Something's Wrong


This topic is locked
15 replies to this topic

#1 jamy1224


Posted 21 September 2007 - 09:44 PM

I can't get past my Windows XP logon screen; it blinks, moves icons around and eventually boots me out. Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:44 PM, on 9/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Act.Outlook.Service] "C:\Program Files\ACT\ACT for Windows\Act.Outlook.Service.exe"
O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\ACT for Windows\ActSage.exe" -preload
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKLM\..\RunOnce: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\IEXPLORE.EXE http://www.symantec.com/techsupp/servlet/P...000000D8.DMTemp
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: HomeNet Manager.lnk = C:\Program Files\SingleClick Systems\HomeNet Manager\ezi_hnm2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129773528234
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex.com/client/v_mywebex-ps...bex/ieatgpc.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...120/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 8439 bytes
I would appreciate any assistance.

Thx


#2 Grinler

    Lawrence Abrams
  • Admin

Posted 02 October 2007 - 11:07 AM

I assume you attempted to run sdfix on your own at one point?

Also did you specifically set it up so that Internet Explorer starts automatically when you login?

#3 jamy1224


Posted 05 October 2007 - 12:49 AM

I didn't use SDFix on my own; I was trying to get help from someone else who suggested that I run it, however they weren't able to help me.
As to the IE question, no I did not set it up to start automatically when I login.

#4 Grinler


Posted 05 October 2007 - 10:42 AM

Close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\IEXPLORE.EXE

Reboot your computer to go back to normal mode.

Then,
  • Download Combofix to your desktop.

  • Double-click combofix.exe

  • Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, and after reboot if it asks for one, ComboFix will open again to gather the necessary information for the log. This may take a while, so please be patient. When done, ComboFix will close and a log should open called combofix.txt.

Post the contents of this log in your next reply along with a new HijackThis log.

Please do not post the ComboFix-quarantined-files.txt unless I ask you to.
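As an added example, not part of this thread and not code from HijackThis, here is a small Python parser for the O4 autostart lines in a HijackThis log, run over a few lines copied from the log posted above. It applies two defensive heuristics that reflect why Grinler singled out the nameless HKCU RunOnce entry for fixing: a RunOnce value with an empty name, and an autostart whose command line carries a URL. The dataclass, the function names and the heuristics are my own; the line layout is taken as it appears in the log.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input: O4 lines copied from the HijackThis log in this thread.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\IEXPLORE.EXE http://www.symantec.com/techsupp/servlet/P...000000D8.DMTemp
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# Registry-backed autostarts: "O4 - <hive>\..\<Run|RunOnce>: [<name>] <command> (User '<user>')"
REG_O4 = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Startup-folder autostarts: "O4 - [Global ]Startup: <name>.lnk = <target>"
STARTUP_O4 = re.compile(
    r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?\.lnk) = (?P<cmd>.*)$"
)
URL_RE = re.compile(r"https?://", re.IGNORECASE)


@dataclass
class AutostartEntry:
    hive: str   # HKLM, HKCU, HKUS\<SID>, or "Startup folder" (hypothetical label)
    key: str    # Run, RunOnce, Startup, Global Startup
    name: str   # registry value name or .lnk name; "" when the log shows []
    cmd: str    # command line or shortcut target
    user: str   # user context when the log states one, else ""
    raw: str    # the original log line


def parse_o4_lines(text: str) -> List[AutostartEntry]:
    """Turn every O4 line of a HijackThis log into a structured entry."""
    entries: List[AutostartEntry] = []
    for line in text.splitlines():
        line = line.strip()
        m = REG_O4.match(line)
        if m:
            entries.append(AutostartEntry(m["hive"], m["key"], m["name"],
                                          m["cmd"], m["user"] or "", line))
            continue
        m = STARTUP_O4.match(line)
        if m:
            entries.append(AutostartEntry("Startup folder", m["key"], m["name"],
                                          m["cmd"], "", line))
    return entries


def find_suspicious(entries: List[AutostartEntry]) -> List[Tuple[AutostartEntry, List[str]]]:
    """Heuristics (my own): nameless RunOnce values and autostarts that carry a URL."""
    findings = []
    for e in entries:
        reasons = []
        if e.key == "RunOnce" and e.name == "":
            reasons.append("RunOnce value with an empty name")
        if URL_RE.search(e.cmd):
            reasons.append("command line contains a URL")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in find_suspicious(parse_o4_lines(SAMPLE_HJT_LOG)):
        print(entry.raw)
        for r in reasons:
            print("   ->", r)
```

Run as-is it reports exactly one line, the HKCU RunOnce entry that launches IEXPLORE.EXE with a URL, for both reasons; the AVG, SDFix, ctfmon, LiveUpdate and WinZip entries pass.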

#5 jamy1224


Posted 08 October 2007 - 01:57 AM

Can't log in in normal mode, so I can only run ComboFix in safe mode. Here are the logs you requested:
Hijack this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:33 PM, on 10/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Amy\My Documents\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Act.Outlook.Service] "C:\Program Files\ACT\ACT for Windows\Act.Outlook.Service.exe"
O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\ACT for Windows\ActSage.exe" -preload
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: HomeNet Manager.lnk = C:\Program Files\SingleClick Systems\HomeNet Manager\ezi_hnm2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129773528234
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex.com/client/v_mywebex-ps...bex/ieatgpc.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...120/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 7664 bytes

Combofix:

ComboFix 07-09-17.2 - "Amy" 2007-10-07 23:53:55.4 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.750 [GMT -7:00]
.

((((((((((((((((((((((((( Files Created from 2007-09-08 to 2007-10-08 )))))))))))))))))))))))))))))))
.

2007-10-07 19:11 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\APPLIC~1\GTek
2007-10-07 19:00 7,882 --a------ C:\WINDOWS\system32\GTKCMOS.sys
2007-10-07 19:00 7,626 --a------ C:\WINDOWS\system32\GPCIEnum.sys
2007-10-07 19:00 7,168 --a------ C:\WINDOWS\system32\DLPT64.sys
2007-10-07 19:00 5,632 --a------ C:\WINDOWS\system32\GPCIEn64.sys
2007-10-07 19:00 5,120 --a------ C:\WINDOWS\system32\GTKCMO64.sys
2007-10-07 19:00 4,608 --a------ C:\WINDOWS\system32\DDMI64.sys
2007-10-05 20:39 <DIR> d-------- C:\WINDOWS\LastGood
2007-09-25 23:22 <DIR> d-------- C:\DOCUME~1\Amy\APPLIC~1\Uniblue
2007-09-25 22:34 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-09-24 23:25 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-09-21 19:41 <DIR> d-------- C:\Program Files\Hijack This
2007-09-21 08:04 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-19 06:02 <DIR> d-------- C:\Deckard
2007-09-17 19:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-17 19:31 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-16 22:17 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-09-16 20:41 <DIR> d-------- C:\Program Files\PCPitstop
2007-09-16 18:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-16 18:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-15 15:38 <DIR> d-------- C:\THE CONTRACT
2007-09-15 14:45 <DIR> d-------- C:\THE_CONTRACT
2007-09-15 14:10 <DIR> d-------- C:\DOCUME~1\Amy\APPLIC~1\dvdcss
2007-09-15 13:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
2007-09-15 13:49 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-08 15:57 <DIR> d-------- C:\Program Files\CyberLink
2007-09-08 15:51 <DIR> d-------- C:\Program Files\ffdshow
2007-09-08 15:10 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-09-08 15:09 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-09-08 14:58 <DIR> d-------- C:\Program Files\InterActual
2007-09-08 00:04 <DIR> d-------- C:\WINDOWS\DSL
2007-09-08 00:04 <DIR> d-------- C:\Program Files\Verizon
2007-09-07 23:24 <DIR> d-------- C:\Program Files\Common Files\SupportSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 19:00 --------- d--h----- C:\DOCUME~1\ALLUSE~1\APPLIC~1\GTek
2007-09-28 19:43 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-26 00:07 --------- d-------- C:\Program Files\HP
2007-09-25 21:20 --------- d-------- C:\Program Files\ewido anti-malware
2007-09-21 07:21 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-20 19:02 --------- d-------- C:\Program Files\True Sword 4
2007-09-17 15:22 --------- d-------- C:\Program Files\ProcessGuard
2007-09-09 10:05 --------- d-------- C:\DOCUME~1\Amy\APPLIC~1\AdobeUM
2007-09-04 23:14 --------- d-------- C:\DOCUME~1\Jady\APPLIC~1\ACT
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-06-28 14:36 401720 --a------ C:\Program Files\HijackThis.exe
2007-02-22 09:28 260648470 --a------ C:\Program Files\ACTS2007trial.exe
2006-10-30 12:34 15520048 --a------ C:\Program Files\IE7-WindowsXP-x86-enu.exe
2006-05-17 08:01 33408 --a------ C:\DOCUME~1\Amy\g2mdlhlpx.exe
2005-02-04 11:13 2449408 --a------ C:\DOCUME~1\Jady\gosetup.exe
2004-05-04 21:09 99368 --a------ C:\Program Files\10632-630.pdf
2004-04-27 19:46 22883472 --a------ C:\Program Files\ExAllTools.EXE
2004-03-27 19:57 488032 --a------ C:\Program Files\PopUpStopper.exe
2004-03-27 17:08 219328 --a------ C:\Program Files\MSNToolbarSetup_en-us.exe
2004-01-06 20:41 616631 --a------ C:\Program Files\Popup_Blocker.exe
2004-01-04 22:47 424960 --a------ C:\Program Files\cookiecheck.doc
2003-12-15 10:58 16251072 --a------ C:\Program Files\AdbeRdr60_enu_full.exe
2003-08-27 14:19 36963 -ra------ C:\Program Files\Common Files\SM1updtr.dll
2007-02-22 17:25:13 88 --sh--r C:\WINDOWS\system32\9B2ED09F89.sys
.

((((((((((((((((((((((((((((( snapshot_2007-09-17_193501.85 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 163,328 2007-09-20 06:46:25 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
----a-w 4,145,152 2007-09-21 15:04:58 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
----a-w 61,440 2007-09-21 15:04:58 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
----a-w 163,328 2007-09-20 06:46:25 C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
----a-w 4,145,152 2007-09-21 15:04:55 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
----a-w 61,440 2007-09-21 15:04:55 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
----a-w 6,977 2004-06-09 16:29:56 C:\WINDOWS\LastGood\System32\DDMI2.sys
----a-w 6,656 2003-03-16 23:16:46 C:\WINDOWS\LastGood\System32\DLPT2.sys
----a-r 51,056 2004-01-05 07:27:32 C:\WINDOWS\LastGood\System32\drivers\hpzid412.sys
----a-r 16,496 2004-01-05 07:27:34 C:\WINDOWS\LastGood\System32\drivers\HPZipr12.sys
----a-w 73,728 2005-07-30 04:07:48 C:\WINDOWS\LastGood.Tmp\system32\asuninst.exe
----a-w 262,144 2004-01-05 07:27:24 C:\WINDOWS\LastGood.Tmp\system32\HPZc3212.dll
----a-w 38,567 2007-03-27 17:45:22 C:\WINDOWS\LastGood.Tmp\system32\pcpbios.exe
----a-r 21,488 2004-01-05 07:27:34 C:\WINDOWS\LastGood.Tmp\system32\drivers\HPZius12.sys
----a-w 73,728 2006-08-02 19:39:06 C:\WINDOWS\system32\asuninst.exe
----a-w 6,656 2005-03-13 23:54:00 C:\WINDOWS\system32\DLPT2.sys
----a-w 270,336 2004-03-14 10:34:10 C:\WINDOWS\system32\HPZc3212.dll
----a-w 278,584 2004-03-18 23:53:54 C:\WINDOWS\system32\HPZidr12.dll
----a-w 61,440 2004-03-18 23:38:00 C:\WINDOWS\system32\HPZinw12.exe
----a-w 65,536 2004-03-18 23:55:48 C:\WINDOWS\system32\HPZipm12.exe
----a-w 204,800 2004-03-18 23:56:28 C:\WINDOWS\system32\HPZipr12.dll
----a-w 94,208 2004-03-18 23:39:24 C:\WINDOWS\system32\HPZipt12.dll
----a-w 57,344 2004-03-18 23:39:30 C:\WINDOWS\system32\HPZisn12.dll
----a-w 80,298 2007-10-08 03:05:45 C:\WINDOWS\system32\perfc009.dat
----a-w 449,114 2007-10-08 03:05:45 C:\WINDOWS\system32\perfh009.dat
----a-w 526,184 2007-03-15 19:19:58 C:\WINDOWS\system32\XceedCry.dll
----a-w 497,496 2007-03-15 19:23:16 C:\WINDOWS\system32\XceedZip.dll
----a-w 821,728 2007-09-26 06:30:28 C:\WINDOWS\system32\drivers\avg7core.sys
----a-w 51,088 2004-03-22 12:35:48 C:\WINDOWS\system32\drivers\hpzid412.sys
----a-w 16,496 2004-03-22 12:35:52 C:\WINDOWS\system32\drivers\HPZipr12.sys
----a-w 21,744 2004-03-22 12:35:58 C:\WINDOWS\system32\drivers\HPZius12.sys
----a-w 182,248 2007-08-08 00:20:44 C:\WINDOWS\system32\Macromed\Director\SwDir.dll
----a-w 55,272 2007-08-08 00:21:02 C:\WINDOWS\system32\Macromed\Director\SwDnld.exe
----a-w 585,728 2007-08-07 20:35:56 C:\WINDOWS\system32\Macromed\Shockwave 10\Control.dll
----a-w 1,490,944 2007-08-07 20:19:40 C:\WINDOWS\system32\Macromed\Shockwave 10\dirapi.dll
----a-w 24,576 2007-08-07 20:36:32 C:\WINDOWS\system32\Macromed\Shockwave 10\DynaPlayer.dll
----a-w 1,113,600 2007-08-07 23:52:32 C:\WINDOWS\system32\Macromed\Shockwave 10\gi.dll
----a-w 52,288 2007-08-07 20:08:48 C:\WINDOWS\system32\Macromed\Shockwave 10\gtapi.dll
----a-w 606,208 2007-08-07 20:17:24 C:\WINDOWS\system32\Macromed\Shockwave 10\iml32.dll
----a-w 339,968 2007-08-07 20:35:22 C:\WINDOWS\system32\Macromed\Shockwave 10\Plugin.dll
----a-w 483,328 2007-08-07 20:35:32 C:\WINDOWS\system32\Macromed\Shockwave 10\PluginPing.dll
----a-w 180,224 2007-08-07 20:28:38 C:\WINDOWS\system32\Macromed\Shockwave 10\Proj.dll
----a-w 391,144 2007-08-08 00:20:28 C:\WINDOWS\system32\Macromed\Shockwave 10\SwHelper_1020023.exe
----a-w 77,824 2007-08-07 20:37:56 C:\WINDOWS\system32\Macromed\Shockwave 10\SwInit.exe
----a-w 86,016 2007-08-07 20:35:18 C:\WINDOWS\system32\Macromed\Shockwave 10\SwMenu.dll
----a-w 98,304 2007-08-07 20:37:58 C:\WINDOWS\system32\Macromed\Shockwave 10\SwOnce.dll
----a-w 50,808 2007-08-07 20:08:46 C:\WINDOWS\system32\Macromed\Shockwave 10\SYMCCHECKER.DLL
----a-w 149,504 1999-06-25 17:55:30 C:\WINDOWS\system32\Macromed\Shockwave 10\UNWISE.EXE
.
----a-w 73,728 2005-07-30 04:07:48 C:\WINDOWS\system32\asuninst.exe
----a-w 6,656 2003-03-16 23:16:46 C:\WINDOWS\system32\DLPT2.sys
----a-w 262,144 2004-01-05 07:27:24 C:\WINDOWS\system32\HPZc3212.dll
----a-w 266,296 2004-01-05 07:27:32 C:\WINDOWS\system32\hpzidr12.dll
----a-w 61,699 2004-01-05 07:27:32 C:\WINDOWS\system32\hpzinw12.exe
----a-w 65,795 2004-01-05 07:27:32 C:\WINDOWS\system32\hpzipm12.exe
----a-w 196,608 2004-01-05 07:27:34 C:\WINDOWS\system32\hpzipr12.dll
----a-w 94,208 2004-01-05 07:27:34 C:\WINDOWS\system32\hpzipt12.dll
----a-w 57,344 2004-01-05 07:27:34 C:\WINDOWS\system32\hpzisn12.dll
----a-w 80,298 2007-09-17 06:16:31 C:\WINDOWS\system32\perfc009.dat
----a-w 449,114 2007-09-17 06:16:31 C:\WINDOWS\system32\perfh009.dat
----a-w 821,600 2007-09-03 16:31:04 C:\WINDOWS\system32\drivers\avg7core.sys
----a-r 51,056 2004-01-05 07:27:32 C:\WINDOWS\system32\drivers\hpzid412.sys
----a-r 16,496 2004-01-05 07:27:34 C:\WINDOWS\system32\drivers\HPZipr12.sys
----a-r 21,488 2004-01-05 07:27:34 C:\WINDOWS\system32\drivers\HPZius12.sys
----a-w 32,768 2001-05-25 00:46:02 C:\WINDOWS\system32\Macromed\Director\SwDir.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-10-12 11:51]
"MMTray"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe" [2005-03-15 08:58]
"nwiz"="nwiz.exe" [2003-10-06 15:16 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 15:16]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-09-01 21:51]
"DXDllRegExe"="dxdllreg.exe" []
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 16:49]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2005-03-15 08:58]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-09-13 08:10]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"Act.Outlook.Service"="C:\Program Files\ACT\ACT for Windows\Act.Outlook.Service.exe" [2006-10-25 09:57]
"Act! Preloader"="C:\Program Files\ACT\ACT for Windows\ActSage.exe" [2006-10-25 09:52]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"PC Pitstop Optimize Scheduler"="C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe" [2007-07-09 16:51]
"PCPitstop Optimize Registration Reminder"="C:\Program Files\PCPitstop\Optimize\Reminder.exe" [2007-07-09 16:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 12:00]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2001-06-26 10:23]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2003-12-15 05:54:33]


R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2K;pwd_2K;C:\WINDOWS\system32\drivers\pwd_2K.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys
S2 MSSQL$ACT7;SQL Server (ACT7);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sACT7
S2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 tbcspud;Santa Cruz Driver;C:\WINDOWS\system32\drivers\tbcspud.sys
S3 tbcwdm;Santa Cruz WDM Driver;C:\WINDOWS\system32\drivers\tbcwdm.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70781842-c1b7-11db-9004-444553544200}]
AutoRun\command- G:\autoplay.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-10 18:30:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-07 23:54:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-07 23:55:30
C:\ComboFix-quarantined-files.txt ... 2007-10-07 23:55
C:\ComboFix2.txt ... 2007-10-07 20:12
C:\ComboFix3.txt ... 2007-10-05 21:07
.
--- E O F ---

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:14 AM

Posted 08 October 2007 - 11:34 AM

The only file I see that may be suspect is:

C:\WINDOWS\system32\9B2ED09F89.sys

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Then submit the file above to this page:

http://www.bleepingcomputer.com/submit-malware.php?channel=3
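Grinler does not spell out what made that entry stand out, but in the Find3M report above it is the only file listed with hidden and system attributes (`--sh--r`), its name is a bare hex string, and at 88 bytes it is far too small to be a driver image. The script below is an added example, not part of the thread or of ComboFix: it parses lines in the shape of ComboFix's "Files Created" and "Find3M Report" sections and flags entries on exactly those three heuristics. The sample log is constructed from lines already posted in this thread; `MIN_DRIVER_BYTES` and the hex-name length are assumed thresholds, not values ComboFix uses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: six lines in the ComboFix listing format, taken from
# the log posted above (not a new scan).
SAMPLE_LOG = r"""
2007-10-07 19:00 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\APPLIC~1\GTek
2007-10-07 19:00 7,882 --a------ C:\WINDOWS\system32\GTKCMOS.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-09-28 19:43 --------- d--h----- C:\Program Files\InstallShield Installation Information
2003-08-27 14:19 36963 -ra------ C:\Program Files\Common Files\SM1updtr.dll
2007-02-22 17:25:13 88 --sh--r C:\WINDOWS\system32\9B2ED09F89.sys
"""

# date  time[:ss]  size|<DIR>|---------  attribute-string  path
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}(?::\d{2})?)\s+"
    r"(?P<size><DIR>|-+|[\d,]+)\s+(?P<attrs>[-A-Za-z]+)\s+(?P<path>.+?)\s*$"
)

@dataclass
class Entry:
    date: str
    size: Optional[int]   # None for directories
    attrs: str            # ComboFix attribute string, e.g. "--sh--r"
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs or self.size is None

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

def parse(log: str) -> List[Entry]:
    """Turn listing lines into Entry objects; banners and dots are skipped."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size_txt = m["size"]
        size = int(size_txt.replace(",", "")) if size_txt[0].isdigit() else None
        entries.append(Entry(m["date"], size, m["attrs"], m["path"]))
    return entries

HEX_NAME = re.compile(r"[0-9A-F]{8,}")   # assumed: 8+ upper-case hex digits
MIN_DRIVER_BYTES = 512                    # assumed: PE32 headers alone exceed 300 bytes

def suspicious(entry: Entry) -> List[str]:
    """Return the reasons a file entry deserves a closer look (empty if none)."""
    reasons = []
    if entry.is_dir:
        return reasons
    low_path = entry.path.lower()
    attrs = entry.attrs.lower()
    if "h" in attrs and "s" in attrs and "\\windows\\" in low_path:
        reasons.append("hidden+system file under the Windows directory")
    stem = entry.name.rsplit(".", 1)[0]
    if HEX_NAME.fullmatch(stem):
        reasons.append("filename is a bare hex string")
    if low_path.endswith(".sys") and entry.size is not None and entry.size < MIN_DRIVER_BYTES:
        reasons.append(f"{entry.size}-byte .sys file is too small to be a driver image")
    return reasons

def triage(log: str) -> Dict[str, List[str]]:
    """Map each flagged path to the list of reasons it was flagged."""
    flagged = {}
    for entry in parse(log):
        reasons = suspicious(entry)
        if reasons:
            flagged[entry.path] = reasons
    return flagged

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On the constructed sample only the hex-named 88-byte file is flagged, and it trips all three rules; the legitimate drivers and DLLs from the same log pass. The heuristics are a prioritisation aid for reading a long listing, not a verdict: the flagged file still has to be submitted and examined, which is exactly what the reply above asks for.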

#7 Grinler


Posted 09 October 2007 - 10:51 AM

I received the file.

Open *notepad* by clicking on Start, then Run, and typing notepad and pressing enter.

When notepad opens, copy and paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\9B2ED09F89.sys



Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

#8 jamy1224


Posted 09 October 2007 - 09:10 PM

Here is the combofix file:

ComboFix 07-09-17.2 - "Amy" 2007-10-09 18:56:01.6 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.796 [GMT -7:00]
.

((((((((((((((((((((((((( Files Created from 2007-09-10 to 2007-10-10 )))))))))))))))))))))))))))))))
.

2007-10-07 19:11 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\APPLIC~1\GTek
2007-10-07 19:00 7,882 --a------ C:\WINDOWS\system32\GTKCMOS.sys
2007-10-07 19:00 7,626 --a------ C:\WINDOWS\system32\GPCIEnum.sys
2007-10-07 19:00 7,168 --a------ C:\WINDOWS\system32\DLPT64.sys
2007-10-07 19:00 5,632 --a------ C:\WINDOWS\system32\GPCIEn64.sys
2007-10-07 19:00 5,120 --a------ C:\WINDOWS\system32\GTKCMO64.sys
2007-10-07 19:00 4,608 --a------ C:\WINDOWS\system32\DDMI64.sys
2007-10-05 20:39 <DIR> d-------- C:\WINDOWS\LastGood
2007-09-25 23:22 <DIR> d-------- C:\DOCUME~1\Amy\APPLIC~1\Uniblue
2007-09-25 22:34 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-09-24 23:25 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-09-21 19:41 <DIR> d-------- C:\Program Files\Hijack This
2007-09-21 08:04 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-19 06:02 <DIR> d-------- C:\Deckard
2007-09-17 19:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-17 19:31 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-16 22:17 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-09-16 20:41 <DIR> d-------- C:\Program Files\PCPitstop
2007-09-16 18:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-16 18:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-15 14:10 <DIR> d-------- C:\DOCUME~1\Amy\APPLIC~1\dvdcss
2007-09-15 13:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
2007-09-15 13:49 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 19:00 --------- d--h----- C:\DOCUME~1\ALLUSE~1\APPLIC~1\GTek
2007-09-28 19:43 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-26 00:07 --------- d-------- C:\Program Files\HP
2007-09-25 21:20 --------- d-------- C:\Program Files\ewido anti-malware
2007-09-21 07:21 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-20 19:02 --------- d-------- C:\Program Files\True Sword 4
2007-09-17 15:22 --------- d-------- C:\Program Files\ProcessGuard
2007-09-09 10:05 --------- d-------- C:\DOCUME~1\Amy\APPLIC~1\AdobeUM
2007-09-08 15:57 --------- d-------- C:\Program Files\CyberLink
2007-09-08 15:51 --------- d-------- C:\Program Files\ffdshow
2007-09-08 15:10 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-09-08 14:58 --------- d-------- C:\Program Files\InterActual
2007-09-08 00:04 --------- d-------- C:\Program Files\Verizon
2007-09-08 00:04 --------- d-------- C:\Program Files\Common Files\SupportSoft
2007-09-04 23:14 --------- d-------- C:\DOCUME~1\Jady\APPLIC~1\ACT
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-06-28 14:36 401720 --a------ C:\Program Files\HijackThis.exe
2007-02-22 09:28 260648470 --a------ C:\Program Files\ACTS2007trial.exe
2006-10-30 12:34 15520048 --a------ C:\Program Files\IE7-WindowsXP-x86-enu.exe
2006-05-17 08:01 33408 --a------ C:\DOCUME~1\Amy\g2mdlhlpx.exe
2005-02-04 11:13 2449408 --a------ C:\DOCUME~1\Jady\gosetup.exe
2004-05-04 21:09 99368 --a------ C:\Program Files\10632-630.pdf
2004-04-27 19:46 22883472 --a------ C:\Program Files\ExAllTools.EXE
2004-03-27 19:57 488032 --a------ C:\Program Files\PopUpStopper.exe
2004-03-27 17:08 219328 --a------ C:\Program Files\MSNToolbarSetup_en-us.exe
2004-01-06 20:41 616631 --a------ C:\Program Files\Popup_Blocker.exe
2004-01-04 22:47 424960 --a------ C:\Program Files\cookiecheck.doc
2003-12-15 10:58 16251072 --a------ C:\Program Files\AdbeRdr60_enu_full.exe
2003-08-27 14:19 36963 -ra------ C:\Program Files\Common Files\SM1updtr.dll
2007-02-22 17:25:13 88 --sh--r C:\WINDOWS\system32\9B2ED09F89.sys
.

((((((((((((((((((((((((((((( snapshot_2007-09-17_193501.85 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 163,328 2007-09-20 06:46:25 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
----a-w 4,145,152 2007-09-21 15:04:58 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
----a-w 61,440 2007-09-21 15:04:58 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
----a-w 163,328 2007-09-20 06:46:25 C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
----a-w 4,145,152 2007-09-21 15:04:55 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
----a-w 61,440 2007-09-21 15:04:55 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
----a-w 6,977 2004-06-09 16:29:56 C:\WINDOWS\LastGood\System32\DDMI2.sys
----a-w 6,656 2003-03-16 23:16:46 C:\WINDOWS\LastGood\System32\DLPT2.sys
----a-r 51,056 2004-01-05 07:27:32 C:\WINDOWS\LastGood\System32\drivers\hpzid412.sys
----a-r 16,496 2004-01-05 07:27:34 C:\WINDOWS\LastGood\System32\drivers\HPZipr12.sys
----a-w 73,728 2005-07-30 04:07:48 C:\WINDOWS\LastGood.Tmp\system32\asuninst.exe
----a-w 262,144 2004-01-05 07:27:24 C:\WINDOWS\LastGood.Tmp\system32\HPZc3212.dll
----a-w 38,567 2007-03-27 17:45:22 C:\WINDOWS\LastGood.Tmp\system32\pcpbios.exe
----a-r 21,488 2004-01-05 07:27:34 C:\WINDOWS\LastGood.Tmp\system32\drivers\HPZius12.sys
----a-w 73,728 2006-08-02 19:39:06 C:\WINDOWS\system32\asuninst.exe
----a-w 6,656 2005-03-13 23:54:00 C:\WINDOWS\system32\DLPT2.sys
----a-w 270,336 2004-03-14 10:34:10 C:\WINDOWS\system32\HPZc3212.dll
----a-w 278,584 2004-03-18 23:53:54 C:\WINDOWS\system32\HPZidr12.dll
----a-w 61,440 2004-03-18 23:38:00 C:\WINDOWS\system32\HPZinw12.exe
----a-w 65,536 2004-03-18 23:55:48 C:\WINDOWS\system32\HPZipm12.exe
----a-w 204,800 2004-03-18 23:56:28 C:\WINDOWS\system32\HPZipr12.dll
----a-w 94,208 2004-03-18 23:39:24 C:\WINDOWS\system32\HPZipt12.dll
----a-w 57,344 2004-03-18 23:39:30 C:\WINDOWS\system32\HPZisn12.dll
----a-w 80,298 2007-10-09 04:30:48 C:\WINDOWS\system32\perfc009.dat
----a-w 449,114 2007-10-09 04:30:48 C:\WINDOWS\system32\perfh009.dat
----a-w 526,184 2007-03-15 19:19:58 C:\WINDOWS\system32\XceedCry.dll
----a-w 497,496 2007-03-15 19:23:16 C:\WINDOWS\system32\XceedZip.dll
----a-w 821,728 2007-09-26 06:30:28 C:\WINDOWS\system32\drivers\avg7core.sys
----a-w 51,088 2004-03-22 12:35:48 C:\WINDOWS\system32\drivers\hpzid412.sys
----a-w 16,496 2004-03-22 12:35:52 C:\WINDOWS\system32\drivers\HPZipr12.sys
----a-w 21,744 2004-03-22 12:35:58 C:\WINDOWS\system32\drivers\HPZius12.sys
----a-w 182,248 2007-08-08 00:20:44 C:\WINDOWS\system32\Macromed\Director\SwDir.dll
----a-w 55,272 2007-08-08 00:21:02 C:\WINDOWS\system32\Macromed\Director\SwDnld.exe
----a-w 585,728 2007-08-07 20:35:56 C:\WINDOWS\system32\Macromed\Shockwave 10\Control.dll
----a-w 1,490,944 2007-08-07 20:19:40 C:\WINDOWS\system32\Macromed\Shockwave 10\dirapi.dll
----a-w 24,576 2007-08-07 20:36:32 C:\WINDOWS\system32\Macromed\Shockwave 10\DynaPlayer.dll
----a-w 1,113,600 2007-08-07 23:52:32 C:\WINDOWS\system32\Macromed\Shockwave 10\gi.dll
----a-w 52,288 2007-08-07 20:08:48 C:\WINDOWS\system32\Macromed\Shockwave 10\gtapi.dll
----a-w 606,208 2007-08-07 20:17:24 C:\WINDOWS\system32\Macromed\Shockwave 10\iml32.dll
----a-w 339,968 2007-08-07 20:35:22 C:\WINDOWS\system32\Macromed\Shockwave 10\Plugin.dll
----a-w 483,328 2007-08-07 20:35:32 C:\WINDOWS\system32\Macromed\Shockwave 10\PluginPing.dll
----a-w 180,224 2007-08-07 20:28:38 C:\WINDOWS\system32\Macromed\Shockwave 10\Proj.dll
----a-w 391,144 2007-08-08 00:20:28 C:\WINDOWS\system32\Macromed\Shockwave 10\SwHelper_1020023.exe
----a-w 77,824 2007-08-07 20:37:56 C:\WINDOWS\system32\Macromed\Shockwave 10\SwInit.exe
----a-w 86,016 2007-08-07 20:35:18 C:\WINDOWS\system32\Macromed\Shockwave 10\SwMenu.dll
----a-w 98,304 2007-08-07 20:37:58 C:\WINDOWS\system32\Macromed\Shockwave 10\SwOnce.dll
----a-w 50,808 2007-08-07 20:08:46 C:\WINDOWS\system32\Macromed\Shockwave 10\SYMCCHECKER.DLL
----a-w 149,504 1999-06-25 17:55:30 C:\WINDOWS\system32\Macromed\Shockwave 10\UNWISE.EXE
.
----a-w 73,728 2005-07-30 04:07:48 C:\WINDOWS\system32\asuninst.exe
----a-w 6,656 2003-03-16 23:16:46 C:\WINDOWS\system32\DLPT2.sys
----a-w 262,144 2004-01-05 07:27:24 C:\WINDOWS\system32\HPZc3212.dll
----a-w 266,296 2004-01-05 07:27:32 C:\WINDOWS\system32\hpzidr12.dll
----a-w 61,699 2004-01-05 07:27:32 C:\WINDOWS\system32\hpzinw12.exe
----a-w 65,795 2004-01-05 07:27:32 C:\WINDOWS\system32\hpzipm12.exe
----a-w 196,608 2004-01-05 07:27:34 C:\WINDOWS\system32\hpzipr12.dll
----a-w 94,208 2004-01-05 07:27:34 C:\WINDOWS\system32\hpzipt12.dll
----a-w 57,344 2004-01-05 07:27:34 C:\WINDOWS\system32\hpzisn12.dll
----a-w 80,298 2007-09-17 06:16:31 C:\WINDOWS\system32\perfc009.dat
----a-w 449,114 2007-09-17 06:16:31 C:\WINDOWS\system32\perfh009.dat
----a-w 821,600 2007-09-03 16:31:04 C:\WINDOWS\system32\drivers\avg7core.sys
----a-r 51,056 2004-01-05 07:27:32 C:\WINDOWS\system32\drivers\hpzid412.sys
----a-r 16,496 2004-01-05 07:27:34 C:\WINDOWS\system32\drivers\HPZipr12.sys
----a-r 21,488 2004-01-05 07:27:34 C:\WINDOWS\system32\drivers\HPZius12.sys
----a-w 32,768 2001-05-25 00:46:02 C:\WINDOWS\system32\Macromed\Director\SwDir.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-10-12 11:51]
"MMTray"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe" [2005-03-15 08:58]
"nwiz"="nwiz.exe" [2003-10-06 15:16 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 15:16]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-09-01 21:51]
"DXDllRegExe"="dxdllreg.exe" []
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 16:49]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2005-03-15 08:58]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-09-13 08:10]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"Act.Outlook.Service"="C:\Program Files\ACT\ACT for Windows\Act.Outlook.Service.exe" [2006-10-25 09:57]
"Act! Preloader"="C:\Program Files\ACT\ACT for Windows\ActSage.exe" [2006-10-25 09:52]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"PC Pitstop Optimize Scheduler"="C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe" [2007-07-09 16:51]
"PCPitstop Optimize Registration Reminder"="C:\Program Files\PCPitstop\Optimize\Reminder.exe" [2007-07-09 16:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 12:00]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2001-06-26 10:23]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2003-12-15 05:54:33]


R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2K;pwd_2K;C:\WINDOWS\system32\drivers\pwd_2K.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys
S2 MSSQL$ACT7;SQL Server (ACT7);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sACT7
S2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 tbcspud;Santa Cruz Driver;C:\WINDOWS\system32\drivers\tbcspud.sys
S3 tbcwdm;Santa Cruz WDM Driver;C:\WINDOWS\system32\drivers\tbcwdm.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70781842-c1b7-11db-9004-444553544200}]
AutoRun\command- G:\autoplay.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-10 18:30:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-09 18:59:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-09 19:00:30
C:\ComboFix-quarantined-files.txt ... 2007-10-09 19:00
C:\ComboFix2.txt ... 2007-10-08 17:41
C:\ComboFix3.txt ... 2007-10-07 23:55
.
--- E O F ---

And here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:39 PM, on 10/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Act.Outlook.Service] "C:\Program Files\ACT\ACT for Windows\Act.Outlook.Service.exe"
O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\ACT for Windows\ActSage.exe" -preload
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: HomeNet Manager.lnk = C:\Program Files\SingleClick Systems\HomeNet Manager\ezi_hnm2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129773528234
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex.com/client/v_mywebex-ps...bex/ieatgpc.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...120/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 7600 bytes

#9 Grinler


Posted 10 October 2007 - 11:07 AM

Are you still having problems getting into normal mode? If so, boot into safe mode, and click on start, then run, and type msconfig.

On the General tab, select Selective Startup and then uncheck Load Startup Items. Press the Apply and then OK buttons and reboot when it asks. Can you get into normal mode now?

#10 jamy1224


Posted 10 October 2007 - 10:42 PM

I disabled them all and I still can't log on in normal mode.

#11 Grinler


Posted 11 October 2007 - 10:39 AM

Just to clarify. So you get to your desktop, you see icons, and then it logs you out? Or does it give an error or does the machine shut off? Please give me as much detail as you can so I can research it better.

#12 jamy1224


Posted 11 October 2007 - 03:00 PM

When I boot the computer it goes to the login screen, where there are 4 user profiles/icons listed. When I move my cursor to my icon, the computer hesitates/freezes, the screen blinks black, and then it moves a copy of an icon from the right side of the screen to the left side. This happens every time I try to log in and it never takes my password. I can never get past the Windows login screen. I tried running chkdsk but it failed and it kept restarting my computer.

The only way I'm able to try and do anything is in safe mode with networking, but I'm also unable to print. My printer doesn't show up in the printer file and I haven't been able to download the drivers to re-install the printer.

#13 Grinler


Posted 11 October 2007 - 04:30 PM

Are you able to login to any of the other profiles?

#14 jamy1224


Posted 11 October 2007 - 05:00 PM

No, I can't even enter the passwords.

#15 Grinler


Posted 12 October 2007 - 08:36 AM

Ok, as we are not finding any malware, I suggest you post your problem in the Windows XP forum stating that your log was analyzed and no malware was found. The helpers who frequent that forum are more competent in the problems you are having than I am and can help you better.

You can also boot back into safe mode, run msconfig, and select normal startup so our changes are reversed.

Sorry I could not help you further, but at least we know the issue is not malware related.



