothb07.dat
Combo Part II
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE~\Browser Helper Objects{35BE4390-458B-40C2-BA2F-8DADE4F26D4B}]
C:\WINDOWS\system32\mllji.dll
[HKEY_LOCAL_MACHINE~\Browser Helper Objects{623C920E-E83B-43CA-A0FE-6A32092A5EF6}]
C:\Program Files\Windows NT\hoqewixejC:\WINDOWS\system32\lis6\lenamd83122.exe.dll
[HKEY_LOCAL_MACHINE~\Browser Helper Objects{A7F95749-F23A-4064-8FEF-B73F4D567112}]
C:\WINDOWS\system32\vtsqq.dll
[HKEY_LOCAL_MACHINE~\Browser Helper Objects{FE5416C3-DE3A-48F6-B403-FF0D2DDBD4F8}]
C:\Program Files\Windows NT\hoqewixejC:\DOCUME~1\Irv\LOCALS~1\Temp\mst455101.exe.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"=""
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"Road Runner PhotoShow Media Manager"="C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe" [2006-01-06 17:56 245760]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 17:05 143360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-05 11:40 68856]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 23:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 23:44 126976]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-05 22:04 114741]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-12 22:01 155648]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 07:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 16:47 204800]
"SBC Yahoo! Connection Manager"="C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe" [2003-07-14 11:55 1028096]
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 11:30 98304]
"MEDIC"="C:\Program Files\MEDIC\bin\sprtcmd.exe" [2006-07-06 07:45 192512]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 19:15 271672]
"medicsp2"="C:\Program Files\twc\medicsp2\bin\sprtcmd.exe" [2007-03-07 10:53 198184]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-10 10:07 185632]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 13:45 279912]
"SM_IAN"="C:\Program Files\AdvancedCleaner Free\ian_monitor.exe"
"09080A0A100F09"="020103030908.exe"
C:\Documents and Settings\Jay\Start Menu\Programs\Startup
PowerReg Scheduler V3.exe [2004-05-02 08:01:28 225280]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 01:12:18 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 00:06:58 28672]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2005-10-22 08:34:55 118784]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-04-05 23:37:38 147456]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-08-28 12:09:10 54512]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 04:47]
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-05-17 13:45]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 03:40]
R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);C:\Program Files\twc\medicsp2\bin\sprtsvc.exe /service
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]
R3 MSHUSBVideo;NX6000/NX3000/VX7000 Filter Driver;C:\WINDOWS\system32\Drivers\nx6000.sys [2007-04-12 13:46]
.
Contents of the 'Scheduled Tasks' folder
"2008-01-31 15:51:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 21:38:38
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
.
.
Completion time: 2008-02-05 21:41:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-06 05:41:48
ComboFix2.txt 2008-02-05 04:32:07
.
2008-02-02 18:40:21 --- E O F ---
HJT Log Pt I:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:14 PM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\MEDIC\bin\sprtcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\twc\medicsp2\bin\sprtcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Irv\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.mailaka.net/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35BE4390-458B-40C2-BA2F-8DADE4F26D4B} - C:\WINDOWS\system32\mllji.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {623C920E-E83B-43CA-A0FE-6A32092A5EF6} - C:\Program Files\Windows NT\hoqewixejC:\WINDOWS\system32\lis6\lenamd83122.exe.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: (no name) - {A7F95749-F23A-4064-8FEF-B73F4D567112} - C:\WINDOWS\system32\vtsqq.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FE5416C3-DE3A-48F6-B403-FF0D2DDBD4F8} - C:\Program Files\Windows NT\hoqewixejC:\DOCUME~1\Irv\LOCALS~1\Temp\mst455101.exe.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
HJT Log Pt 2
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM..\Run: [MEDIC] "C:\Program Files\MEDIC\bin\sprtcmd.exe" /P MEDIC
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM..\Run: [medicsp2] C:\Program Files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM..\Run: [lifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM..\Run: [SM_IAN] C:\Program Files\AdvancedCleaner Free\ian_monitor.exe
O4 - HKLM..\Run: [09080A0A100F09] 020103030908.exe
O4 - HKCU..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [Road Runner PhotoShow Media Manager] C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://my.sigue.com/sigue/cds/ICAWEB/en/ica32/ica32t.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://xmlsweb.socalmls.com/XMLSearch/XMLCache.CAB
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - http://ml.sitexdata.com/farm/arview2.cab
O16 - DPF: {EBC1356E-7D5E-44EC-831D-847882F06FE5} (Gateway Client for MetaFrame) - https://my.sigue.com/sigue/cds/CGC/en/CSGProxy.cab
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 12404 bytes
Whew :-\
Go to add/remove programs and uninstall these programs if found
Rabio
Cool
Open HJT, run a system scan only, check mark these lines if present
O2 - BHO: (no name) - {35BE4390-458B-40C2-BA2F-8DADE4F26D4B} - C:\WINDOWS\system32\mllji.dll (file missing)
O2 - BHO: (no name) - {623C920E-E83B-43CA-A0FE-6A32092A5EF6} - C:\Program Files\Windows NT\hoqewixejC:\WINDOWS\system32\lis6\lenamd83122.exe.dll (file missing)
O2 - BHO: (no name) - {A7F95749-F23A-4064-8FEF-B73F4D567112} - C:\WINDOWS\system32\vtsqq.dll (file missing)
O2 - BHO: (no name) - {FE5416C3-DE3A-48F6-B403-FF0D2DDBD4F8} - C:\Program Files\Windows NT\hoqewixejC:\DOCUME~1\Irv\LOCALS~1\Temp\mst455101.exe.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
Close all other browsers/windows, click fix, close HJT.
Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.
Copy and paste all the text in the quote box below into Notepad.
Click File, Save as…, set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt”. Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.
File::
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\mrofinu572.exe.tmp
Folder::
C:\WINDOWS\SYSTEM32\lis6
C:\WINDOWS\SYSTEM32\kps5
C:\WINDOWS\SYSTEM32\hs9
C:\WINDOWS\SYSTEM32\tip4
C:\WINDOWS\SYSTEM32\nGpxx01
C:\Documents and Settings\All Users\Application Data\Rabio
DirLook::
C:\WINDOWS\SYSTEM32\5A595B5B6160
This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.
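As an added example for this thread (not code from the thread, from HijackThis or from ComboFix), the Python below parses O2/O3/O4 lines in the HijackThis log format posted above and flags the traits the reply used to pick lines for fixing: an unnamed BHO or toolbar, a backing file that is missing, a path with a second drive root glued into it, and a Run value that launches a bare file name under a random-looking hex name. The sample excerpt is constructed from the posted log, and the hex-name and bare-file-name heuristics are assumptions of this example, not HijackThis rules.

```python
"""Triage HijackThis (HJT) log lines the way the reply above does by hand."""
import re

# Constructed excerpt in the shape of the HJT log posted above (not the full log).
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35BE4390-458B-40C2-BA2F-8DADE4F26D4B} - C:\WINDOWS\system32\mllji.dll (file missing)
O2 - BHO: (no name) - {623C920E-E83B-43CA-A0FE-6A32092A5EF6} - C:\Program Files\Windows NT\hoqewixejC:\WINDOWS\system32\lis6\lenamd83122.exe.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM..\Run: [09080A0A100F09] 020103030908.exe
O4 - HKLM..\Run: [SM_IAN] C:\Program Files\AdvancedCleaner Free\ian_monitor.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
""".strip()

# O2 (BHO) and O3 (toolbar) lines: "<name> - {CLSID} - <path or status>"
BHO_RE = re.compile(
    r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)
# O4 Run-key lines: "O4 - HKLM..\Run: [<value name>] <command>"
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
# Heuristic (assumption of this example): a value name that is just a long hex run.
HEX_NAME_RE = re.compile(r"[0-9A-F]{10,}")
# A drive root such as "C:\" appearing inside a path means two paths were glued together.
DRIVE_ROOT_RE = re.compile(r"[A-Za-z]:\\")


def first_token(cmd):
    """Return the executable part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage_line(line):
    """Reasons an O2/O3/O4 line deserves a look; an empty list means nothing was noted."""
    reasons = []
    m = BHO_RE.match(line)
    if m:
        if m["name"] == "(no name)":
            reasons.append("no name")
        if m["path"] == "(no file)" or m["path"].endswith("(file missing)"):
            reasons.append("backing file missing")
        if DRIVE_ROOT_RE.search(m["path"][3:]):  # skip the path's own leading "C:\"
            reasons.append("second drive root inside path")
        return reasons
    m = RUN_RE.match(line)
    if m:
        if "\\" not in first_token(m["cmd"]):
            reasons.append("bare file name, no directory")
        if HEX_NAME_RE.fullmatch(m["key"]):
            reasons.append("random-looking hex value name")
    return reasons


def triage_log(text):
    """Return (line number, line, reasons) for every flagged line of an HJT log."""
    flagged = []
    for n, line in enumerate(text.splitlines(), start=1):
        reasons = triage_line(line.rstrip())
        if reasons:
            flagged.append((n, line.rstrip(), reasons))
    return flagged


def hjt_fix_candidates(text):
    """O2/O3 lines that are both unnamed and file-less: the ones the reply marks for fix."""
    return [line for _, line, reasons in triage_log(text)
            if "no name" in reasons and "backing file missing" in reasons]


if __name__ == "__main__":
    for n, line, reasons in triage_log(SAMPLE_HJT_LOG):
        print(f"line {n}: {', '.join(reasons)}\n    {line}")
```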
ComboFix Log (again)
ComboFix 08-02.05.3 - Irv 2008-02-05 23:26:38.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.164 [GMT -8:00]
Running from: C:\Documents and Settings\Irv\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Irv\Desktop\CFscript.txt
- Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\mrofinu572.exe.tmp
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Rabio
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\SYSTEM32\hs9
C:\WINDOWS\SYSTEM32\hs9\corab2130.exe
C:\WINDOWS\SYSTEM32\kps5
C:\WINDOWS\SYSTEM32\kps5\covstadcom7.exe
C:\WINDOWS\SYSTEM32\lis6
C:\WINDOWS\SYSTEM32\lis6\lenamd83122.exe
C:\WINDOWS\SYSTEM32\nGpxx01
C:\WINDOWS\SYSTEM32\nGpxx01\nGpxx011065.exe
C:\WINDOWS\SYSTEM32\tip4
.
((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.
2008-02-05 21:28 . 2004-08-03 23:56 388,608 --a------ C:\kmd.exe
2008-02-04 18:35 . 2008-02-05 21:38 2,148 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
2008-02-04 17:57 . 2008-02-05 08:11 d-------- C:\VundoFix Backups
2008-02-01 23:53 . 2008-02-01 23:53 2 --a------ C:\WINDOWS\msoffice.ini
2008-02-01 22:57 . 2008-02-01 22:57 d-------- C:\WINDOWS\SYSTEM32\5A595B5B6160
2008-01-31 22:27 . 2008-01-31 22:28 d-------- C:\Program Files\Dot1XCfg
2008-01-31 22:23 . 2008-02-05 21:33 d-------- C:\Temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 07:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-02 07:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-02 07:53 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-02 06:28 --------- d-----w C:\Program Files\Microsoft Works
2008-01-28 23:25 --------- d-----w C:\Documents and Settings\Irv\Application Data\Road Runner
2008-01-25 15:53 --------- d-----w C:\Program Files\Apple Software Update
2008-01-05 08:06 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-03 18:09 --------- d-----w C:\Program Files\Microsoft LifeCam
2008-01-03 18:03 --------- d-----w C:\Program Files\Windows Live
2008-01-03 18:02 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-03 17:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\SYSTEM32\AVASTSS.scr
2007-11-08 04:45 11,227,616 ----a-w C:\Program Files\setup-ya07mailt.exe
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
2007-09-14 22:55 7,028,144 ----a-w C:\Documents and Settings\Jay\medic6.exe
2007-08-21 15:18 7,028,144 ----a-w C:\Documents and Settings\Irv\medic6.exe
2006-09-17 18:47 316 ---ha-w C:\Documents and Settings\Irv\hpothb07.dat
2006-07-21 22:20 21,290,704 ----a-w C:\Program Files\AdbeRdr708_en_US.exe
2005-05-20 17:22 158 ---ha-w C:\Documents and Settings\Jay\hpothb07.dat
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\WINDOWS\SYSTEM32\5A595B5B6160 ----
2008-02-04 17:53 58 --a------ C:\WINDOWS\SYSTEM32\5A595B5B6160\6A696B6B7170
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"=""
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"Road Runner PhotoShow Media Manager"="C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe" [2006-01-06 17:56 245760]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 17:05 143360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-05 11:40 68856]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 23:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 23:44 126976]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-05 22:04 114741]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-12 22:01 155648]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 07:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 16:47 204800]
"SBC Yahoo! Connection Manager"="C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe" [2003-07-14 11:55 1028096]
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 11:30 98304]
"MEDIC"="C:\Program Files\MEDIC\bin\sprtcmd.exe" [2006-07-06 07:45 192512]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 19:15 271672]
"medicsp2"="C:\Program Files\twc\medicsp2\bin\sprtcmd.exe" [2007-03-07 10:53 198184]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-10 10:07 185632]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 13:45 279912]
"SM_IAN"="C:\Program Files\AdvancedCleaner Free\ian_monitor.exe"
"09080A0A100F09"="020103030908.exe"
C:\Documents and Settings\Jay\Start Menu\Programs\Startup
PowerReg Scheduler V3.exe [2004-05-02 08:01:28 225280]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 01:12:18 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 00:06:58 28672]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2005-10-22 08:34:55 118784]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-04-05 23:37:38 147456]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-08-28 12:09:10 54512]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 04:47]
R2 MSCamSvc;MSCamSvc;“C:\Program Files\Microsoft LifeCam\MSCamS32.exe” [2007-05-17 13:45]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 03:40]
R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);C:\Program Files\twc\medicsp2\bin\sprtsvc.exe /service
R2 Viewpoint Manager Service;Viewpoint Manager Service;“C:\Program Files\Viewpoint\Common\ViewpointService.exe” [2007-01-04 13:38]
R3 MSHUSBVideo;NX6000/NX3000/VX7000 Filter Driver;C:\WINDOWS\system32\Drivers\nx6000.sys [2007-04-12 13:46]
.
Contents of the ‘Scheduled Tasks’ folder
“2008-01-31 15:51:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job”
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 23:30:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
.
Completion time: 2008-02-05 23:30:57
ComboFix-quarantined-files.txt 2008-02-06 07:30:43
ComboFix2.txt 2008-02-06 05:41:53
ComboFix3.txt 2008-02-05 04:32:07
.
2008-02-02 18:40:21 --- E O F ---
HJT Log (again) Part 1
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:38 PM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\MEDIC\bin\sprtcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\twc\medicsp2\bin\sprtcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Irv\Desktop\HiJackThis.exe
HJT Log (again) Part 2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.mailaka.net/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM..\Run: [StorageGuard] “C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe” /r
O4 - HKLM..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM..\Run: [PCMService] “C:\Program Files\Dell\Media Experience\PCMService.exe”
O4 - HKLM..\Run: [SBC Yahoo! Connection Manager] “C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe”
O4 - HKLM..\Run: [IPInSightMonitor 01] “C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe”
O4 - HKLM..\Run: [MEDIC] “C:\Program Files\MEDIC\bin\sprtcmd.exe” /P MEDIC
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [medicsp2] C:\Program Files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [lifeCam] “C:\Program Files\Microsoft LifeCam\LifeExp.exe”
O4 - HKLM..\Run: [SM_IAN] C:\Program Files\AdvancedCleaner Free\ian_monitor.exe
O4 - HKLM..\Run: [09080A0A100F09] 020103030908.exe
O4 - HKCU..\Run: [msnmsgr] “C:\Program Files\Windows Live\Messenger\msnmsgr.exe” /background
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [Road Runner PhotoShow Media Manager] C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe”
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://my.sigue.com/sigue/cds/ICAWEB/en/ica32/ica32t.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://xmlsweb.socalmls.com/XMLSearch/XMLCache.CAB
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - http://ml.sitexdata.com/farm/arview2.cab
O16 - DPF: {EBC1356E-7D5E-44EC-831D-847882F06FE5} (Gateway Client for MetaFrame) - https://my.sigue.com/sigue/cds/CGC/en/CSGProxy.cab
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 11730 bytes
Whew (again) !!! :-\
Hi ‘WISE’ Oldman
Things are definitely looking better - no more pop-ups - so far
A question:
It seemed you had me check the files that had ‘no name’. I notice I still have one; is this guy a problem??? This is from the last HJT log, see below:
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
Please let me know - And many, many THANKS!!!
If I were you I would fix the following: the one you mentioned as an unnecessary (deactivated) entry that can be fixed, and, if you do not like unsolicited adware on your machine, also the Viewpoint BHO adware.
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Fire up HijackThis, tag the above, then fix by pressing Enter.
polonus
The O3 line you mentioned is an empty key. It is usually removed as a housekeeping item; that makes it easier to see the rest of the items. They are harmless.
The viewpoint toolbar, your choice. Let me know and we can deal with it if you want. (foistware, something you didn’t install.)
http://www.castlecops.com/o23list-2430.html
Please submit these files for analysis
To submit a file to VirusTotal, please click on this link
copy and paste the following into the upload a file box (one at a time if more than one file is listed)
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\WINDOWS\SYSTEM32\5A595B5B6160\6A696B6B7170
scroll down a bit and click “send file”, wait for the results and post them in your next reply.
You have a rogue that we will take care of.
Open HJT, run a system scan only, check mark these lines if present
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM..\Run: [SM_IAN] C:\Program Files\AdvancedCleaner Free\ian_monitor.exe
Close all other browsers/windows, click fix, close HJT.
Go to add/remove programs and uninstall this program
AdvancedCleaner Free
Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.
Copy and paste all the text in the quote box below into Notepad.
Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.
Folder:: C:\Program Files\AdvancedCleaner Free
This will start ComboFix again. Close all browsers/windows first.
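The advice in this thread amounts to a few rules of thumb for reading a HijackThis log: orphaned entries marked (no file) or (file missing) are housekeeping, Run entries with a bare filename or a machine-generated name deserve a second look, and services with no publisher should be verified. The script below is an added example, not part of the thread or of HijackThis/ComboFix; its heuristics are the editor's assumptions modelled on that advice, and the sample lines are copied from the log posted above.

```python
"""Heuristic triage of HijackThis log lines (added example, not HijackThis logic).

The rules are assumptions modelled on the helper's advice in this thread. They
do not replace research: SM_IAN / AdvancedCleaner Free was only recognised as
a rogue by a human, and nothing below flags it.
"""
from __future__ import annotations

import re

# Constructed sample: lines copied from the HijackThis log posted in the thread.
SAMPLE_HJT_LOG = [
    r"O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll",
    r"O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKLM\..\Run: [SM_IAN] C:\Program Files\AdvancedCleaner Free\ian_monitor.exe",
    r"O4 - HKLM\..\Run: [09080A0A100F09] 020103030908.exe",
    r"O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)",
    r"O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
]

ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Run-key entries: O4 - <hive>\..\Run: [<value name>] <target>
O4_RUN = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] ?(?P<target>.*)$")
# Services: O23 - Service: <display name> - <owner> - <path>
O23_SERVICE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
ABS_PATH = re.compile(r"^[A-Za-z]:\\")
HEX_BLOB = re.compile(r"^[0-9A-Fa-f]{8,}$")


def triage_line(line: str) -> list[str]:
    """Return the reasons one HJT line deserves a second look (empty if none)."""
    reasons: list[str] = []
    line = line.strip()

    # Entries whose target no longer exists: harmless, fixed as housekeeping.
    if any(marker in line for marker in ORPHAN_MARKERS):
        reasons.append("orphaned entry (target file missing): housekeeping fix")

    run = O4_RUN.match(line)
    if run:
        name = run.group("name")
        target = run.group("target").strip().strip('"')
        # Legitimate autostarts name their executable with a full path; a bare
        # filename is resolved through the search path and hides where it lives.
        if target and not ABS_PATH.match(target):
            reasons.append(f"Run entry '{name}' points at a bare filename: {target}")
        # Hex-looking value names are typical of machine-generated persistence.
        if HEX_BLOB.match(name):
            reasons.append(f"Run entry name '{name}' looks machine-generated")

    svc = O23_SERVICE.match(line)
    if svc and svc.group("owner").lower() == "unknown owner":
        reasons.append(f"service '{svc.group('name')}' has no publisher: verify the binary")

    return reasons


def triage_log(lines: list[str]) -> list[tuple[str, str]]:
    """Run triage_line over a whole log and return (line, reason) pairs."""
    return [(line, reason) for line in lines for reason in triage_line(line)]


if __name__ == "__main__":
    for flagged, why in triage_log(SAMPLE_HJT_LOG):
        print(f"{why}\n    {flagged}")
```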
Hi Oldman ~ glad UR back,
VirusTotal scans:
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
Results:
0 bytes size received / Se ha recibido un archivo vacio
C:\WINDOWS\SYSTEM32\5A595B5B6160\6A696B6B7170
Results:
File 6A696B6B7170 received on 02.07.2008 07:04:59 (CET)
Result: 0/32 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2008.2.6.10 2008.02.05 -
AntiVir 7.6.0.62 2008.02.06 -
Authentium 4.93.8 2008.02.06 -
Avast 4.7.1098.0 2008.02.06 -
AVG 7.5.0.516 2008.02.06 -
BitDefender 7.2 2008.02.07 -
CAT-QuickHeal 9.00 2008.02.04 -
ClamAV 0.92 2008.02.07 -
DrWeb 4.44.0.09170 2008.02.06 -
eSafe 7.0.15.0 2008.01.28 -
eTrust-Vet 31.3.5518 2008.02.07 -
Ewido 4.0 2008.02.06 -
FileAdvisor 1 2008.02.07 -
Fortinet 3.14.0.0 2008.02.06 -
F-Prot 4.4.2.54 2008.02.06 -
F-Secure 6.70.13260.0 2008.02.07 -
Ikarus T3.1.1.20 2008.02.07 -
Kaspersky 7.0.0.125 2008.02.07 -
McAfee 5224 2008.02.06 -
Microsoft 1.3204 2008.02.06 -
NOD32v2 2854 2008.02.06 -
Norman 5.80.02 2008.02.06 -
Panda 9.0.0.4 2008.02.07 -
Prevx1 V2 2008.02.07 -
Rising 20.29.22.00 2008.01.30 -
Sophos 4.26.0 2008.02.07 -
Sunbelt 2.2.907.0 2008.02.07 -
Symantec 10 2008.02.07 -
TheHacker 6.2.9.211 2008.02.06 -
VBA32 3.12.6.0 2008.02.07 -
VirusBuster 4.3.26:9 2008.02.06 -
Webwasher-Gateway 6.6.2 2008.02.07 -
Additional information
File size: 58 bytes
MD5: f3e57bdfa0b459d2ced6957c39404062
SHA1: 758d85e2ecab506061058d50514ec8a3b066fc4d
PEiD: -
Will now run HJT as directed…
Hi Oldman ~ Here’s my status,
Sent you results from Virustotal in the last post
Continued on
Ran HJT scan
Checked both items you indicated (no name & AdvancedCleaner)
Ran HJT fix - then closed HJT
Did not find AdvancedCleaner Free to uninstall???
(possibly removed by HJT???)
Continued on
Copied & pasted quote into ComboFix
Ran ComboFix
Do you want the log???
And - what about viewpoint? I’d rather just get rid of it
No, I don’t need the combofix log this time. It’s late here, I’ll put up the viewpoint instructions in the morning. We have one file to get rid of. We might as well do that now, before it causes problems.
Open HJT, run a system scan only, check mark these lines if present
O4 - HKCU..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
Close all other browsers/windows, click fix, close HJT.
Please download OTMoveIt2 by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
Return to OTMoveIt2, right click in the “Paste List of Files/Folders to be Moved” window (under the light blue bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
NOTE: If OTMoveIt2 reboots before you can get the results, they can be found here:
C:\_OTMoveIt\MovedFiles**_.log
(where “**_” is the “date_time”)
Here you go - results from OTMoveIt2
File/Folder C:\Program Files\Dot1XCfg\Dot1XCfg.exe not found.
OTMoveIt2 v1.0.18 log created on 02062008_232758
How are we doing???
- Right-click on the clock in your taskbar and choose Task Manager
- Click on the Processes tab and search for VIEWMGR.EXE, ViewpointService.exe or similar; if it's found, click on it and then click End Task to close it
- Click on Start, Control Panel, Add/Remove Programs
- Uninstall any of the following programs associated with Viewpoint:
Viewpoint Manager
Viewpoint Media Player
Viewpoint Toolbar
- Close Add/Remove Programs and Control Panel
- Open HJT, run a system scan only, check mark these lines if present:
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Close all other browsers/windows, click fix, close HJT.
- Restart your computer
Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.
Copy and paste all the text in the quote box below into Notepad.
Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.
Folder::
C:\Program Files\Viewpoint
C:\Program Files\Dot1XCfg
DirLook::
C:\Temp
This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.
Here we go again…
Here’s the Combofix text (part 1):
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Dot1XCfg
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream_0305000D.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentMgr_0305001C.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AtmoHWConfig.txt
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\atmosphere.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AvatarsDefault.prf
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\BlueStreak.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\BookmarksDefault.prf
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\DefaultAvatarIcon.jpg
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\DefaultWorldIcon.jpg
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\ExtremeShot.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\InternetChatHelp.url
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\LensFlares.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts2Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\ObjectMovie.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\ServiceComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VectorView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VETsdk.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMgr.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\ZoomView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents\atmosphere_Win\AtmoHWConfig.txt
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents\atmosphere_Win\AvatarsDefault.prf
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents\atmosphere_Win\BookmarksDefault.prf
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents\atmosphere_Win\DefaultAvatarIcon.jpg
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents\atmosphere_Win\DefaultWorldIcon.jpg
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents\atmosphere_Win\InternetChatHelp.url
C:\Program Files\Viewpoint\Viewpoint Media Player\DownLoadHist.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\HostRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\MTSDownloadSites.txt
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\AtmoHWConfig.txt
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\AvatarsDefault.prf
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\BookmarksDefault.prf
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\DefaultAvatarIcon.jpg
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\DefaultWorldIcon.jpg
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\InternetChatHelp.url
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.xpt
ComboFix text (Part 2)
.
((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.
2008-02-06 23:27 . 2008-02-06 23:27 d-------- C:\_OTMoveIt
2008-02-06 22:27 . 2004-08-03 23:56 388,608 --a------ C:\kmd.exe
2008-02-04 18:35 . 2008-02-07 16:56 2,148 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
2008-02-04 17:57 . 2008-02-05 08:11 d-------- C:\VundoFix Backups
2008-02-01 23:53 . 2008-02-01 23:53 2 --a------ C:\WINDOWS\msoffice.ini
2008-02-01 22:57 . 2008-02-01 22:57 d-------- C:\WINDOWS\SYSTEM32\5A595B5B6160
2008-01-31 22:23 . 2008-02-07 11:00 d-------- C:\Temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 00:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-07 19:00 --------- d-----w C:\Program Files\microsoft frontpage
2008-02-02 07:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-02 07:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-02 07:53 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-02 06:28 --------- d-----w C:\Program Files\Microsoft Works
2008-01-28 23:25 --------- d-----w C:\Documents and Settings\Irv\Application Data\Road Runner
2008-01-25 15:53 --------- d-----w C:\Program Files\Apple Software Update
2008-01-05 08:06 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-03 18:09 --------- d-----w C:\Program Files\Microsoft LifeCam
2008-01-03 18:03 --------- d-----w C:\Program Files\Windows Live
2008-01-03 18:02 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-03 17:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\SYSTEM32\AVASTSS.scr
2007-11-08 04:45 11,227,616 ----a-w C:\Program Files\setup-ya07mailt.exe
2007-09-14 22:55 7,028,144 ----a-w C:\Documents and Settings\Jay\medic6.exe
2007-08-21 15:18 7,028,144 ----a-w C:\Documents and Settings\Irv\medic6.exe
2006-09-17 18:47 316 ---ha-w C:\Documents and Settings\Irv\hpothb07.dat
2006-07-21 22:20 21,290,704 ----a-w C:\Program Files\AdbeRdr708_en_US.exe
2005-05-20 17:22 158 ---ha-w C:\Documents and Settings\Jay\hpothb07.dat
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\Temp ----
2008-02-07 11:41 420 --a------ C:\Temp\debug.txt
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Sonic RecordNow!”=“”
“msnmsgr”=“C:\Program Files\Windows Live\Messenger\msnmsgr.exe” [2007-10-18 11:34 5724184]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-03 23:56 15360]
“Road Runner PhotoShow Media Manager”=“C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe” [2006-01-06 17:56 245760]
“BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” [2006-12-23 17:05 143360]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-11-05 11:40 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“IgfxTray”=“C:\WINDOWS\system32\igfxtray.exe” [2005-06-21 23:48 155648]
“HotKeysCmds”=“C:\WINDOWS\system32\hkcmd.exe” [2005-06-21 23:44 126976]
“dla”=“C:\WINDOWS\system32\dla\tfswctrl.exe” [2003-08-05 22:04 114741]
“StorageGuard”=“C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe” [2003-02-12 22:01 155648]
“DVDSentry”=“C:\WINDOWS\System32\DSentry.exe” [2003-08-13 07:27 28672]
“PCMService”=“C:\Program Files\Dell\Media Experience\PCMService.exe” [2003-08-26 16:47 204800]
“SBC Yahoo! Connection Manager”=“C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe” [2003-07-14 11:55 1028096]
“IPInSightMonitor 01”=“C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe” [2003-07-14 11:30 98304]
“MEDIC”=“C:\Program Files\MEDIC\bin\sprtcmd.exe” [2006-07-06 07:45 192512]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 05:00 79224]
“NeroFilterCheck”=“C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [2006-01-12 14:40 155648]
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2007-06-29 05:24 286720]
“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [2007-08-15 19:15 271672]
“medicsp2”=“C:\Program Files\twc\medicsp2\bin\sprtcmd.exe” [2007-03-07 10:53 198184]
“TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [2007-09-10 10:07 185632]
“LifeCam”=“C:\Program Files\Microsoft LifeCam\LifeExp.exe” [2007-05-17 13:45 279912]
“09080A0A100F09”=“020103030908.exe”
C:\Documents and Settings\Jay\Start Menu\Programs\Startup
PowerReg Scheduler V3.exe [2004-05-02 08:01:28 225280]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 01:12:18 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 00:06:58 28672]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2005-10-22 08:34:55 118784]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-04-05 23:37:38 147456]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-08-28 12:09:10 54512]
R3 MSHUSBVideo;NX6000/NX3000/VX7000 Filter Driver;C:\WINDOWS\system32\Drivers\nx6000.sys [2007-04-12 13:46]
.
Contents of the ‘Scheduled Tasks’ folder
“2008-01-31 15:51:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job”
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 17:05:52
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
.
Completion time: 2008-02-07 17:06:55
ComboFix-quarantined-files.txt 2008-02-08 01:06:40
ComboFix2.txt 2008-02-07 06:38:49
ComboFix3.txt 2008-02-06 07:30:58
ComboFix4.txt 2008-02-06 05:41:53
ComboFix5.txt 2008-02-05 04:32:07
.
2008-02-02 18:40:21 --- E O F ---