Scprot4.exe

beemanbone · January 3, 2008

Here is the new hijackthis log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:58:00 PM, on 1/2/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Avast4\aswUpdSv.exe

C:\Program Files\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\Program Files\Avast4\ashMaiSv.exe

C:\Program Files\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ps2.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\System32\hphmon05.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [backupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot

O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe

O4 - Global Startup: APC UPS Status.lnk = ?

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/applicatio...torLauncher.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174224923609

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp...302/Coupons.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/instal...edsolutions.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--

End of file - 10062 bytes

sarahw · January 3, 2008

I looks like it wants to call alot of files on your i: and j: a Virus, do you know why that is?

Apart from that your logs are looking very promising.

Can you please run Combofix again.

beemanbone · January 3, 2008

I: and J: are an external hard drive that I made using my old CPU's hard drive. It also did not run antivirus software.

Here is the new ComboFix log:

ComboFix 07-12-31.4 - Owner 2008-01-03 7:17:33.5 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.206 [GMT -6:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

.

((((((((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))))

.

2008-01-02 20:40 . 2008-01-02 20:40 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2008-01-02 20:40 . 2008-01-02 20:40 <DIR> d-------- C:\WINDOWS\LastGood

2008-01-02 20:40 . 2008-01-02 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-01-02 16:15 . 2007-12-04 06:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr

2008-01-02 16:15 . 2007-12-04 08:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys

2008-01-02 16:15 . 2007-12-04 08:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys

2008-01-02 16:15 . 2007-12-04 08:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys

2008-01-02 16:15 . 2007-12-04 08:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys

2008-01-02 16:15 . 2007-12-04 08:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys

2008-01-02 16:14 . 2008-01-02 16:14 <DIR> d-------- C:\Program Files\Avast4

2008-01-02 16:14 . 2007-12-04 07:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe

2008-01-02 16:14 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx

2008-01-02 12:57 . 2008-01-02 01:53 483,328 --a------ C:\WINDOWS\system32\hphmon05.exe

2008-01-02 12:57 . 2008-01-02 01:53 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe

2008-01-02 12:57 . 2008-01-02 01:53 118,784 --a------ C:\WINDOWS\system32\hkcmd.exe

2008-01-02 12:57 . 2008-01-02 01:53 81,920 --a------ C:\WINDOWS\system32\ps2.exe

2008-01-02 08:43 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-12-19 22:47 . 2007-12-20 07:14 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe

2007-12-19 22:47 . 2007-12-20 07:14 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe

2007-12-19 22:26 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe

2007-12-19 22:26 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2007-12-19 22:26 . 2007-12-19 22:57 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe

2007-12-19 22:26 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe

2007-12-19 22:26 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2007-12-19 22:26 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe

2007-12-19 16:13 . 2007-12-19 16:13 <DIR> d-------- C:\Program Files\Lavasoft

2007-12-19 16:13 . 2007-12-19 16:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2007-12-19 16:12 . 2007-12-19 16:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-12-19 15:53 . 2007-12-19 15:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AdwareAlert

2007-12-19 15:20 . 2007-12-19 15:20 <DIR> d-------- C:\Program Files\Trend Micro

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-02 22:47 --------- d-----w C:\Program Files\Morpheus

2008-01-02 21:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-01-02 21:41 --------- d-----w C:\Program Files\Symantec

2008-01-02 21:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec

2008-01-02 14:51 --------- d-----w C:\Program Files\QuickTime

2007-12-19 20:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-12-16 17:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso

2007-11-26 01:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer

2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll

2007-10-27 23:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll

2007-09-01 12:55 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys

.

------w			84,640 2008-01-02 07:53:49  C:\Program Files\Common Files\Symantec Shared\ccApp .exe

((((((((((((((((((((((((((((( snapshot_2008-01-02_ 9.01.43.43 )))))))))))))))))))))))))))))))))))))))))

.

- 2004-08-04 03:32:00 208,952 ----a-w C:\WINDOWS\ime\imjp8_1\imjpmig.exe

+ 2007-12-20 13:14:23 208,952 ----a-w C:\WINDOWS\ime\imjp8_1\IMJPMIG.EXE

- 2002-08-29 12:00:00 44,032 ----a-w C:\WINDOWS\ime\imkr6_1\imekrmig.exe

+ 2007-12-20 13:14:27 44,032 ----a-w C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

+ 2008-01-02 07:53:21 233,472 ----a-w C:\WINDOWS\SMINST\RECGUARD.EXE

+ 2008-01-02 07:53:56 114,741 ----a-w C:\WINDOWS\system32\dla\tfswctrl.exe

- 2002-08-29 12:00:00 44,032 -c--a-w C:\WINDOWS\system32\dllcache\imekrmig.exe

+ 2007-12-20 13:14:27 44,032 -c--a-w C:\WINDOWS\system32\dllcache\imekrmig.exe

- 2004-08-04 03:32:00 208,952 -c--a-w C:\WINDOWS\system32\dllcache\imjpmig.exe

+ 2007-12-20 13:14:23 208,952 -c--a-w C:\WINDOWS\system32\dllcache\imjpmig.exe

- 2004-08-04 03:31:50 59,392 -c--a-w C:\WINDOWS\system32\dllcache\imscinst.exe

+ 2007-12-20 13:14:26 59,392 -c--a-w C:\WINDOWS\system32\dllcache\imscinst.exe

- 2004-08-04 03:32:16 455,168 -c--a-w C:\WINDOWS\system32\dllcache\tintsetp.exe

+ 2007-12-20 13:14:31 455,168 -c--a-w C:\WINDOWS\system32\dllcache\tintsetp.exe

- 2004-08-04 03:31:50 59,392 ----a-w C:\WINDOWS\system32\IME\PINTLGNT\imscinst.exe

+ 2007-12-20 13:14:26 59,392 ----a-w C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe

- 2004-08-04 03:32:16 455,168 ----a-w C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe

+ 2007-12-20 13:14:31 455,168 ----a-w C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

+ 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll

+ 2007-08-29 21:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe

+ 2007-08-29 21:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll

+ 2008-01-02 23:32:58 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_4f0.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RecordNow!"="" []

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-20 07:14 15360]

"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [2008-01-02 01:54 32768]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-02 01:54 1694208]

"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2008-01-02 01:54 200704]

"AdwareAlert"="C:\Program Files\AdwareAlert\AdwareAlert.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2008-01-02 01:53 233472]

"PS2"="C:\WINDOWS\system32\ps2.exe" [2008-01-02 01:53 81920]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-01-02 01:53 155648]

"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2008-01-02 01:53 483328]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-01-02 01:53 118784]

"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2008-01-02 01:53 114741]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-02 01:53 185896]

"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]

"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2008-01-02 01:54 57344]

"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2007-12-20 07:14 208952]

"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2007-12-20 07:14 44032]

"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2007-12-20 07:14 59392]

"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2007-12-20 07:14 455168]

"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2007-12-20 07:14 455168]

"avast!"="C:\PROGRA~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2006-09-02 17:36 100032]

"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-10-29 08:52 218232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk

backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk

backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

2008-01-02 01:54 57344 --a------ C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]

AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]

2004-08-16 16:45 45056 --a------ C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]

rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus XtremeG]

2004-09-22 13:08 987136 --a------ C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]

2003-08-21 05:23 49152 --a------ c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]

1998-05-07 18:04 52736 --a------ c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2005-06-24 14:16 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]

2003-02-11 21:02 61440 --a------ C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2005-05-28 21:48 155648 --------- C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]

2005-04-02 22:08 98304 --a------ C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]

C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2006-11-09 15:07 49263 --a------ C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]

2003-03-31 19:28 155648 --a------ C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Viewpoint Manager Service"=2 (0x2)

"StarWindService"=2 (0x2)

"Pml Driver HPZ12"=3 (0x3)

"ose"=3 (0x3)

"MDM"=2 (0x2)

"LiveUpdate"=3 (0x3)

"iPodService"=3 (0x3)

"IDriverT"=3 (0x3)

"comHost"=3 (0x3)

"Bonjour Service"=2 (0x2)

"Automatic LiveUpdate Scheduler"=2 (0x2)

"Adobe LM Service"=3 (0x3)

S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2004-09-02 21:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f31d8fe-21d6-11d9-928a-000c76ff2271}]

\Shell\AutoRun\command - H:\setupSNK.exe

*Newly Created Service* - AAVMKER4

*Newly Created Service* - ASWMON2

*Newly Created Service* - ASWRDR

*Newly Created Service* - ASWTDI

*Newly Created Service* - ASWUPDSV

*Newly Created Service* - AVAST!_ANTIVIRUS

*Newly Created Service* - AVAST!_MAIL_SCANNER

*Newly Created Service* - AVAST!_WEB_SCANNER

.

Contents of the 'Scheduled Tasks' folder

"2007-12-19 21:53:35 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"

- C:\Program Files\AdwareAlert\AdwareAlert.ex

- C:\Program Files\AdwareAlert

"2007-12-06 23:50:01 C:\WINDOWS\Tasks\EasyShare Registration Task.job"

- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16

.

**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-03 07:24:38

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-01-03 7:25:41

C:\qoobox\ComboFix-quarantined-files.txt 2008-01-03 13:25:18

C:\qoobox\ComboFix2.txt 2008-01-02 19:06:23

C:\qoobox\ComboFix3.txt 2008-01-02 15:02:19

C:\qoobox\ComboFix4.txt 2007-12-20 13:48:47

C:\qoobox\ComboFix5.txt 2007-12-20 04:52:57

.

2008-01-03 13:20:45 --- E O F ---

sarahw · January 4, 2008

Download a new version of RenV.exe by sUBs to your desktop. Replsce your old copy.
Copy the entire contents of the Code Box below to Notepad.
Name the file as Log.txt (Overwrite the existing one)
Change the Save as Type to All Files
and Save it on the desktop
Reboot into Safe Mode

------w            84,640 2008-01-02 07:53:49  C:\Program Files\Common Files\Symantec Shared\ccApp .exe

In Safe mode, refering to the picture above, drag Log.txt into RenV.exe and attach the resulting report to your reply.

beemanbone · January 4, 2008

Here's the log.

Ran on Fri 01/04/2008 -  7:25:52.65

------w			84,640 2008-01-02 07:53:49  C:\Program Files\Common Files\Symantec Shared\ccApp .exe

 Entries:				1  (1)
 Directories:			0  Files:			 1
 Bytes:			 84,640  Blocks:		  166

sarahw · January 4, 2008

Could you try that again please, drag the new log.txt (the one that you posted the information from) onto the RenV.exe file in normal mode.

beemanbone · January 4, 2008

Here it is.

Ran on Fri 01/04/2008 - 12:15:01.40

 Entries:				0  (0)
 Directories:			0  Files:			 0
 Bytes:				  0  Blocks:			0

sarahw · January 4, 2008

Can you please run combofix again.

Also, post a fresh hijack this log.

beemanbone · January 4, 2008

ComboFix 07-12-31.4 - Owner 2008-01-04 12:26:14.6 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.311 [GMT -6:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

.

The following files were disabled during the run:

C:\WINDOWS\system32\guard32.dll

((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))

.

2008-01-04 08:16 . 2008-01-04 08:16 <DIR> d-------- C:\Program Files\SiteAdvisor

2008-01-04 08:16 . 2008-01-04 08:16 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor

2008-01-04 08:05 . 2008-01-04 08:07 <DIR> d-------- C:\Program Files\SpywareBlaster

2008-01-04 07:59 . 2008-01-04 07:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SiteAdvisor

2008-01-04 07:59 . 2008-01-04 08:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor

2008-01-04 07:59 . 2008-01-04 08:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee

2008-01-04 07:44 . 2008-01-04 07:44 <DIR> d-------- C:\Program Files\COMODO

2008-01-04 07:44 . 2008-01-04 07:44 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Comodo

2008-01-04 07:44 . 2008-01-04 07:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo

2008-01-04 07:44 . 2008-01-04 07:44 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir

2008-01-04 07:44 . 2008-01-04 07:44 79,096 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys

2008-01-04 07:44 . 2008-01-04 07:44 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys