nasty virus(RESOLVED)

  1. #11
    jorie9699 (Newbie)

    re: nasty virus(RESOLVED)

    I ran ComboFix. Now I have tried everything to disable my antivirus, but I noticed ComboFix is saying "Resident AV", so I uninstalled my NOD32 and ran it again and it's still saying "Resident AV"... I don't know what else is running in the background.


    .1 - Jessica 2008-07-18 23:34:47.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.171 [GMT -5:00]
    Running from: C:\Documents and Settings\Jessica\Desktop\ComboFix.exe
    * Resident AV is active

    .

    ((((((((((((((((((((((((( Files Created from 2008-06-19 to 2008-07-19 )))))))))))))))))))))))))))))))
    .

    2008-07-18 08:37 . 2008-07-18 08:37 <DIR> d-------- C:\WINDOWS\LastGood
    2008-07-17 21:40 . 2008-07-18 23:12 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-07-17 21:40 . 2008-07-18 23:12 <DIR> d-------- C:\Documents and Settings\Jessica\Application Data\SUPERAntiSpyware.com
    2008-07-17 21:40 . 2008-07-17 21:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-07-16 10:53 . 2008-07-16 10:53 <DIR> d-------- C:\Program Files\Research In Motion
    2008-07-16 10:53 . 2008-07-16 10:53 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
    2008-07-14 23:33 . 2008-07-14 23:33 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-14 23:33 . 2008-07-14 23:33 <DIR> d-------- C:\Documents and Settings\Jessica\Application Data\Malwarebytes
    2008-07-14 23:33 . 2008-07-14 23:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-14 23:33 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-07-14 23:33 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-14 20:19 . 2008-07-14 20:20 <DIR> d-------- C:\Program Files\CCleaner
    2008-07-14 20:10 . 2008-07-14 20:10 <DIR> d-------- C:\Program Files\RegSupreme
    2008-07-14 20:10 . 2008-07-14 20:10 23 --a------ C:\WINDOWS\system32\fcedebe4_g.ocx
    2008-07-14 19:46 . 2008-07-14 19:46 <DIR> d-------- C:\Program Files\Lavasoft
    2008-07-14 19:46 . 2008-07-14 19:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-07-14 19:45 . 2008-07-18 23:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-12 18:05 . 2008-07-12 18:06 <DIR> d-------- C:\Documents and Settings\Jessica\SecurityScans
    2008-07-12 17:50 . 2008-07-12 17:50 <DIR> d-------- C:\Documents and Settings\Jessica\Application Data\Uniblue
    2008-07-12 17:32 . 2008-07-12 17:32 1,052 --a------ C:\Documents and Settings\Jessica\z.dat
    2008-07-12 17:32 . 2008-07-12 17:32 298 --a------ C:\Documents and Settings\Jessica\x.dat
    2008-07-12 15:44 . 2008-07-12 17:27 185,527 --a------ C:\WINDOWS\wininit.ini
    2008-07-12 15:11 . 2008-07-12 15:11 <DIR> d-------- C:\Program Files\AML Products
    2008-07-12 15:02 . 2008-07-12 15:02 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-07-12 15:02 . 2008-07-17 21:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-11 08:22 . 2008-07-11 08:22 0 --a------ C:\z3g45.bat
    2008-07-09 08:51 . 2007-05-17 16:43 15,086 --a------ C:\WINDOWS\ComcastWebmail.ico
    2008-07-09 08:50 . 2008-07-09 08:50 <DIR> d-------- C:\Program Files\Comcast
    2008-07-09 08:50 . 2008-07-09 08:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
    2008-07-08 22:49 . 2008-07-09 08:50 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
    2008-07-08 22:49 . 2008-07-08 22:49 1,152 --a------ C:\net_save.dna

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-19 04:33 --------- d-----w C:\Program Files\ESET
    2008-07-17 03:39 --------- d-----w C:\Program Files\Yahoo!
    2008-07-15 16:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
    2008-07-15 16:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-07-15 16:06 --------- d-----w C:\Program Files\Kazaa
    2008-07-15 16:05 --------- d-----w C:\Program Files\Google
    2008-07-15 00:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-07-14 17:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-05-16 16:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2007-11-20 01:52 2 --shatr C:\WINDOWS\winstart.bat
    .

    ------- Sigcheck -------

    2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2gdr\tcpip.sys
    2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2qfe\tcpip.sys
    2008-06-20 05:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 C:\WINDOWS\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp2gdr\tcpip.sys
    2008-06-20 05:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp2qfe\tcpip.sys
    2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp3gdr\tcpip.sys
    2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp3qfe\tcpip.sys
    2007-11-18 12:56 359040 4235257833c3e98956fef69ff2c23ee3 C:\WINDOWS\system32\dllcache\TCPIP.SYS
    2007-11-18 12:56 359040 4235257833c3e98956fef69ff2c23ee3 C:\WINDOWS\system32\drivers\TCPIP.SYS
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
    "H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2006-06-20 23:36 1207080]
    "Aim6"="" [BU]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 07:00 208952]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 07:00 455168]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 07:00 455168]
    "StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2003-10-03 13:52 61440]
    "HPLJ Config"="C:\Program Files\Hewlett-Packard\hp LaserJet 3015_3020_3030_3380\SetConfig.exe" [2003-03-31 17:32 28672]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 11:40 49152]
    "hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 10:59 794624]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-21 10:57 286720]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
    "SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 02:29 102400]
    "IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 07:00 44032]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 07:00 59392]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
    "ddoctorv2"="C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2007-04-19 14:21 198184]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXRjihi]
    [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxxutu]
    [BU]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "NMSAccessU"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2007-05-04 09:27]
    R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-01-30 16:09]
    S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2007-11-19 21:10]
    S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2007-02-02 18:38]
    S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2007-01-18 11:24]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2563DA26-40A7-A641-3235-308CA13E866F}]
    C:\WINDOWS\system32:dlihost.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-18 23:36:06
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    .
    Completion time: 2008-07-18 23:37:00
    ComboFix-quarantined-files.txt 2008-07-19 04:36:55
    ComboFix2.txt 2008-07-19 04:27:36
    ComboFix3.txt 2008-07-19 04:04:48
    ComboFix4.txt 2008-07-15 1525

    Pre-Run: 59,715,391,488 bytes free
    Post-Run: 59,705,331,712 bytes free

    137 --- E O F --- 2008-07-18 13:37:09


  2. #12
    Neal (Dedicated Member)
    Open Notepad (must be Notepad) and copy/paste the text in the quote box below into it (NOT THE WORD QUOTE):



    File::
    C:\WINDOWS\system32:dlihost.exe

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXRjihi]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxxutu]
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2563DA26-40A7-A641-3235-308CA13E866F}]



    Save this as CFScript

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.






    This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log when done with the rest of this.


    Strongly advise getting rid of Kazaa (VERY BAD PROGRAM), like this:



    KazaaBegone:-

    This is a Kazaa uninstaller which scans and removes all elements of all Kazaa versions, as well as all of the bundled software that comes with it. This tool was made by Merijn.

    First you need to download LSP Fix and place it in a secure place, as using KazaaBegone may disrupt your internet connection.

    Next, download KazaaBegone.zip, and unzip it to a convenient location.

    Run KazaaBegone
    • Double click KazaaBegone from where you unzipped it.
    • Select Search & destroy all installed components
    • Click Go
    • Close KazaaBegone
    As I said before: if you lose Internet access after removing Kazaa, run the LSPfix program, tick the "I know what I am doing" box, then click Finish and reboot your computer, and your connection will be back. This is just a precaution; it is very, very rare that it happens.



    Go here to learn how to show hidden files/folders:

    Help: How to Show System Files

    Re-hide after we are done



    Scan these files please:

    C:\WINDOWS\system32\fcedebe4_g.ocx

    C:\z3g45.bat



    Like this:


    Go to next site:
    VirusTotal - Free Online Virus and Malware Scan
    On top you'll find 'Browse'
    Click the browse button and browse to next file:


    C:\WINDOWS\system32\fcedebe4_g.ocx


    Click open.
    Then click the 'Send' button next to it.
    This will scan the file. Please be patient.
    Once scanned, copy and paste the results as well in your next reply.


    If that one is too busy, here is another option:


    Online malware scan

    And

    Virus File Scanner


    I need:

    New HijackThis log after all of the above is done
    ComboFix log
    Scan results for those files.

    Thanks.
    Last edited by Neal; 20-07-2008 at 02:41 AM.
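The CFScript in this reply follows directly from three entries in the ComboFix log posted above: the two Winlogon Notify subkeys whose only content ComboFix reports as [BU], and an Active Setup component whose target, C:\WINDOWS\system32:dlihost.exe, is an NTFS alternate data stream attached to the system32 directory rather than a file inside it (the second colon in the path names the stream). The Python below is an added example, not part of this thread and not ComboFix's own code. It parses a constructed excerpt of the "Reg Loading Points" section (modelled on the log above, plus one made-up benign Notify entry, ExampleLogon, as a control), flags those two indicator types, and renders the flagged entries in the same File:: / Registry:: format Neal used.

```python
"""Triage a ComboFix 'Reg Loading Points' dump for the indicators acted on above.

Added example, not part of the forum thread and not ComboFix's own code.
SAMPLE_LOG is constructed from entries quoted in the thread; the ExampleLogon
Notify entry is made up as a benign control.
"""
import re
from typing import Dict, List

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXRjihi]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxxutu]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ExampleLogon]
C:\Program Files\Example\ExampleLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2563DA26-40A7-A641-3235-308CA13E866F}]
C:\WINDOWS\system32:dlihost.exe
"""

# Drive letter, a backslash path, then a second colon that is not followed by a
# backslash: on NTFS that second colon names an alternate data stream.
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\:]+$")
# A registry key header line; "[BU]" and "[-key]" lines are deliberately excluded.
KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")


def parse_loading_points(text: str) -> Dict[str, List[str]]:
    """Group the value lines of the dump under the key header that precedes them."""
    entries: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, [])
        elif current is not None:
            entries[current].append(line)
    return entries


def path_in_value(line: str) -> str:
    """Pull the target path out of a value line: '"name"="path" [...]' or a bare path."""
    quoted = re.findall(r'"([^"]*)"', line)
    if len(quoted) >= 2:
        return quoted[1]
    return line


def triage(text: str) -> List[Dict[str, str]]:
    """Flag Winlogon Notify subkeys whose only content is [BU], and loading points
    whose target is an alternate data stream instead of a regular file."""
    findings: List[Dict[str, str]] = []
    for key, values in parse_loading_points(text).items():
        if "\\winlogon\\notify\\" in key.lower() and values == ["[BU]"]:
            findings.append({"kind": "notify-bu", "key": key, "path": ""})
        for v in values:
            p = path_in_value(v)
            if ADS_RE.match(p):
                findings.append({"kind": "ads-target", "key": key, "path": p})
    return findings


def build_cfscript(findings: List[Dict[str, str]]) -> str:
    """Render findings in the CFScript layout used in the thread (File:: / Registry::)."""
    files = [f["path"] for f in findings if f["path"]]
    keys: List[str] = []
    for f in findings:
        if f["key"] not in keys:
            keys.append(f["key"])
    out: List[str] = []
    if files:
        out.append("File::")
        out.extend(files)
        out.append("")
    out.append("Registry::")
    out.extend(f"[-{k}]" for k in keys)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)))
```

Run as-is it prints the same three-key, one-file script as the reply. The ADS check is purely syntactic (a second colon not followed by a backslash), which is exactly how ComboFix prints such a target; whether the stream actually exists still has to be confirmed on the host, and a [BU]-only Notify subkey is a prompt to look, not proof of infection on its own.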

  3. #13
    jorie9699 (Newbie)
    Hi, sorry I haven't responded; I went camping over the weekend. Here are my logs, hope it helps.



    ComboFix 08-07-18.1 - Jessica 2008-07-20 23:07:18.4 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.186 [GMT -5:00]
    Running from: C:\Documents and Settings\Jessica\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Jessica\Desktop\CFScript.txt
    * Created a new restore point
    * Resident AV is active


    FILE ::
    C:\WINDOWS\system32:dlihost.exe
    .

    ((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
    .

    2008-07-18 08:37 . 2008-07-18 08:37 <DIR> d-------- C:\WINDOWS\LastGood
    2008-07-17 21:40 . 2008-07-18 23:12 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-07-17 21:40 . 2008-07-18 23:12 <DIR> d-------- C:\Documents and Settings\Jessica\Application Data\SUPERAntiSpyware.com
    2008-07-17 21:40 . 2008-07-17 21:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-07-16 10:53 . 2008-07-16 10:53 <DIR> d-------- C:\Program Files\Research In Motion
    2008-07-16 10:53 . 2008-07-16 10:53 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
    2008-07-14 23:33 . 2008-07-14 23:33 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-14 23:33 . 2008-07-14 23:33 <DIR> d-------- C:\Documents and Settings\Jessica\Application Data\Malwarebytes
    2008-07-14 23:33 . 2008-07-14 23:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-14 23:33 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-07-14 23:33 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-14 20:19 . 2008-07-14 20:20 <DIR> d-------- C:\Program Files\CCleaner
    2008-07-14 20:10 . 2008-07-14 20:10 <DIR> d-------- C:\Program Files\RegSupreme
    2008-07-14 20:10 . 2008-07-14 20:10 23 --a------ C:\WINDOWS\system32\fcedebe4_g.ocx
    2008-07-14 19:46 . 2008-07-14 19:46 <DIR> d-------- C:\Program Files\Lavasoft
    2008-07-14 19:46 . 2008-07-14 19:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-07-14 19:45 . 2008-07-18 23:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-12 18:05 . 2008-07-12 18:06 <DIR> d-------- C:\Documents and Settings\Jessica\SecurityScans
    2008-07-12 17:50 . 2008-07-12 17:50 <DIR> d-------- C:\Documents and Settings\Jessica\Application Data\Uniblue
    2008-07-12 17:32 . 2008-07-12 17:32 1,052 --a------ C:\Documents and Settings\Jessica\z.dat
    2008-07-12 17:32 . 2008-07-12 17:32 298 --a------ C:\Documents and Settings\Jessica\x.dat
    2008-07-12 15:44 . 2008-07-12 17:27 185,527 --a------ C:\WINDOWS\wininit.ini
    2008-07-12 15:11 . 2008-07-12 15:11 <DIR> d-------- C:\Program Files\AML Products
    2008-07-12 15:02 . 2008-07-12 15:02 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-07-12 15:02 . 2008-07-17 21:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-11 08:22 . 2008-07-11 08:22 0 --a------ C:\z3g45.bat
    2008-07-09 08:51 . 2007-05-17 16:43 15,086 --a------ C:\WINDOWS\ComcastWebmail.ico
    2008-07-09 08:50 . 2008-07-09 08:50 <DIR> d-------- C:\Program Files\Comcast
    2008-07-09 08:50 . 2008-07-09 08:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
    2008-07-08 22:49 . 2008-07-09 08:50 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
    2008-07-08 22:49 . 2008-07-08 22:49 1,152 --a------ C:\net_save.dna

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-19 04:33 --------- d-----w C:\Program Files\ESET
    2008-07-17 03:39 --------- d-----w C:\Program Files\Yahoo!
    2008-07-15 16:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
    2008-07-15 16:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-07-15 16:06 --------- d-----w C:\Program Files\Kazaa
    2008-07-15 16:05 --------- d-----w C:\Program Files\Google
    2008-07-15 00:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-07-14 17:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-05-16 16:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2007-11-20 01:52 2 --shatr C:\WINDOWS\winstart.bat
    .

    ------- Sigcheck -------

    2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2gdr\tcpip.sys
    2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2qfe\tcpip.sys
    2008-06-20 05:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 C:\WINDOWS\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp2gdr\tcpip.sys
    2008-06-20 05:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp2qfe\tcpip.sys
    2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp3gdr\tcpip.sys
    2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp3qfe\tcpip.sys
    2007-11-18 12:56 359040 4235257833c3e98956fef69ff2c23ee3 C:\WINDOWS\system32\dllcache\TCPIP.SYS
    2007-11-18 12:56 359040 4235257833c3e98956fef69ff2c23ee3 C:\WINDOWS\system32\drivers\TCPIP.SYS
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
    "H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2006-06-20 23:36 1207080]
    "Aim6"="" [BU]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 07:00 208952]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 07:00 455168]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 07:00 455168]
    "StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2003-10-03 13:52 61440]
    "HPLJ Config"="C:\Program Files\Hewlett-Packard\hp LaserJet 3015_3020_3030_3380\SetConfig.exe" [2003-03-31 17:32 28672]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 11:40 49152]
    "hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 10:59 794624]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-21 10:57 286720]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
    "SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 02:29 102400]
    "IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 07:00 44032]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 07:00 59392]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
    "ddoctorv2"="C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2007-04-19 14:21 198184]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "NMSAccessU"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2007-05-04 09:27]
    R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-01-30 16:09]
    S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2007-11-19 21:10]
    S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2007-02-02 18:38]
    S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2007-01-18 11:24]
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-20 23:09:03
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    C:\WINDOWS\explorer.exe [948] 0x81778020

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    .
    Completion time: 2008-07-20 23:09:57
    ComboFix-quarantined-files.txt 2008-07-21 04:09:51
    ComboFix2.txt 2008-07-19 04:37:03
    ComboFix3.txt 2008-07-19 04:27:36
    ComboFix4.txt 2008-07-19 04:04:48
    ComboFix5.txt 2008-07-21 04:06:44

    Pre-Run: 59,627,925,504 bytes free
    Post-Run: 59,618,824,192 bytes free

    137 --- E O F --- 2008-07-21 0330




    file scan

    File fcedebe4_g.ocx received on 07.21.2008 06:38:40 (CET)
    Current status: finished

    Result: 0/33 (0.00%)
    Compact Print results
    Antivirus Version Last Update Result
    AhnLab-V3 2008.7.17.0 2008.07.18 -
    AntiVir 7.8.1.11 2008.07.20 -
    Authentium 5.1.0.4 2008.07.20 -
    Avast 4.8.1195.0 2008.07.20 -
    AVG 8.0.0.130 2008.07.20 -
    BitDefender 7.2 2008.07.21 -
    CAT-QuickHeal 9.50 2008.07.18 -
    ClamAV 0.93.1 2008.07.20 -
    DrWeb 4.44.0.09170 2008.07.20 -
    eSafe 7.0.17.0 2008.07.20 -
    eTrust-Vet 31.6.5966 2008.07.18 -
    Ewido 4.0 2008.07.20 -
    F-Prot 4.4.4.56 2008.07.20 -
    F-Secure 7.60.13501.0 2008.07.21 -
    Fortinet 3.14.0.0 2008.07.21 -
    GData 2.0.7306.1023 2008.07.21 -
    Ikarus T3.1.1.34.0 2008.07.21 -
    Kaspersky 7.0.0.125 2008.07.21 -
    McAfee 5342 2008.07.18 -
    Microsoft 1.3704 2008.07.21 -
    NOD32v2 3282 2008.07.19 -
    Norman 5.80.02 2008.07.18 -
    Panda 9.0.0.4 2008.07.20 -
    Prevx1 V2 2008.07.21 -
    Rising 20.54.00.00 2008.07.21 -
    Sophos 4.31.0 2008.07.21 -
    Sunbelt 3.1.1536.1 2008.07.18 -
    Symantec 10 2008.07.21 -
    TheHacker 6.2.96.385 2008.07.20 -
    TrendMicro 8.700.0.1004 2008.07.21 -
    VBA32 3.12.8.1 2008.07.20 -
    VirusBuster 4.5.11.0 2008.07.20 -
    Webwasher-Gateway 6.6.2 2008.07.20 -
    Additional information
    File size: 23 bytes
    MD5...: e6c7b226fe21be594542061139a38daf
    SHA1..: dcc0ddfd6df3b91d25cd3bd524916ed42cb36352
    SHA256: b74c2866627b0d394347b6a2b058eeedfc43b5166f4eaa98be3d1465559bd24e
    SHA512: 0eb826254b59282bf2e8dc28eaf355b2b87c7e11f14cfe364b8fcd2079308e3f65f21e47952aaad341335d96b6b8c31796cb8b54bd29064a9ef8cf7f81091245
    PEiD..: -
    PEInfo: -


    second file C:\z3g45.bat


    The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file


    and lastly my HijackThis:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:52, on 7/20/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CDBurnerXP\NMSAccessU.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\MI3AA1~1\wcescomm.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\HPQ\Shared\hpqwmi.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Jessica\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Comcast.net Home
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 3015_3020_3030_3380\SetConfig.exe -c Direct -p DOT4_002 -pn "" -n 1 -l 1033 -sl 120000
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
    O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} -
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} -
    O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} -
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
    O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
    O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} -
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} -
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://aolsvc.aol.com/onlinegames/fr...h.1.0.0.47.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
    O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
    O23 - Service: QuickBooksDB - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
    O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    O24 - Desktop Component 0: Privacy Protection - (no file)

    --
    End of file - 8274 bytes

  4. #14
    Neal is offline Dedicated Member
    Disconnect from the internet, pull the plug, wire etc.

    Now reboot into safe mode (without networking support) by tapping your F8 key upon restart; when the safe mode screen appears, select safe mode and press enter.

    Run HijackThis and click on the "scan system only" button and put checks next to these:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} -
    O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} -
    O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} -
    O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} -
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} -

    O24 - Desktop Component 0: Privacy Protection - (no file)


    Please close ALL browser windows (including this one).

    With everything closed out but HijackThis, click on "fix checked".


    Reboot your PC and reconnect and tell me what is going on now plus a new hijackthis log, thanks.

    Did you run the kazzabegone?
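    The entries Neal ticks above fall into three patterns: browser defaults reset to about:blank or left empty, entries whose target is "(no file)", and O16 DPF (ActiveX download) entries with no download URL. The script below is an added example written for this thread; it is not code from the thread, from HijackThis, or from any tool named here. It applies those same three criteria to HijackThis-style log lines so the leftover clutter can be picked out of a long log mechanically. The sample lines are constructed from entries quoted in this thread; the function names and reason strings are this example's own.

```python
"""HijackThis log triage: flag the entry types the thread treats as
hijack residue or dead clutter.

Added example; not code from the thread, from HijackThis, or from any
tool named in it. Criteria (the ones applied in the thread):
  * R0/R1 browser defaults reset to about:blank or left empty,
  * any entry whose target is "(no file)" (R3, O24, ...),
  * O16 DPF (ActiveX download) entries with no download URL left.
Sample lines are constructed from entries quoted in the thread.
"""
import re
from dataclasses import dataclass

REASON_BLANKED = "browser default blanked or emptied"
REASON_NO_FILE = "entry points at a file that no longer exists"
REASON_EMPTY_DPF = "ActiveX (DPF) entry with no download URL"

# Matches the "Rx - rest" / "Oxx - rest" prefix HijackThis puts on each entry.
_ENTRY = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")


@dataclass
class Finding:
    line: str
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that matches a clean-up criterion."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY.match(line)
        if not m:
            continue  # running-process list, headers, "End of file", etc.
        kind, rest = m.groups()

        if line.endswith("(no file)"):
            findings.append(Finding(line, REASON_NO_FILE))
        elif kind in ("R0", "R1"):
            # "Hive\Key,Value = data": empty or about:blank data is a
            # default that was blanked rather than set by the user.
            _, _, value = rest.partition("=")
            if value.strip() in ("", "about:blank"):
                findings.append(Finding(line, REASON_BLANKED))
        elif kind == "O16":
            # "DPF: {CLSID} (optional name) - URL": a trailing " -" with
            # nothing after it means the ActiveX download source is gone.
            _, _, url = rest.rpartition(" -")
            if not url.strip():
                findings.append(Finding(line, REASON_EMPTY_DPF))
    return findings


def fix_candidates(log_text: str) -> list[str]:
    """Just the lines to tick in HijackThis, in log order."""
    return [f.line for f in triage(log_text)]


# Constructed sample: entries the thread asked to fix, mixed with benign ones.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Comcast.net Home
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} -
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O24 - Desktop Component 0: Privacy Protection - (no file)
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"FIX  {f.reason:<45} {f.line}")
```

    Run it against a saved HijackThis log (`triage(open("hijackthis.log").read())`) and it lists only the entries matching those three patterns; everything else, including the "Unknown owner" service that the thread left alone, passes through untouched, so the output is a checklist to review, not an automatic verdict.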

  5. #15
    jorie9699 is offline Newbie
    I did run the kazaa be gone.
    I ran the HijackThis in safe mode and fixed the checked files. I rebooted and received an error message saying Windows stopped some Windows 32 application from running. Now I don't remember exactly what it said; here's my hijack log and I'm going to reboot to see if I get the message again....

    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CDBurnerXP\NMSAccessU.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
    C:\Program Files\Hewlett-Packard\hp LaserJet 3015_3020_3030_3380\SetConfig.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\MI3AA1~1\wcescomm.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\HPQ\Shared\hpqwmi.exe
    C:\WINDOWS\system32\wuauclt.exe
    \\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
    C:\Documents and Settings\Jessica\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Comcast.net Home
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 3015_3020_3030_3380\SetConfig.exe -c Direct -p DOT4_002 -pn "" -n 1 -l 1033 -sl 120000
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
    O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://aolsvc.aol.com/onlinegames/fr...h.1.0.0.47.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
    O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
    O23 - Service: QuickBooksDB - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
    O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    O24 - Desktop Component 0: Privacy Protection - (no file)

    --
    End of file - 7962 bytes

  6. #16
    jorie9699 is offline Newbie
    I attached an image of my desktop so you can see the white box, and I could not find the error message I received. I tried to find it in the event viewer???
    Attached Images

  7. #17
    jorie9699 is offline Newbie
    The white box is gone. I deleted a folder and internet icon that said "show message" off my desktop and I don't know if that is what it was.....but my desktop is finally back to normal. I've rebooted twice and there is no error message showing up either. Although I also noticed the file you had me check is still showing up. You're the expert, don't know if there's anything lingering around.....

  8. #18
    Neal is offline Dedicated Member
    If this is what you're talking about coming back:

    O24 - Desktop Component 0: Privacy Protection - (no file)

    It is just clutter in hijackthis and has no file attached to it.

    If all is ok I will have some closing tips and free programs for your consideration.


    Also...



    Update Java: Security Issue

    * Go to Start > Control Panel double-click on the Software icon > add/remove programs.
    * Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )

    It should have next icon next to it:
    Select it and click Remove.
    * The current version can be downloaded from Sun here: http://java.sun.com/javase/downloads/index.jsp Scroll down the page to 'Java Runtime Environment (JRE) 6u7' and press the 'Download' button. On the new web page, click the 'Accept License Agreement' button. Then select 'Windows Offline Installation, Multi-language' in the Windows Platform area just below the Accept button.
    Last edited by Neal; 23-07-2008 at 09:18 PM.

  9. #19
    jorie9699 is offline Newbie
    Ok, I installed the Java after removing the older one. Thank you very much for your help and time. Hopefully everything is fine. It seems I'm back to normal. Thank you again.
    jess

  10. #20
    Neal is offline Dedicated Member
    great news and safe surfing out there.



    If you are no longer having any more trouble, here are some preventative measures for you.

    Be sure to re-hide hidden files/folders if you were asked to unhide them

    Here are some preventive measures you can take to keep your computer from getting infected again. Also keep Spybot S&D updated.

    Read This First - IMPORTANT Instructions

    Flush your restore points in ME and XP, by turning System Restore off and then back on.
    This will create a fresh restore point.


    Explained Here:
    Windows XP: McAfee Threat Center

    Explained Here
    Microsoft ME:
    Disabling or enabling Windows Me System Restore



    Please download ATF Cleaner by Atribune to desktop.
    http://www.atribune.org/public-beta/ATF-Cleaner.exe

    Double-click ATF-Cleaner.exe to run the program, to clean junk files off your PC.

    If you would like to keep your cookies don't check that item

    * Under Main "Select Files to Delete" choose: Select All.
    * Click the Empty Selected button.
    * If you use Firefox browser click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    * If you use Opera browser click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main menu to close the program.



    To reduce the re-infection potential for malware and protect yourself against spyware, here are a few helpful suggestions:

    1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft. This will patch many of the security holes through which attackers can gain access to your computer. You CANNOT complete this update using an alternate browser.
    http://v5.windowsupdate.microsoft.co....aspx?ln=en-us

    http://www.microsoft.com/windows/ie/default.asp


    2. Run your antivirus software regularly, and keep its definitions up-to-date. If you are thinking about switching, there are some good free antivirus programs that are decent, including Avira, Avast and PCTools.
    AVIRA: http://www.free-av.com/

    AVAST: FREE avast! antivirus 4.x Home Edition, anti-spyware & anti-rootkit for Windows

    PCTOOLS: PC Tools AntiVirus - Free Anti-Virus Download


    3. In addition to using SpyBot S&D consider using another free malware scanning/removal program:
    Windows Defender: Windows Defender: Home Page



    4. Consider using a free firewall if you are not already using one. Some good free ones are:
    Kerio: Free Firewall Download - Personal Firewall Protection from Sunbelt Kerio


    Comodo: Comodo Free Firewall Software Download



    5. Consider using an alternate free browser for general web surfing but you must use IE for windows update.
    Mozilla Firefox: www.mozilla.org/products/firefox/


    6. Consider increasing your browser security by using Spyware Blaster:
    SpywareBlaster will increase browser protection by blocking Thousands of known malware sites by adding them to IE's restricted sites zone. Download it here:

    SpywareBlaster


    If you use SpywareBlaster, you can also use a custom blocklist to add even more entries into IE's restricted sites zone. Go to this site for the current list and how-to-use instructions: CJB.NET


    IE-SPYAD is similar in that it adds thousands more known malware sites to IE's restricted zone. Download it here:
    https://netfiles.uiuc.edu/ehowes/www/resource.htm


    Block access to Untrustworthy Sites

    You can prevent your computer from visiting a myriad of untrustworthy sites and ad-servers by installing a customised hosts file. One of the best available is the: MVPS Hosts File. Simply follow the instructions to install the file in the correct location. This will not only make surfing safer but will improve website load times and block popups from many of the large ad-servers.



    *Remember just like your primary anti-virus software, it is important to keep all of these programs up-to-date and use them on a regular basis. It's Free
