[Inactive] Trojan Virus issues, Help please!

By cj1234
Mar 13, 2010
  1. Hello, I really need your help. I have an HP Pavilion running XP Home Edition. It has been running slowly for a while now, but about 3 days ago I started to get this message to purchase expensive antivirus software. After a while of ignoring it, my computer started to freeze, and then I was not able to get into Windows at all. I did a system restore with F10; that got me back into Windows. I know my system needs updating; I will do this once all viruses are gone. Here are my logs; I have pasted them because I cannot attach them, sorry. Thank you so much in advance.


    Malwarebytes' Anti-Malware 1.44
    Database version: 3865
    Windows 5.1.2600 Service Pack 1
    Internet Explorer 6.0.2800.1106

    3/13/2010 8:48:05 PM
    mbam-log-2010-03-13 (20-48-05).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 221903
    Time elapsed: 1 hour(s), 29 minute(s), 57 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 9

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\WINDOWS\_VOIDpymxnsviwu (Rootkit.TDSS) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\Owner\Local Settings\Application Data\Windows Server\fxlevx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Local Settings\Temp\asr64_ldm.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Local Settings\Temp\kcedua.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Local Settings\Temp\vwwixjz.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Local Settings\Temp\_VOID3a00.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\_VOIDpymxnsviwu\_VOIDd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.
    C:\WINDOWS\casinoprophet.ico (Malware.Trace) -> Quarantined and deleted successfully.


    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 03/13/2010 at 09:54 PM

    Application Version : 4.34.1000

    Core Rules Database Version : 4596
    Trace Rules Database Version: 1978

    Scan type : Complete Scan
    Total Scan Time : 00:57:07

    Memory items scanned : 416
    Memory threats detected : 0
    Registry items scanned : 4671
    Registry threats detected : 0
    File items scanned : 29733
    File threats detected : 9

    Adware.Tracking Cookie
    C:\Documents and Settings\Owner\Cookies\owner@content.yieldmanager[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@ad.wsod[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@kontera[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@apmebf[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@at.atwola[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@collective-media[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
  2. cj1234


    HijackThis log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:04:17 PM, on 3/13/2010
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
    O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
    O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - Startup: HP Organize.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Norton Personal Firewall.lnk = C:\Program Files\Norton Personal Firewall\nisfirst.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    --
    End of file - 7342 bytes
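A triage pass over the HijackThis log above, as an added example (it is not part of the thread and not HijackThis code): the script parses the R/O entry lines and applies a few of the checks a helper runs by eye, flagging a BHO whose DLL is gone, Run and Startup entries that launch a bare filename (resolved through the PATH search order rather than from a fixed location) or a binary outside Windows and Program Files, and Winlogon Notify DLLs. The sample lines are copied from the log above; the rules and their wording are the example's own heuristics, not verdicts, and the sample deliberately includes entries (the HP `cloaker.exe` startup item, SUPERAntiSpyware's Notify DLL) that get flagged for review even though they are legitimate on this machine.

```python
import re
from dataclasses import dataclass, field

# Lines copied from the HijackThis log posted above: a constructed subset chosen
# so that every rule below fires at least once.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r".*?: \[[^\]]+\] (?P<cmd>.+)$")                    # O4 registry Run value
STARTUP_RE = re.compile(r".*? = (?P<path>.+?)(?: \(User '[^']*'\))?$")  # O4 Startup-folder item
# Where a stock XP install keeps its binaries (assumes C: is the system drive).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
LOADER_NAME = {"O2": "BHO", "O3": "Toolbar", "O20": "Winlogon Notify DLL", "O23": "Service binary"}


@dataclass
class Entry:
    section: str
    body: str
    flags: list = field(default_factory=list)


def command_target(cmd: str) -> str:
    """Return the file a Run command really loads: unquote a quoted path, and for
    rundll32 return the DLL argument (rundll32 itself is never the interesting part).
    Assumes the rundll32 DLL argument contains no spaces, as in the log above."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe, _, rest = cmd[1:].partition('"')
    else:
        exe, _, rest = cmd.partition(" ")
    if exe.lower().endswith("rundll32.exe") and rest.strip():
        return rest.strip().split(",")[0].split(" ")[0]
    return exe


def check_path(entry: Entry, target: str, what: str) -> None:
    if "\\" not in target:
        entry.flags.append(f"{what} loads bare filename {target!r}: found via the PATH search "
                           "order, so a same-named file earlier on PATH would run instead")
    elif not target.lower().startswith(TRUSTED_ROOTS):
        entry.flags.append(f"{what} lives outside Windows/Program Files ({target}): verify publisher")


def triage_entry(entry: Entry) -> Entry:
    sec, body = entry.section, entry.body
    if sec in LOADER_NAME:
        path = body.rsplit(" - ", 1)[-1]          # last field is the DLL/EXE path
        if path == "(no file)":
            entry.flags.append(f"{LOADER_NAME[sec]} CLSID is registered but its DLL is gone (orphan entry)")
        else:
            check_path(entry, path, LOADER_NAME[sec])
        if sec == "O20":
            entry.flags.append("runs inside winlogon.exe as SYSTEM at every logon: confirm the product")
    elif sec == "O4":
        m = RUN_RE.match(body)
        if m:
            check_path(entry, command_target(m["cmd"]), "Run value")
        else:
            m = STARTUP_RE.match(body)
            if m:
                check_path(entry, m["path"], "Startup item")
    return entry


def triage(log: str) -> list[Entry]:
    """Parse every 'Rn - ...' / 'On - ...' line and attach the flags it earns."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(triage_entry(Entry(m["sec"], m["body"])))
    return entries


def flagged(log: str) -> dict[str, list[str]]:
    """Flagged entries keyed by their raw body, each with its list of reasons."""
    return {e.body: e.flags for e in triage(log) if e.flags}


if __name__ == "__main__":
    for body, reasons in flagged(SAMPLE_LOG).items():
        print(body)
        for reason in reasons:
            print("   ->", reason)
```

Run it as a script to print the flagged sample entries, or call `flagged(open("hijackthis.log").read())` on a saved log. Note that the bare-filename rule fires on entries such as `ALCXMNTR.EXE` and `nwiz.exe` that are normal on HP/NVIDIA systems; the point of the flag is that the log does not tell you which file on PATH actually runs, so those are the entries to confirm with a file search rather than remove on sight.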
  3. Broni


    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, restart your computer to restore your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  4. cj1234


    Sorry, I don't know why I cannot attach anything. Here are my logs.

    ComboFix 10-03-14.03 - Owner 03/14/2010 16:11:54.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.247.111 [GMT -6:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Internet Explorer\msimg32.dll
    c:\recycler\S-1-5-21-2570717487-1714920417-3223522827-1003
    c:\recycler\S-1-5-21-3211801940-4263789241-2446118236-1003
    c:\windows\COUPON~1.OCX
    c:\windows\CouponPrinter.ocx
    c:\windows\system32\iAlmcoin.dll
    c:\windows\viassary-hp.reg
    D:\Autorun.inf

    c:\windows\system32\qmgr.dll . . . is infected!!

    .
    ((((((((((((((((((((((((( Files Created from 2010-02-14 to 2010-03-14 )))))))))))))))))))))))))))))))
    .

    2010-03-14 00:50 . 2010-03-14 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-03-14 00:48 . 2010-03-14 00:48 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
    2010-03-14 00:46 . 2010-03-14 00:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-03-14 00:46 . 2010-03-14 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-03-13 21:46 . 2003-08-29 03:19 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\interMute
    2010-03-13 21:46 . 2003-08-29 03:16 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec
    2010-03-13 21:46 . 2003-08-24 03:26 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView
    2010-03-13 21:46 . 2003-08-23 14:12 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Sonic

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-30 14:45 . 2007-12-30 14:45 32 --sha-w- c:\windows\{32DDC6AC-7427-4776-BCB2-ED9DD50467CC}.dat
    .

    ------- Sigcheck -------

    [-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\wscntfy.exe
    [-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\wscntfy.exe
    [-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wscntfy.exe
    [-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\wscntfy.exe

    [-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\xmlprov.dll
    [-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\xmlprov.dll
    [-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\xmlprov.dll
    [-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\xmlprov.dll

    [-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
    [-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\ServicePackFiles\i386\mspmsnsv.dll
    [-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\mspmsnsv.dll
    [-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\mspmsnsv.dll
    [-] 2002-11-27 09:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll

    c:\windows\System32\wscntfy.exe ... is missing !!
    c:\windows\System32\xmlprov.dll ... is missing !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BackupNotify"="c:\program files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe" [2003-06-23 24576]
    "NVIEW"="nview.dll" [2003-05-03 835654]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
    "CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 90112]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-06-14 49152]
    "HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-23 49152]
    "HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 483328]
    "KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
    "StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-03 4640768]
    "nwiz"="nwiz.exe" [2003-05-03 323584]
    "AlcxMonitor"="ALCXMNTR.EXE" [2003-04-04 50176]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

    c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
    AutoTBar.exe [2003-6-18 53248]
    mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]

    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    AutoTBar.exe [2003-6-18 53248]
    mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton Personal Firewall.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Norton Personal Firewall.lnk
    backup=c:\windows\pss\Norton Personal Firewall.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
    backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
    backup=c:\windows\pss\Updates from HP.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HP Organize.lnk]
    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\HP Organize.lnk
    backup=c:\windows\pss\HP Organize.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
    2003-06-19 02:19 53248 ----a-w- c:\hp\bin\AUTOTKIT.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    2003-02-25 01:51 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    2002-09-14 04:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
    2003-06-18 01:13 118784 ----a-w- c:\windows\CREATOR\Remind_XP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-18 17:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2010-02-18 22:40 2012912 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2003-08-23 14:14 151597 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [3/13/2010 4:17 PM 114768]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
    S2 mrtRate;mrtRate; [x]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
  5. cj1234


    ComboFix log continued and HijackThis log

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - ALG
    *NewlyCreated* - IPNAT
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 20:42]

    2010-03-13 c:\windows\Tasks\Easy Internet Sign-up.job
    - c:\program files\Easy Internet signup\HPSdpApp.exe [2003-05-23 23:13]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://us9.hpwis.com/
    uDefault_Search_URL = hxxp://srch-us9.hpwis.com/
    mStart Page = hxxp://us9.hpwis.com/
    mSearch Bar = hxxp://srch-us9.hpwis.com/
    uInternet Connection Wizard,ShellNext = hxxp://us9.hpwis.com/
    uInternet Settings,ProxyOverride = localhost
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-PS2 - c:\windows\system32\ps2.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-14 16:29
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(496)
    c:\windows\System32\ODBC32.dll
    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    - - - - - - - > 'lsass.exe'(552)
    c:\windows\System32\dssenh.dll

    - - - - - - - > 'explorer.exe'(3312)
    c:\windows\System32\msi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\program files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\ALCXMNTR.EXE
    c:\program files\Alwil Software\Avast4\ashMaiSv.exe
    c:\program files\Alwil Software\Avast4\ashWebSv.exe
    .
    **************************************************************************
    .
    Completion time: 2010-03-14 16:50:35 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-14 22:50

    Pre-Run: 59,507,109,888 bytes free
    Post-Run: 59,489,722,368 bytes free

    - - End Of File - - BF9E05E27B1D51A170C0CC75F2A4AF84

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:54:19 PM, on 3/14/2010
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\ALCXMNTR.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
    O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
    O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    --
    End of file - 5496 bytes
  6. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    OK, we have quite a few issues here with some system files either missing or infected.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Vista users: Right-click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      qmgr.dll
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  7. cj1234

    cj1234 Newcomer, in training Topic Starter Posts: 26

    I posted a second reply sending the HijackThis log; here it is again, and here is the log for SystemLook.

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 22:26 on 14/03/2010 by Owner (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "qmgr.dll"
    C:\WINDOWS\$NtServicePackUninstall$\qmgr.dll -----c 382464 bytes [19:36 06/02/2009] [07:56 04/08/2004] 2C69EC7E5A311334D10DD95F338FCCEA
    C:\WINDOWS\ERDNT\cache\qmgr.dll --a--- 221696 bytes [22:48 14/03/2010] [12:00 29/08/2002] 6A1CF14D0E7D0B2241F552223769C8A7
    C:\WINDOWS\ServicePackFiles\i386\qmgr.dll ------ 409088 bytes [22:57 11/10/2007] [00:12 14/04/2008] 574738F61FCA2935F5265DC4E5691314
    C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\qmgr.dll --a--- 382464 bytes [22:57 11/10/2007] [07:56 04/08/2004] 2C69EC7E5A311334D10DD95F338FCCEA
    C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\qmgr.dll --a--- 382464 bytes [07:56 04/08/2004] [07:56 04/08/2004] 2C69EC7E5A311334D10DD95F338FCCEA
    C:\WINDOWS\system32\qmgr.dll ------ 221696 bytes [20:32 25/08/2003] [12:00 29/08/2002] 6A1CF14D0E7D0B2241F552223769C8A7

    -=End Of File=-

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:54:19 PM, on 3/14/2010
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\ALCXMNTR.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
    O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
    O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    --
    End of file - 5496 bytes
  8. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Please download OTM

    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    
    :Services
          
    :Reg
    
    :Files
    C:\WINDOWS\system32\qmgr.dll|C:\WINDOWS\$NtServicePackUninstall$\qmgr.dll /replace
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
    
    • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
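    As an added example (not part of the thread, and not a SystemLook or OTM feature), this script parses the filefind output posted above, groups the six copies of qmgr.dll by MD5 and checks whether the live system32 copy agrees with any Service Pack or Windows Update copy, which is the comparison behind the replace step in the OTM script. The path-based "live/reference/other" classification is an assumption of this example; the sample lines are copied from the log in this thread.

```python
"""Group the copies of a system file listed by a SystemLook ':filefind' run
by MD5 and report whether the live copy agrees with any reference copy."""
import re
from collections import defaultdict

# Sample input: the six qmgr.dll lines from the SystemLook log posted in the
# thread, copied as they appear (paths, attributes, sizes, timestamps, MD5s).
FILEFIND_LOG = r"""
Searching for "qmgr.dll"
C:\WINDOWS\$NtServicePackUninstall$\qmgr.dll -----c 382464 bytes [19:36 06/02/2009] [07:56 04/08/2004] 2C69EC7E5A311334D10DD95F338FCCEA
C:\WINDOWS\ERDNT\cache\qmgr.dll --a--- 221696 bytes [22:48 14/03/2010] [12:00 29/08/2002] 6A1CF14D0E7D0B2241F552223769C8A7
C:\WINDOWS\ServicePackFiles\i386\qmgr.dll ------ 409088 bytes [22:57 11/10/2007] [00:12 14/04/2008] 574738F61FCA2935F5265DC4E5691314
C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\qmgr.dll --a--- 382464 bytes [22:57 11/10/2007] [07:56 04/08/2004] 2C69EC7E5A311334D10DD95F338FCCEA
C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\qmgr.dll --a--- 382464 bytes [07:56 04/08/2004] [07:56 04/08/2004] 2C69EC7E5A311334D10DD95F338FCCEA
C:\WINDOWS\system32\qmgr.dll ------ 221696 bytes [20:32 25/08/2003] [12:00 29/08/2002] 6A1CF14D0E7D0B2241F552223769C8A7
"""

# One filefind result line: path, six attribute flags, size, two bracketed
# timestamps (kept verbatim; their meaning is not needed here) and an MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<stamp1>[^\]]+)\] \[(?P<stamp2>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# Heuristic (an assumption of this example, not a SystemLook feature): where a
# copy lives decides whether it is the file Windows actually loads ("live"),
# a Microsoft-supplied copy usable as a known-good reference ("reference"),
# or something else such as a cleanup tool's own cache ("other").
REFERENCE_MARKERS = (
    "\\dllcache\\",                      # Windows File Protection cache
    "\\servicepackfiles\\",
    "$ntservicepackuninstall$",
    "\\softwaredistribution\\download\\",
)


def classify(path):
    p = path.lower()
    if any(marker in p for marker in REFERENCE_MARKERS):
        return "reference"
    if "\\system32\\" in p:
        return "live"
    return "other"


def parse_filefind(text):
    """Return one dict per result line; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["role"] = classify(e["path"])
        entries.append(e)
    return entries


def assess(entries):
    """Group copies by hash and say, for each live copy, whether its hash
    occurs among the reference copies and which other copies share it."""
    by_md5 = defaultdict(list)
    for e in entries:
        by_md5[e["md5"]].append(e["path"])
    reference_hashes = {e["md5"] for e in entries if e["role"] == "reference"}
    live = []
    for e in entries:
        if e["role"] != "live":
            continue
        live.append({
            "path": e["path"],
            "md5": e["md5"],
            "size": e["size"],
            "matches_reference": e["md5"] in reference_hashes,
            "same_hash_as": [p for p in by_md5[e["md5"]] if p != e["path"]],
        })
    return {
        "hash_groups": dict(by_md5),
        "reference_hashes": sorted(reference_hashes),
        "live": live,
    }


if __name__ == "__main__":
    report = assess(parse_filefind(FILEFIND_LOG))
    for md5, paths in report["hash_groups"].items():
        print(md5, "->", len(paths), "copy/copies")
    for item in report["live"]:
        verdict = ("matches a reference copy" if item["matches_reference"]
                   else "matches NO reference copy")
        print(item["path"], item["size"], "bytes:", verdict)
        # A mismatch alone is not proof of tampering: the reference copies here
        # carry 2004 and 2008 build timestamps while the live copy carries a
        # 2002 one, so the file version (as ComboFix's Sigcheck reports it)
        # has to be compared as well before deciding which copy to restore.
```

On this log the live copy shares its hash only with the ERDNT\cache copy and matches none of the Service Pack or Windows Update copies, which is the divergence the replace step acts on.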
  9. cj1234

    cj1234 Newcomer, in training Topic Starter Posts: 26

    Here are the MoveIt logs, thanks.

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    File C:\WINDOWS\system32\qmgr.dll successfully replaced with C:\WINDOWS\$NtServicePackUninstall$\qmgr.dll
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: LocalService
    ->Temp folder emptied: 82100 bytes
    ->Temporary Internet Files folder emptied: 112094 bytes
    ->Flash cache emptied: 300 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Owner
    ->Temp folder emptied: 381 bytes
    ->Temporary Internet Files folder emptied: 6131557 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 1890269 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 1087673 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 81920 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 9.00 mb


    OTM by OldTimer - Version 3.1.10.0 log created on 03152010_082623

    Files moved on Reboot...
    File C:\WINDOWS\temp\_avast4_\Webshlock.txt not found!
    C:\WINDOWS\temp\Perflib_Perfdata_4b8.dat moved successfully.

    Registry entries deleted on Reboot...
  10. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Please re-run ComboFix and post a fresh log.
  11. cj1234

    cj1234 Newcomer, in training Topic Starter Posts: 26

    ComboFix logs

    ComboFix 10-03-14.06 - Owner 03/15/2010 12:02:29.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.247.112 [GMT -6:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    .((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    Infected copy of c:\windows\system32\qmgr.dll was found and disinfected
    Restored copy from - c:\windows\ERDNT\cache\qmgr.dll
    .
    ((((((((((((((((((((((((( Files Created from 2010-02-15 to 2010-03-15 )))))))))))))))))))))))))))))))

    2010-03-14 00:50 . 2010-03-14 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-03-14 00:48 . 2010-03-14 00:48 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
    2010-03-14 00:46 . 2010-03-14 00:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-03-14 00:46 . 2010-03-14 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-03-13 21:46 . 2003-08-29 03:19 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\interMute
    2010-03-13 21:46 . 2003-08-29 03:16 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec
    2010-03-13 21:46 . 2003-08-24 03:26 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView
    2010-03-13 21:46 . 2003-08-23 14:12 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Sonic

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-30 14:45 . 2007-12-30 14:45 32 --sha-w- c:\windows\{32DDC6AC-7427-4776-BCB2-ED9DD50467CC}.dat

    ------- Sigcheck -------

    [-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\wscntfy.exe
    [-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\wscntfy.exe
    [-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wscntfy.exe
    [-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\wscntfy.exe

    [-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\xmlprov.dll
    [-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\xmlprov.dll
    [-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\xmlprov.dll
    [-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\xmlprov.dll

    [-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
    [-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\ServicePackFiles\i386\mspmsnsv.dll
    [-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\mspmsnsv.dll
    [-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\mspmsnsv.dll
    [-] 2002-11-27 09:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll

    c:\windows\System32\wscntfy.exe ... is missing !!
    c:\windows\System32\xmlprov.dll ... is missing !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BackupNotify"="c:\program files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe" [2003-06-23 24576]
    "NVIEW"="nview.dll" [2003-05-03 835654]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
    "CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 90112]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-06-14 49152]
    "HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-23 49152]
    "HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 483328]
    "StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-03 4640768]
    "nwiz"="nwiz.exe" [2003-05-03 323584]
    "AlcxMonitor"="ALCXMNTR.EXE" [2003-04-04 50176]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

    c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
    AutoTBar.exe [2003-6-18 53248]
    mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]

    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    AutoTBar.exe [2003-6-18 53248]
    mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton Personal Firewall.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Norton Personal Firewall.lnk
    backup=c:\windows\pss\Norton Personal Firewall.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
    backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
    backup=c:\windows\pss\Updates from HP.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HP Organize.lnk]
    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\HP Organize.lnk
    backup=c:\windows\pss\HP Organize.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
    2003-06-19 02:19 53248 ----a-w- c:\hp\bin\AUTOTKIT.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    2003-02-25 01:51 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    2002-09-14 04:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
    2003-06-18 01:13 118784 ----a-w- c:\windows\CREATOR\Remind_XP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-18 17:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2010-02-18 22:40 2012912 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2003-08-23 14:14 151597 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    R2 mrtRate;mrtRate; [x]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
    S1 aswSP;avast! Self Protection; [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 20:42]

    2010-03-13 c:\windows\Tasks\Easy Internet Sign-up.job
    - c:\program files\Easy Internet signup\HPSdpApp.exe [2003-05-23 23:13]
    .
     
  12. cj1234

    cj1234 Newcomer, in training Topic Starter Posts: 26

    ComboFix continued

    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://us9.hpwis.com/
    uDefault_Search_URL = hxxp://srch-us9.hpwis.com/
    mStart Page = hxxp://us9.hpwis.com/
    mSearch Bar = hxxp://srch-us9.hpwis.com/
    uInternet Connection Wizard,ShellNext = hxxp://us9.hpwis.com/
    uInternet Settings,ProxyOverride = localhost
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-15 12:19
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    - - - - - - - > 'winlogon.exe'(492)
    c:\windows\System32\ODBC32.dll
    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    - - - - - - - > 'lsass.exe'(548)
    c:\windows\System32\dssenh.dll

    - - - - - - - > 'explorer.exe'(2992)
    c:\windows\System32\msi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    c:\windows\ALCXMNTR.EXE
    c:\program files\Alwil Software\Avast4\ashMaiSv.exe
    c:\program files\Alwil Software\Avast4\ashWebSv.exe
    .
    **************************************************************************
    .
    Completion time: 2010-03-15 12:41:04 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-15 18:40
    ComboFix2.txt 2010-03-14 22:50

    Pre-Run: 59,687,628,800 bytes free
    Post-Run: 59,627,495,424 bytes free

    - - End Of File - - EAF36F4DFD05C776AB6119D74207F101
  13. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    
    Folder::
    
    Driver::
    
    Registry::
    
    RegLockDel::
    
    MIA::
    c:\windows\System32\xmlprov.dll
    c:\windows\System32\wscntfy.exe
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
  14. cj1234

    cj1234 Newcomer, in training Topic Starter Posts: 26

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:35:33 PM, on 3/15/2010
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
    O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
    O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1268679323578
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    --
    End of file - 5587 bytes

    ComboFix 10-03-14.06 - Owner 03/15/2010 13:05:16.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.247.137 [GMT -6:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\System32\xmlprov.dll . . . is missing!!

    c:\windows\System32\wscntfy.exe . . . is missing!!

    .
    ((((((((((((((((((((((((( Files Created from 2010-02-15 to 2010-03-15 )))))))))))))))))))))))))))))))
    .

    2010-03-15 19:04 . 2005-02-25 03:35 22752 ----a-w- c:\windows\system32\spupdsvc.exe
    2010-03-15 19:00 . 2010-03-15 19:00 -------- d-----w- c:\windows\system32\bits
    2010-03-15 18:57 . 2004-07-01 22:08 7680 -c----w- c:\windows\system32\dllcache\bitsprx2.dll
    2010-03-15 18:57 . 2004-07-01 22:08 7680 ------w- c:\windows\system32\bitsprx2.dll
    2010-03-15 18:57 . 2004-07-01 22:08 7168 -c----w- c:\windows\system32\dllcache\bitsprx3.dll
    2010-03-15 18:57 . 2004-07-01 22:08 7168 ------w- c:\windows\system32\bitsprx3.dll
    2010-03-15 18:57 . 2004-07-01 22:08 331776 -c--a-w- c:\windows\system32\dllcache\winhttp.dll
    2010-03-15 18:57 . 2004-07-01 22:08 331776 ----a-w- c:\windows\system32\winhttp.dll
    2010-03-15 18:57 . 2004-07-01 22:08 17408 -c--a-w- c:\windows\system32\dllcache\qmgrprxy.dll
    2010-03-15 18:57 . 2004-07-01 22:08 17408 ----a-w- c:\windows\system32\qmgrprxy.dll
    2010-03-15 18:57 . 2004-06-30 23:59 158720 ------w- c:\windows\system32\xpob2res.dll
    2010-03-15 18:56 . 2009-08-07 01:24 327896 ----a-w- c:\windows\system32\wucltui.dll
    2010-03-15 18:56 . 2009-08-07 01:24 44768 ----a-w- c:\windows\system32\wups2.dll
    2010-03-15 18:56 . 2009-08-07 01:24 35552 ----a-w- c:\windows\system32\wups.dll
    2010-03-15 18:56 . 2009-08-07 01:23 575704 ----a-w- c:\windows\system32\wuapi.dll
    2010-03-15 14:26 . 2010-03-15 14:26 -------- d-----w- C:\_OTM
    2010-03-14 01:38 . 2010-03-14 01:38 -------- d-----w- c:\program files\Trend Micro
    2010-03-14 01:09 . 2010-03-14 01:09 -------- d-----w- c:\program files\Common Files\Java
    2010-03-14 01:08 . 2010-03-14 01:08 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-03-14 00:50 . 2010-03-14 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-03-14 00:48 . 2010-03-14 00:49 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-03-14 00:48 . 2010-03-14 00:48 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
    2010-03-14 00:47 . 2010-03-14 00:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-03-14 00:46 . 2010-03-14 00:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-03-14 00:46 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-14 00:46 . 2010-03-14 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-03-14 00:46 . 2010-03-14 00:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-14 00:46 . 2010-01-07 22:07 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-13 22:17 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-03-13 22:17 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-03-13 22:17 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-03-13 22:17 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
    2010-03-13 22:17 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-03-13 22:17 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-03-13 22:17 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-03-13 22:15 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
    2010-03-13 22:15 . 2010-03-13 22:15 -------- d-----w- c:\program files\Alwil Software
    2010-03-13 22:12 . 2010-03-13 22:13 -------- d-----w- c:\program files\CCleaner
    2010-03-13 21:50 . 2003-04-07 14:05 155648 ----a-w- c:\windows\system32\igfxres.dll
    2010-03-13 21:45 . 2010-03-13 21:45 -------- d-----w- c:\windows\system32\config\systemprofile\.javaws
  15. cj1234

    cj1234 Newcomer, in training Topic Starter Posts: 26

    ComboFix continued

    2010-03-13 21:40 . 2002-08-29 08:06 51072 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2010-03-13 21:40 . 2002-08-29 07:27 23424 ------w- c:\windows\system32\drivers\kbdclass.sys
    2010-03-13 21:37 . 2002-08-29 08:01 134272 ----a-w- c:\windows\system32\drivers\portcls.sys
    2010-03-13 21:37 . 2002-08-29 07:32 57856 ----a-w- c:\windows\system32\drivers\drmk.sys
    2010-03-13 21:32 . 2003-08-23 14:32 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft
    2010-03-13 21:32 . 2002-08-29 09:32 5888 ----a-w- c:\windows\system32\drivers\splitter.sys
    2010-03-13 21:32 . 2002-08-29 10:00 77440 ----a-w- c:\windows\system32\drivers\wdmaud.sys
    2010-03-13 21:32 . 2001-08-17 21:59 50048 ----a-w- c:\windows\system32\drivers\DMusic.sys
    2010-03-13 21:32 . 2001-08-17 22:00 54272 ----a-w- c:\windows\system32\drivers\swmidi.sys
    2010-03-13 21:32 . 2002-08-29 07:16 142208 ------w- c:\windows\system32\drivers\aec.sys
    2010-03-13 21:32 . 2002-08-29 09:32 159360 ----a-w- c:\windows\system32\drivers\kmixer.sys
    2010-03-13 21:32 . 2002-08-29 09:32 2816 ----a-w- c:\windows\system32\drivers\drmkaud.sys
    2010-03-13 21:32 . 2002-08-29 10:01 56832 ----a-w- c:\windows\system32\drivers\sysaudio.sys
    2010-03-13 20:42 . 2010-03-15 19:02 -------- dcsh--r- c:\windows\system32\dllcache
    2010-03-08 23:44 . 2010-03-14 02:48 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Windows Server

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-15 18:52 . 2003-08-24 03:33 -------- d-----w- c:\program files\Easy Internet signup
    2010-03-14 02:55 . 2010-03-14 00:51 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-03-14 02:50 . 2003-08-29 03:15 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-03-14 01:12 . 2003-08-29 03:19 -------- d-----w- c:\documents and settings\Owner\Application Data\interMute
    2010-03-14 01:11 . 2003-08-23 14:19 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-03-14 01:09 . 2010-03-14 01:09 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1a312a54-n\msvcp71.dll
    2010-03-14 01:09 . 2010-03-14 01:09 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1a312a54-n\msvcr71.dll
    2010-03-14 01:09 . 2010-03-14 01:09 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1a312a54-n\jmc.dll
    2010-03-14 01:09 . 2010-03-14 01:09 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-45f028e3-n\decora-sse.dll
    2010-03-14 01:09 . 2010-03-14 01:09 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-45f028e3-n\decora-d3d.dll
    2010-03-14 01:08 . 2004-05-23 01:56 -------- d-----w- c:\program files\Java
    2010-03-14 00:51 . 2010-03-14 00:51 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-03-13 22:04 . 2003-08-29 03:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2010-03-13 22:04 . 2003-08-29 03:15 -------- d-----w- c:\program files\Norton AntiVirus
    2010-03-13 22:03 . 2003-08-29 03:15 -------- d-----w- c:\program files\Symantec
    2010-03-13 21:49 . 2010-03-13 21:49 3526 --sha-r- c:\windows\system32\drivers\HP_DM185A-ABA a335w_YUU_Pavi_QMXM344_E34NAheBLU2_4_IGlendale motherboard_STriGem Computer Inc._V_B3.24_T031014_WXH1_L409_M248_J82_7Intel_8Pentium 4_92.49_1_N10EC8139_P_Z11C1044C_K_A808624C5_U808624C2_G80862562.MRK
    2010-03-13 21:45 . 2007-08-31 18:44 -------- d-----w- c:\program files\Java Web Start
    2010-03-05 16:27 . 2006-12-08 00:14 -------- d-----w- c:\program files\NetZero
    2010-02-13 19:38 . 2006-04-11 23:18 -------- d-----w- c:\program files\America Online 9.0b
    2010-02-13 19:26 . 2005-03-24 21:31 7101 ----a-w- c:\documents and settings\All Users\Application Data\AOL\AOLszs.drv
    2010-02-07 05:12 . 2010-02-07 05:12 -------- d-----w- c:\program files\MSBuild
    2010-02-07 05:12 . 2010-02-07 05:12 -------- d-----w- c:\program files\Reference Assemblies
    2010-02-06 19:25 . 2010-02-06 19:24 -------- d-----w- c:\program files\Linksys Wireless-G USB Wireless Network Monitor
    2010-02-03 03:05 . 2008-01-15 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
    2010-01-30 19:52 . 2010-01-30 19:39 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
    2010-01-28 07:39 . 2006-04-11 23:56 -------- d-----w- c:\program files\Watchtower
    2007-12-30 14:45 . 2007-12-30 14:45 32 --sha-w- c:\windows\{32DDC6AC-7427-4776-BCB2-ED9DD50467CC}.dat
    .

    ------- Sigcheck -------

    [-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\wscntfy.exe
    [-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\wscntfy.exe
    [-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wscntfy.exe
    [-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\wscntfy.exe

    [-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\xmlprov.dll
    [-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\xmlprov.dll
    [-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\xmlprov.dll
    [-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\xmlprov.dll

    [-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
    [-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\ServicePackFiles\i386\mspmsnsv.dll
    [-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\mspmsnsv.dll
    [-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\mspmsnsv.dll
    [-] 2002-11-27 09:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll

    c:\windows\System32\wscntfy.exe ... is missing !!
    c:\windows\System32\xmlprov.dll ... is missing !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BackupNotify"="c:\program files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe" [2003-06-23 24576]
    "NVIEW"="nview.dll" [2003-05-03 835654]
  16. cj1234

    cj1234 Newcomer, in training Topic Starter Posts: 26

    ComboFix cont. 2

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
    "CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 90112]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-06-14 49152]
    "HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-23 49152]
    "HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 483328]
    "StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-03 4640768]
    "nwiz"="nwiz.exe" [2003-05-03 323584]
    "AlcxMonitor"="ALCXMNTR.EXE" [2003-04-04 50176]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

    c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
    AutoTBar.exe [2003-6-18 53248]
    mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]

    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    AutoTBar.exe [2003-6-18 53248]
    mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton Personal Firewall.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Norton Personal Firewall.lnk
    backup=c:\windows\pss\Norton Personal Firewall.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
    backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
    backup=c:\windows\pss\Updates from HP.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HP Organize.lnk]
    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\HP Organize.lnk
    backup=c:\windows\pss\HP Organize.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
    2003-06-19 02:19 53248 ----a-w- c:\hp\bin\AUTOTKIT.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    2003-02-25 01:51 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    2002-09-14 04:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
    2003-06-18 01:13 118784 ----a-w- c:\windows\CREATOR\Remind_XP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-18 17:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2010-02-18 22:40 2012912 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2003-08-23 14:14 151597 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [3/13/2010 4:17 PM 114768]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
    S2 mrtRate;mrtRate; [x]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 20:42]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://us9.hpwis.com/
    uDefault_Search_URL = hxxp://srch-us9.hpwis.com/
    mStart Page = hxxp://us9.hpwis.com/
    mSearch Bar = hxxp://srch-us9.hpwis.com/
    uInternet Connection Wizard,ShellNext = hxxp://us9.hpwis.com/
    uInternet Settings,ProxyOverride = localhost
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-15 13:18
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(492)
    c:\windows\System32\ODBC32.dll
    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    - - - - - - - > 'lsass.exe'(548)
    c:\windows\System32\dssenh.dll
    .
    Completion time: 2010-03-15 13:26:09
    ComboFix-quarantined-files.txt 2010-03-15 19:26
    ComboFix2.txt 2010-03-15 18:41
    ComboFix3.txt 2010-03-14 22:50

    Pre-Run: 59,438,346,240 bytes free
    Post-Run: 59,421,724,672 bytes free

    - - End Of File - - 4461C561C050F7ADA05A28712D8CE5B4
  17. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Use OTM again and run it with the following code:

    Code:
    :Processes
    
    :Services
          
    :Reg
    
    :Files
    c:\windows\System32\xmlprov.dll|c:\windows\ServicePackFiles\i386\xmlprov.dll /replace
    c:\windows\System32\wscntfy.exe|c:\windows\ServicePackFiles\i386\wscntfy.exe /replace
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
    
  18. cj1234

    cj1234 Newcomer, in training Topic Starter Posts: 26

    Here is the log:

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    File c:\windows\System32\xmlprov.dll successfully replaced with c:\windows\ServicePackFiles\i386\xmlprov.dll
    File c:\windows\System32\wscntfy.exe successfully replaced with c:\windows\ServicePackFiles\i386\wscntfy.exe
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 65536 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Owner
    ->Temp folder emptied: 155 bytes
    ->Temporary Internet Files folder emptied: 6048799 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 16384 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 6.00 mb


    OTM by OldTimer - Version 3.1.10.0 log created on 03152010_140639

    Files moved on Reboot...
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\EB8F43A3\01[1].htm moved successfully.
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2P2BI3MD\topic144448[2].html moved successfully.
    File C:\WINDOWS\temp\_avast4_\Webshlock.txt not found!
    C:\WINDOWS\temp\Perflib_Perfdata_4e0.dat moved successfully.

    Registry entries deleted on Reboot...
  19. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Very good :)

    Give me fresh Combofix log, please.
  20. cj1234

    cj1234 Newcomer, in training Topic Starter Posts: 26

    Thanks, here it is. Wish I could send a smiley... lol.

    ComboFix 10-03-15.01 - Owner 03/15/2010 14:55:51.4.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.247.135 [GMT -6:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\AppPatch\AcAdProc.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-02-15 to 2010-03-15 )))))))))))))))))))))))))))))))
    .

    2010-03-15 20:06 . 2008-04-14 00:12 13824 ----a-w- c:\windows\system32\wscntfy.exe
    2010-03-15 20:06 . 2008-04-14 00:12 129024 ----a-w- c:\windows\system32\xmlprov.dll
    2010-03-15 19:04 . 2005-02-25 03:35 22752 ----a-w- c:\windows\system32\spupdsvc.exe
    2010-03-15 19:00 . 2010-03-15 19:00 -------- d-----w- c:\windows\system32\bits
    2010-03-15 18:57 . 2004-07-01 22:08 7680 -c----w- c:\windows\system32\dllcache\bitsprx2.dll
    2010-03-15 18:57 . 2004-07-01 22:08 7680 ------w- c:\windows\system32\bitsprx2.dll
    2010-03-15 18:57 . 2004-07-01 22:08 7168 -c----w- c:\windows\system32\dllcache\bitsprx3.dll
    2010-03-15 18:57 . 2004-07-01 22:08 7168 ------w- c:\windows\system32\bitsprx3.dll
    2010-03-15 18:57 . 2004-07-01 22:08 331776 -c--a-w- c:\windows\system32\dllcache\winhttp.dll
    2010-03-15 18:57 . 2004-07-01 22:08 331776 ----a-w- c:\windows\system32\winhttp.dll
    2010-03-15 18:57 . 2004-07-01 22:08 17408 -c--a-w- c:\windows\system32\dllcache\qmgrprxy.dll
    2010-03-15 18:57 . 2004-07-01 22:08 17408 ----a-w- c:\windows\system32\qmgrprxy.dll
    2010-03-15 18:57 . 2004-06-30 23:59 158720 ------w- c:\windows\system32\xpob2res.dll
    2010-03-15 18:56 . 2009-08-07 01:24 327896 ----a-w- c:\windows\system32\wucltui.dll
    2010-03-15 18:56 . 2009-08-07 01:24 44768 ----a-w- c:\windows\system32\wups2.dll
    2010-03-15 18:56 . 2009-08-07 01:24 35552 ----a-w- c:\windows\system32\wups.dll
    2010-03-15 18:56 . 2009-08-07 01:23 575704 ----a-w- c:\windows\system32\wuapi.dll
    2010-03-15 14:26 . 2010-03-15 14:26 -------- d-----w- C:\_OTM
    2010-03-14 01:38 . 2010-03-14 01:38 -------- d-----w- c:\program files\Trend Micro
    2010-03-14 01:09 . 2010-03-14 01:09 -------- d-----w- c:\program files\Common Files\Java
    2010-03-14 01:08 . 2010-03-14 01:08 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-03-14 00:50 . 2010-03-14 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-03-14 00:48 . 2010-03-14 00:49 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-03-14 00:48 . 2010-03-14 00:48 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
    2010-03-14 00:47 . 2010-03-14 00:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-03-14 00:46 . 2010-03-14 00:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-03-14 00:46 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-14 00:46 . 2010-03-14 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-03-14 00:46 . 2010-03-14 00:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-14 00:46 . 2010-01-07 22:07 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-13 22:17 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-03-13 22:17 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-03-13 22:17 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-03-13 22:17 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
    2010-03-13 22:17 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-03-13 22:17 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-03-13 22:17 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-03-13 22:15 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
    2010-03-13 22:15 . 2010-03-13 22:15 -------- d-----w- c:\program files\Alwil Software
    2010-03-13 22:12 . 2010-03-13 22:13 -------- d-----w- c:\program files\CCleaner
    2010-03-13 21:50 . 2003-04-07 14:05 155648 ----a-w- c:\windows\system32\igfxres.dll
    2010-03-13 21:45 . 2010-03-13 21:45 -------- d-----w- c:\windows\system32\config\systemprofile\.javaws
    2010-03-13 21:40 . 2002-08-29 08:06 51072 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2010-03-13 21:40 . 2002-08-29 07:27 23424 ------w- c:\windows\system32\drivers\kbdclass.sys
    2010-03-13 21:37 . 2002-08-29 08:01 134272 ----a-w- c:\windows\system32\drivers\portcls.sys
    2010-03-13 21:37 . 2002-08-29 07:32 57856 ----a-w- c:\windows\system32\drivers\drmk.sys
    2010-03-13 21:32 . 2003-08-23 14:32 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft
    2010-03-13 21:32 . 2002-08-29 09:32 5888 ----a-w- c:\windows\system32\drivers\splitter.sys
    2010-03-13 21:32 . 2002-08-29 10:00 77440 ----a-w- c:\windows\system32\drivers\wdmaud.sys
    2010-03-13 21:32 . 2001-08-17 21:59 50048 ----a-w- c:\windows\system32\drivers\DMusic.sys
    2010-03-13 21:32 . 2001-08-17 22:00 54272 ----a-w- c:\windows\system32\drivers\swmidi.sys
    2010-03-13 21:32 . 2002-08-29 07:16 142208 ------w- c:\windows\system32\drivers\aec.sys
    2010-03-13 21:32 . 2002-08-29 09:32 159360 ----a-w- c:\windows\system32\drivers\kmixer.sys
    2010-03-13 21:32 . 2002-08-29 09:32 2816 ----a-w- c:\windows\system32\drivers\drmkaud.sys
    2010-03-13 21:32 . 2002-08-29 10:01 56832 ----a-w- c:\windows\system32\drivers\sysaudio.sys
    2010-03-13 20:42 . 2010-03-15 19:02 -------- dcsh--r- c:\windows\system32\dllcache
    2010-03-08 23:44 . 2010-03-14 02:48 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Windows Server

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-15 18:52 . 2003-08-24 03:33 -------- d-----w- c:\program files\Easy Internet signup
    2010-03-14 02:55 . 2010-03-14 00:51 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-03-14 02:50 . 2003-08-29 03:15 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-03-14 01:12 . 2003-08-29 03:19 -------- d-----w- c:\documents and settings\Owner\Application Data\interMute
    2010-03-14 01:11 . 2003-08-23 14:19 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-03-14 01:09 . 2010-03-14 01:09 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1a312a54-n\msvcp71.dll
    2010-03-14 01:09 . 2010-03-14 01:09 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1a312a54-n\msvcr71.dll
    2010-03-14 01:09 . 2010-03-14 01:09 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1a312a54-n\jmc.dll
    2010-03-14 01:09 . 2010-03-14 01:09 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-45f028e3-n\decora-sse.dll
    2010-03-14 01:09 . 2010-03-14 01:09 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-45f028e3-n\decora-d3d.dll
    2010-03-14 01:08 . 2004-05-23 01:56 -------- d-----w- c:\program files\Java
    2010-03-14 00:51 . 2010-03-14 00:51 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-03-13 22:04 . 2003-08-29 03:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2010-03-13 22:04 . 2003-08-29 03:15 -------- d-----w- c:\program files\Norton AntiVirus
    2010-03-13 22:03 . 2003-08-29 03:15 -------- d-----w- c:\program files\Symantec
    2010-03-13 21:49 . 2010-03-13 21:49 3526 --sha-r- c:\windows\system32\drivers\HP_DM185A-ABA a335w_YUU_Pavi_QMXM344_E34NAheBLU2_4_IGlendale motherboard_STriGem Computer Inc._V_B3.24_T031014_WXH1_L409_M248_J82_7Intel_8Pentium 4_92.49_1_N10EC8139_P_Z11C1044C_K_A808624C5_U808624C2_G80862562.MRK
    2010-03-13 21:45 . 2007-08-31 18:44 -------- d-----w- c:\program files\Java Web Start
    2010-03-05 16:27 . 2006-12-08 00:14 -------- d-----w- c:\program files\NetZero
    2010-02-13 19:38 . 2006-04-11 23:18 -------- d-----w- c:\program files\America Online 9.0b
    2010-02-13 19:26 . 2005-03-24 21:31 7101 ----a-w- c:\documents and settings\All Users\Application Data\AOL\AOLszs.drv
    2010-02-07 05:12 . 2010-02-07 05:12 -------- d-----w- c:\program files\MSBuild
    2010-02-07 05:12 . 2010-02-07 05:12 -------- d-----w- c:\program files\Reference Assemblies
    2010-02-06 19:25 . 2010-02-06 19:24 -------- d-----w- c:\program files\Linksys Wireless-G USB Wireless Network Monitor
    2010-02-03 03:05 . 2008-01-15 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
    2010-01-30 19:52 . 2010-01-30 19:39 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
    2010-01-28 07:39 . 2006-04-11 23:56 -------- d-----w- c:\program files\Watchtower
    2007-12-30 14:45 . 2007-12-30 14:45 32 --sha-w- c:\windows\{32DDC6AC-7427-4776-BCB2-ED9DD50467CC}.dat
    .
  21. cj1234

    cj1234 Newcomer, in training Topic Starter Posts: 26

    ------- Sigcheck -------

    [-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\wscntfy.exe
    [-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe
    [-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\wscntfy.exe
    [-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wscntfy.exe
    [-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\wscntfy.exe

    [-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\xmlprov.dll
    [-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\xmlprov.dll
    [-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\xmlprov.dll
    [-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\xmlprov.dll
    [-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\xmlprov.dll

    [-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
    [-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\ServicePackFiles\i386\mspmsnsv.dll
    [-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\mspmsnsv.dll
    [-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\mspmsnsv.dll
    [-] 2002-11-27 09:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BackupNotify"="c:\program files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe" [2003-06-23 24576]
    "NVIEW"="nview.dll" [2003-05-03 835654]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
    "CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 90112]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-06-14 49152]
    "HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-23 49152]
    "HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 483328]
    "StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-03 4640768]
    "nwiz"="nwiz.exe" [2003-05-03 323584]
    "AlcxMonitor"="ALCXMNTR.EXE" [2003-04-04 50176]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

    c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
    AutoTBar.exe [2003-6-18 53248]
    mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]

    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    AutoTBar.exe [2003-6-18 53248]
    mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton Personal Firewall.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Norton Personal Firewall.lnk
    backup=c:\windows\pss\Norton Personal Firewall.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
    backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
    backup=c:\windows\pss\Updates from HP.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HP Organize.lnk]
    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\HP Organize.lnk
    backup=c:\windows\pss\HP Organize.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
    2003-06-19 02:19 53248 ----a-w- c:\hp\bin\AUTOTKIT.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    2003-02-25 01:51 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    2002-09-14 04:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
    2003-06-18 01:13 118784 ----a-w- c:\windows\CREATOR\Remind_XP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-18 17:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2010-02-18 22:40 2012912 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2003-08-23 14:14 151597 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [3/13/2010 4:17 PM 114768]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
    S2 mrtRate;mrtRate; [x]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 20:42]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uDefault_Search_URL = hxxp://srch-us9.hpwis.com/
    mStart Page = hxxp://us9.hpwis.com/
    mSearch Bar = hxxp://srch-us9.hpwis.com/
    uInternet Connection Wizard,ShellNext = hxxp://us9.hpwis.com/
    uInternet Settings,ProxyOverride = localhost
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-15 15:07
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(492)
    c:\windows\System32\ODBC32.dll
    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    - - - - - - - > 'lsass.exe'(548)
    c:\windows\System32\dssenh.dll
    .
    Completion time: 2010-03-15 15:17:57
    ComboFix-quarantined-files.txt 2010-03-15 21:17
    ComboFix2.txt 2010-03-15 19:26
    ComboFix3.txt 2010-03-15 18:41
    ComboFix4.txt 2010-03-14 22:50

    Pre-Run: 59,231,952,896 bytes free
    Post-Run: 59,215,867,904 bytes free

    - - End Of File - - A1EE674942B93B8BE4A51CDD7E150F4C
  22. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    OK, I want to make sure all files are safe, so...

    Open Windows Explorer. Go to Tools > Folder Options > View tab and put a checkmark next to Show hidden files and folders.
    Upload the following files to http://www.virustotal.com/ for a security check:
    c:\windows\system32\mspmsnsv.dll
    c:\windows\system32\xmlprov.dll
    c:\windows\system32\wscntfy.exe
    If a file is listed as already analyzed, click on the Reanalyse file now button.
    Post the scan results if they are different from 0/40.
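    The three files requested above are exactly the ones whose Sigcheck entries in the ComboFix log deserve a second look: the live c:\windows\system32\mspmsnsv.dll reports the same version (9.0.1.56) and size (52224) as the backup copies under ServicePackFiles and $NtUninstallWMFDist11$, yet carries a different MD5 and a 2002 timestamp, while wscntfy.exe and xmlprov.dll match their ServicePackFiles copies byte for byte. The script below is an added example, not part of the thread or of ComboFix: it parses the Sigcheck lines copied from the log above (used here as sample input), groups them by filename, and reports any live system32 copy whose hash matches none of the other on-disk copies that report the same file version. The version-grouped comparison is an assumed heuristic; a mismatch is a lead for the VirusTotal upload, not proof of tampering, since OEM builds and hotfixes can legitimately produce a same-version file with a different hash.

```python
"""Added example (not from the thread): cross-check the MD5s ComboFix printed
under 'Sigcheck' so the one file worth uploading stands out.

Heuristic (assumed, not ComboFix's own logic): for each filename, take the
live copy in \windows\system32 and compare its MD5 against every other copy
on disk that reports the same file version. A live copy whose hash matches
none of its same-version siblings is the one to send to VirusTotal; a
mismatch is a lead, not proof of infection."""
import hashlib
import re
from collections import defaultdict

# Sample input: the Sigcheck lines copied from the ComboFix log in the thread
# (a raw string so the Windows backslashes survive).
SIGCHECK_LOG = r"""
[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\wscntfy.exe
[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe
[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\wscntfy.exe
[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\xmlprov.dll
[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\xmlprov.dll
[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\xmlprov.dll
[-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
[-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\ServicePackFiles\i386\mspmsnsv.dll
[-] 2002-11-27 09:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll
"""

# One Sigcheck line: "[flag] date[ time] . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]])\]\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
        # The copy Windows actually loads lives under \windows\system32.
        e["live"] = "\\windows\\system32\\" in e["path"].lower()
        entries.append(e)
    return entries


def find_suspect_files(entries):
    """Map filename -> details for every live copy whose MD5 matches none of
    the other copies reporting the same file version. Files with no
    same-version sibling are skipped: there is nothing to compare against."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    suspects = {}
    for name, group in by_name.items():
        for live in (e for e in group if e["live"]):
            siblings = {e["md5"] for e in group
                        if not e["live"] and e["version"] == live["version"]}
            if siblings and live["md5"] not in siblings:
                suspects[name] = {"path": live["path"], "live": live["md5"],
                                  "expected": siblings, "stamp": live["stamp"]}
    return suspects


def md5_hex(data: bytes) -> str:
    """MD5 in the upper-case form ComboFix prints, so a file pulled off the
    machine can be matched against the log before uploading it. MD5 is used
    here only as a file identity check, not as a security primitive."""
    return hashlib.md5(data).hexdigest().upper()


if __name__ == "__main__":
    for name, info in find_suspect_files(parse_sigcheck(SIGCHECK_LOG)).items():
        print(f"{name}: live copy {info['live']} ({info['stamp']}) "
              f"vs same-version copies {sorted(info['expected'])}")
        print(f"  -> upload {info['path']} to VirusTotal")
```

    Run against the log above it names only mspmsnsv.dll; wscntfy.exe and xmlprov.dll drop out because their system32 hashes equal the ServicePackFiles copies. Paste the full Sigcheck block from your own ComboFix log into SIGCHECK_LOG to triage a longer listing the same way.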
  23. cj1234

    cj1234 Newcomer, in training Topic Starter Posts: 26

    Results show all had 0/42 found.
  24. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Good :)

    Uninstall Combofix:
    Go to Start > Run [Vista users, go to Start > "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between "Combofix" and "/Uninstall".
    Click OK (Vista users - press Enter).
    Restart the computer.

    =========================================================================

    1. Download Temp File Cleaner (TFC)
    Double-click on TFC.exe to run the program.
    Click on the Start button to begin the cleaning process.
    TFC will close all running programs, and it may ask you to restart the computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
  25. cj1234

    cj1234 Newcomer, in training Topic Starter Posts: 26

    Can't seem to get into Kaspersky. It just keeps freezing at the Accept screen. Is there some kind of alternative? I will keep trying it, though, for a while.