Can only start in safe mode [RESOLVED], Starting my computer brings up a desktop, but no desktop
mathiasquimby
post Oct 29 2007, 10:30 PM
Post #1
New Member
Posts: 5
OS: Windows XP

Hi. I think I have a virus that all my software cannot find. AVG, Spyware Doctor and the Windows malware removal program all say there is no problem, but there is. I cannot start my computer except in Safe Mode, and I get Windows pop-ups from Internet Explorer when I am using Firefox. This is my log. Please let me know what is going on. This was taken in Safe Mode, because I can't use my computer in Normal Mode. Thanks for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:37 PM, on 10/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.princetonreview.com/teachers
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows SP System] svchost.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 4510 bytes
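Two kinds of O4 entry in that HijackThis log stand out to a reviewer: `[Windows SP System] svchost.exe` names a core Windows process with no path at all, and `TFncKy.exe` and `AGRSMMSG.exe` are likewise bare names that Windows resolves by a PATH search at logon, so the file that actually runs is whichever one is found first. The block below is an added example, not part of this thread and not a HijackThis or Geeks to Go tool, of the triage a helper does by eye: it parses O4 Run-key lines and flags bare-name entries and system-process lookalikes. The sample lines are copied from the log above; the function names and the `SYSTEM_PROCESS_NAMES` set are this example's own.

```python
import re

# Sample O4 (Run-key autostart) lines taken from the HijackThis log posted above.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows SP System] svchost.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip().splitlines()

# Core Windows processes that the boot chain or the Service Control Manager
# starts from %SystemRoot%\system32. None of them is launched from a Run key,
# so a Run entry carrying one of these names is almost certainly a lookalike.
SYSTEM_PROCESS_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe",
}

# Matches:  O4 - HKLM\..\Run: [entry name] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def executable_of(cmd):
    """Return the executable part of a Run-key command line, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def is_bare_name(exe):
    """True when the entry gives a file name with no drive or directory."""
    return "\\" not in exe and "/" not in exe and ":" not in exe


def triage_o4(lines):
    """Return (entry name, executable, reason) for every suspicious O4 Run entry."""
    findings = []
    for line in lines:
        m = O4_RE.match(line)
        if not m:
            continue  # O4 Startup-folder lines and other sections are not Run keys
        exe = executable_of(m.group("cmd"))
        base = exe.rsplit("\\", 1)[-1].lower()
        if base in SYSTEM_PROCESS_NAMES:
            findings.append((m.group("name"), exe,
                             "system-process name in a Run key: lookalike, check which file runs"))
        elif is_bare_name(exe):
            findings.append((m.group("name"), exe,
                             "no path: resolved by PATH search at logon, locate the file and verify it"))
    return findings


if __name__ == "__main__":
    for name, exe, reason in triage_o4(SAMPLE_O4_LINES):
        print(f"[{name}] {exe}: {reason}")
```

Run on the sample, it reports exactly the three entries a helper would ask about and stays quiet on the fully qualified Symantec, QuickTime and ctfmon entries. The bare-name check is a prompt to go and find the file, not a verdict: `TFncKy.exe` and `AGRSMMSG.exe` are laptop OEM utilities that sometimes really are registered this way.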
Rorschach112
post Oct 30 2007, 12:34 AM
Post #2
GeekU Teacher
Posts: 21,843
From: Dublin
OS: XP

Let's see if I can work my magic.

You will need to download and transfer these files over via a USB key or a CD or something like that.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum





1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Under Additional Scans on the bottom right, check the boxes for Reg - Disabled MS Config Items.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.

mathiasquimby
post Oct 31 2007, 09:50 AM
Post #3

Thanks for the help, here's my SDFix:
SDFix: Version 1.112

Run by me on Tue 10/30/2007 at 11:36 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\PROGRA~1\hijack\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\images.zip - Deleted
C:\WINDOWS\install.exe - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\me\\Shared\\emule0.48a-PRO-Ultra2\\emule.exe"="C:\\Documents and Settings\\me\\Shared\\emule0.48a-PRO-Ultra2\\emule.exe:*:Enabled:eMule"
"C:\\Documents and Settings\\me\\Desktop\\emule.exe"="C:\\Documents and Settings\\me\\Desktop\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\emule\\emule.exe"="C:\\Program Files\\emule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:enabled:@shell32.dll,-1"
"SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List"="SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List:*:enabled:@shell32.dll,-1"
"C:\\WINDOWS\\TEMP\\PSTO_ps17.exe"="C:\\WINDOWS\\TEMP\\PSTO_ps17.exe:*:enabled:@shell32.dll,-1"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\PROGRA~1\hijack\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 13 Sep 2005 1,855,488 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\launcher.exe"
Sat 25 Jun 2005 62,464 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\mnyinsta.dll"
Fri 18 Aug 2006 102,704 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\RmvSuite.exe"
Thu 18 Aug 2005 36,864 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\setuplng.dll"
Sat 27 Oct 2007 20,480 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\unregwtr.exe"
Thu 25 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8361ae28fcfac79271825a6b2935fdb6\BIT2.tmp"
Fri 22 Sep 2006 152,541 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f040a43a7788e207ef67f26bf9f0471f\BITD.tmp"
Sun 14 Oct 2007 24,064 ...H. --- "C:\Documents and Settings\me\Application Data\Microsoft\Word\~WRL2639.tmp"

Finished!

My ComboFix report:

ComboFix 07-10-30.5 - me 2007-10-31 7:47:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.109 [GMT -7:00]
Running from: C:\Documents and Settings\me\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\byxwv.dll
C:\WINDOWS\system32\vwxyb.ini
C:\WINDOWS\system32\vwxyb.ini2

.
((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-31 )))))))))))))))))))))))))))))))
.

2007-10-31 07:43 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-30 11:35 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-29 15:47 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-10-29 15:33 <DIR> d-------- C:\Program Files\hijack
2007-10-29 13:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2007-10-29 11:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-10-29 08:37 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-28 11:52 <DIR> d-------- C:\Documents and Settings\me\Application Data\Grisoft
2007-10-28 11:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-28 11:50 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-27 16:57 <DIR> d-------- C:\Documents and Settings\me\Application Data\Printer Info Cache
2007-10-27 16:56 <DIR> d-------- C:\Documents and Settings\me\Application Data\Image Zone Express
2007-10-27 13:56 <DIR> d-------- C:\Documents and Settings\me\Application Data\HP
2007-10-27 13:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2007-10-27 13:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2007-10-27 13:19 <DIR> d-------- C:\Program Files\Common Files\HP
2007-10-27 13:13 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-10-27 13:09 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-10-27 12:57 49,920 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2007-10-27 12:57 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2007-10-27 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-10-27 12:54 258,048 -ra------ C:\WINDOWS\system32\hpzids01.dll
2007-10-27 12:54 117,760 --a------ C:\WINDOWS\system32\hpzll4v2.dll
2007-10-27 12:53 21,568 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2007-10-27 12:50 675,840 -ra------ C:\WINDOWS\system32\hpowiax3.dll
2007-10-27 12:50 569,344 -ra------ C:\WINDOWS\system32\hpotscl3.dll
2007-10-27 12:50 364,544 -ra------ C:\WINDOWS\system32\hppldcoi.dll
2007-10-27 12:50 309,760 -ra------ C:\WINDOWS\system32\difxapi.dll
2007-10-27 12:50 294,912 -ra------ C:\WINDOWS\system32\hpovst10.dll
2007-10-27 12:50 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-10-27 12:45 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-27 12:42 <DIR> d-------- C:\Program Files\HP
2007-10-27 12:42 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-10-27 12:41 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-10-27 11:24 139,814 --a------ C:\WINDOWS\hpoins12.dat
2007-10-27 11:24 1,470 --------- C:\WINDOWS\hpomdl12.dat
2007-10-24 11:02 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-22 19:53 <DIR> d-------- C:\Program Files\MSBuild
2007-10-22 19:23 676,224 --a------ C:\WINDOWS\system32\OGACheckControl.dll
2007-10-22 12:55 <DIR> d--hs---- C:\found.000
2007-10-12 16:04 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-10-10 10:19 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-10-10 10:15 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-10-10 10:12 <DIR> dr-h----- C:\MSOCache
2007-10-09 12:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-08 17:33 60,080 --a------ C:\Documents and Settings\me\Application Data\GDIPFONTCACHEV1.DAT
2007-10-06 02:08 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-10-05 22:16 <DIR> d-------- C:\Program Files\Final Draft Tagger
2007-10-05 22:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-05 19:54 <DIR> d-------- C:\Documents and Settings\me\Application Data\Final Draft
2007-10-05 19:48 <DIR> d-------- C:\Program Files\Final Draft 7
2007-10-05 19:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Final Draft
2007-09-27 16:33 <DIR> d-------- C:\Program Files\QuickTime
2007-09-27 16:33 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-27 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-27 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-09-19 12:23 <DIR> d-------- C:\Program Files\Advanced Batch Converter
2007-09-19 12:14 <DIR> d-------- C:\Program Files\ABC Amber Photoshop Converter
2007-09-19 12:10 <DIR> d-------- C:\Program Files\Photo Converter
2007-09-18 11:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-09-17 15:17 <DIR> d-------- C:\desktop
2007-09-17 14:01 <DIR> d-------- C:\Program Files\WebSite X5 Evolution
2007-09-17 14:01 192,000 --a------ C:\WINDOWS\system32\iwpsetup.exe
2007-09-17 14:01 29,696 --a------ C:\WINDOWS\system32\VB5STKIT.DLL
2007-09-17 13:59 <DIR> d-------- C:\WINDOWS\Sun
2007-09-17 13:24 <DIR> d-------- C:\Documents and Settings\me\Application Data\Web Page Maker V2
2007-09-16 22:07 <DIR> d-------- C:\Documents and Settings\me\Application Data\dvdcss
2007-09-16 20:24 <DIR> d-------- C:\Program Files\emule
2007-09-16 20:24 <DIR> d-------- C:\Program Files\Common Files\eMule
2007-09-16 19:18 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-09-16 19:12 <DIR> d-------- C:\Program Files\Photoshop CS
2007-09-16 14:37 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-14 06:09 <DIR> d-------- C:\Documents and Settings\me\Shared
2007-09-14 06:09 <DIR> d-------- C:\Documents and Settings\me\Incomplete
2007-09-14 06:09 <DIR> d-------- C:\Documents and Settings\me\Application Data\LimeWire
2007-09-14 06:08 <DIR> d-------- C:\Program Files\Java
2007-09-14 06:07 <DIR> d-------- C:\Program Files\LimeWire
2007-09-14 06:07 <DIR> d-------- C:\Program Files\Common Files\Java
2007-09-13 10:32 <DIR> d-------- C:\Documents and Settings\me\Application Data\Template
2007-09-12 21:23 24,560 --a------ C:\Documents and Settings\me\Application Data\wklnhst.dat
2007-09-12 21:18 <DIR> d-------- C:\Program Files\Microsoft Streets and Trips Essentials
2007-09-12 21:17 <DIR> d-------- C:\Program Files\Microsoft Location Finder
2007-09-12 21:13 <DIR> d-------- C:\Program Files\Encarta
2007-09-12 21:07 <DIR> d-------- C:\Program Files\Microsoft Digital Image 2006
2007-09-12 21:03 <DIR> d-------- C:\Program Files\microsoft money 2006
2007-09-12 20:51 <DIR> d-------- C:\Program Files\Microsoft Works
2007-09-12 20:49 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-09-12 20:48 <DIR> d-------- C:\Program Files\Microsoft Works Suite 2006
2007-09-12 17:27 <DIR> d-------- C:\WINDOWS\pss
2007-09-12 16:41 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-09-12 10:53 <DIR> d-------- C:\Documents and Settings\me\Application Data\vlc
2007-09-12 10:50 <DIR> d-------- C:\Program Files\The Weather Channel FW
2007-09-12 10:49 <DIR> d-------- C:\Program Files\VideoLAN
2007-09-12 10:49 <DIR> d-------- C:\Program Files\AskPBar
2007-09-12 10:48 <DIR> d-------- C:\Program Files\Trillian
2007-09-11 11:39 <DIR> d-------- C:\Documents and Settings\me\Application Data\eFax Messenger
2007-09-11 11:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output
2007-09-11 11:38 <DIR> d-------- C:\Program Files\eFax Messenger 4.3
2007-09-11 11:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Setup
2007-09-10 10:18 <DIR> d-------- C:\Program Files\PIXresizer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-30 20:08 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-10-29 21:57 57,856 ----a-w C:\WINDOWS\system32\spoolsv.exe
2007-10-28 19:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-28 19:53 --------- d-----w C:\Program Files\7-Zip
2007-10-28 03:47 15,360 ----a-w C:\WINDOWS\TASKMAN.EXE
2007-10-28 03:45 20,992 ----a-w C:\WINDOWS\system32\ssmarque.scr
2007-10-28 03:45 18,944 ----a-w C:\WINDOWS\system32\ssmyst.scr
2007-10-28 03:45 14,336 ----a-w C:\WINDOWS\system32\ssstars.scr
2007-10-28 03:44 9,216 ----a-w C:\WINDOWS\system32\scrnsave.scr
2007-10-28 03:44 19,968 ----a-w C:\WINDOWS\system32\ssbezier.scr
2007-10-28 02:09 150,528 ----a-w C:\WINDOWS\pchealth\UploadLB\Binaries\UploadM.exe
2007-10-28 02:08 35,328 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\notiflag.exe
2007-10-28 02:08 18,944 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\HscUpd.exe
2007-10-27 20:11 25,600 ----a-w C:\WINDOWS\twunk_32.exe
2007-10-27 17:49 69,120 ----a-w C:\WINDOWS\NOTEPAD.EXE
2007-10-27 17:12 98,304 ----a-w C:\WINDOWS\system32\verifier.exe
2007-10-27 17:12 9,728 ----a-w C:\WINDOWS\system32\sfc.exe
2007-10-27 17:12 9,728 ----a-w C:\WINDOWS\system32\reset.exe
2007-10-27 17:12 9,216 ----a-w C:\WINDOWS\system32\subst.exe
2007-10-27 17:12 9,216 ----a-w C:\WINDOWS\system32\proxycfg.exe
2007-10-27 17:12 9,216 ----a-w C:\WINDOWS\system32\print.exe
2007-10-27 17:12 8,192 ----a-w C:\WINDOWS\system32\winhlp32.exe
2007-10-27 17:12 8,192 ----a-w C:\WINDOWS\system32\smbinst.exe
2007-10-27 17:12 78,336 ----a-w C:\WINDOWS\system32\tlntsess.exe
2007-10-27 17:12 77,824 ----a-w C:\WINDOWS\system32\shrpubw.exe
2007-10-27 17:12 77,312 ----a-w C:\WINDOWS\system32\sdbinst.exe
2007-10-27 17:12 77,312 ----a-w C:\WINDOWS\system32\rtcshare.exe
2007-10-27 17:12 72,192 ----a-w C:\WINDOWS\system32\tasklist.exe
2007-10-27 17:12 72,192 ----a-w C:\WINDOWS\system32\taskkill.exe
2007-10-27 17:12 70,144 ----a-w C:\WINDOWS\system32\sigverif.exe
2007-10-27 17:12 7,168 ----a-w C:\WINDOWS\system32\recover.exe
2007-10-27 17:12 69,632 ----a-w C:\WINDOWS\system32\odbcconf.exe
2007-10-27 17:12 68,096 ----a-w C:\WINDOWS\system32\systeminfo.exe
2007-10-27 17:12 67,584 ----a-w C:\WINDOWS\system32\openfiles.exe
2007-10-27 17:12 65,536 ----a-w C:\WINDOWS\system32\wextract.exe
2007-10-27 17:12 62,976 ----a-w C:\WINDOWS\system32\rsopprov.exe
2007-10-27 17:12 61,440 ----a-w C:\WINDOWS\system32\usrprbda.exe
2007-10-27 17:12 6,656 ----a-w C:\WINDOWS\system32\msswchx.exe
2007-10-27 17:12 58,368 ----a-w C:\WINDOWS\system32\packager.exe
2007-10-27 17:12 56,832 ----a-w C:\WINDOWS\system32\sol.exe
2007-10-27 17:12 56,832 ----a-w C:\WINDOWS\system32\rasphone.exe
2007-10-27 17:12 51,200 ----a-w C:\WINDOWS\system32\syncapp.exe
2007-10-27 17:12 50,176 ----a-w C:\WINDOWS\system32\utilman.exe
2007-10-27 17:12 50,176 ----a-w C:\WINDOWS\system32\proquota.exe
2007-10-27 17:12 5,632 ----a-w C:\WINDOWS\system32\write.exe
2007-10-27 17:12 5,632 ----a-w C:\WINDOWS\system32\winver.exe
2007-10-27 17:12 49,664 ----a-w C:\WINDOWS\system32\w32tm.exe
2007-10-27 17:12 49,152 ----a-w C:\WINDOWS\system32\rsmui.exe
2007-10-27 17:12 49,152 ----a-w C:\WINDOWS\system32\rsm.exe
2007-10-27 17:12 49,152 ----a-w C:\WINDOWS\system32\powercfg.exe
2007-10-27 17:12 44,544 ----a-w C:\WINDOWS\system32\tscupgrd.exe
2007-10-27 17:12 40,448 ----a-w C:\WINDOWS\system32\osuninst.exe
2007-10-27 17:12 4,608 ----a-w C:\WINDOWS\system32\regwiz.exe
2007-10-27 17:12 4,096 ----a-w C:\WINDOWS\system32\unlodctr.exe
2007-10-27 17:12 4,096 ----a-w C:\WINDOWS\system32\nddeapir.exe
2007-10-27 17:12 36,864 ----a-w C:\WINDOWS\system32\syskey.exe
2007-10-27 17:12 36,864 ----a-w C:\WINDOWS\system32\netstat.exe
2007-10-27 17:12 36,352 ----a-w C:\WINDOWS\system32\typeperf.exe
2007-10-27 17:12 33,792 ----a-w C:\WINDOWS\system32\vssadmin.exe
2007-10-27 17:12 33,792 ----a-w C:\WINDOWS\system32\regini.exe
2007-10-27 17:12 33,280 ----a-w C:\WINDOWS\system32\ping6.exe
2007-10-27 17:12 32,768 ----a-w C:\WINDOWS\system32\relog.exe
2007-10-27 17:12 32,256 ----a-w C:\WINDOWS\system32\wpnpinst.exe
2007-10-27 17:12 32,256 ----a-w C:\WINDOWS\system32\wpabaln.exe
2007-10-27 17:12 31,744 ----a-w C:\WINDOWS\system32\tracert6.exe
2007-10-27 17:12 31,232 ----a-w C:\WINDOWS\system32\sethc.exe
2007-10-27 17:12 31,232 ----a-w C:\WINDOWS\system32\sc.exe
2007-10-27 17:12 30,720 ----a-w C:\WINDOWS\system32\xcopy.exe
2007-10-27 17:12 3,584 ----a-w C:\WINDOWS\system32\regedt32.exe
2007-10-27 17:12 3,072 ----a-w C:\WINDOWS\system32\systray.exe
2007-10-27 17:12 26,112 ----a-w C:\WINDOWS\system32\skeys.exe
2007-10-27 17:12 25,600 ----a-w C:\WINDOWS\system32\routemon.exe
2007-10-27 17:12 24,576 ----a-w C:\WINDOWS\system32\rsmsink.exe
2007-10-27 17:12 23,552 ----a-w C:\WINDOWS\system32\sort.exe
2007-10-27 17:12 23,040 ----a-w C:\WINDOWS\system32\setup.exe
2007-10-27 17:12 22,016 ----a-w C:\WINDOWS\system32\qwinsta.exe
2007-10-27 17:12 21,504 ----a-w C:\WINDOWS\system32\rcp.exe
2007-10-27 17:12 21,504 ----a-w C:\WINDOWS\system32\pathping.exe
2007-10-27 17:12 20,992 ----a-w C:\WINDOWS\system32\msg.exe
2007-10-27 17:12 20,480 ----a-w C:\WINDOWS\system32\qprocess.exe
2007-10-27 17:12 20,480 ----a-w C:\WINDOWS\system32\nbtstat.exe
2007-10-27 17:12 19,968 ----a-w C:\WINDOWS\system32\route.exe
2007-10-27 17:12 19,456 ----a-w C:\WINDOWS\system32\tcpsvcs.exe
2007-10-27 17:12 19,456 ----a-w C:\WINDOWS\system32\shutdown.exe
2007-10-27 17:12 18,432 ----a-w C:\WINDOWS\system32\secedit.exe
2007-10-27 17:12 17,920 ----a-w C:\WINDOWS\system32\ping.exe
2007-10-27 17:12 16,896 ----a-w C:\WINDOWS\system32\upnpcont.exe
2007-10-27 17:12 16,896 ----a-w C:\WINDOWS\system32\tsshutdn.exe
2007-10-27 17:12 16,896 ----a-w C:\WINDOWS\system32\tftp.exe
2007-10-27 17:12 16,896 ----a-w C:\WINDOWS\system32\qappsrv.exe
2007-10-27 17:12 16,384 ----a-w C:\WINDOWS\system32\tskill.exe
2007-10-27 17:12 16,384 ----a-w C:\WINDOWS\system32\runas.exe
2007-10-27 17:12 15,872 ----a-w C:\WINDOWS\system32\rwinsta.exe
2007-10-27 17:12 15,872 ----a-w C:\WINDOWS\system32\perfmon.exe
2007-10-27 17:12 15,360 ----a-w C:\WINDOWS\system32\taskman.exe
2007-10-27 17:12 15,360 ----a-w C:\WINDOWS\system32\pentnt.exe
2007-10-27 17:12 14,848 ----a-w C:\WINDOWS\system32\tsdiscon.exe
2007-10-27 17:12 14,848 ----a-w C:\WINDOWS\system32\tscon.exe
2007-10-27 17:12 14,848 ----a-w C:\WINDOWS\system32\stimon.exe
2007-10-27 17:12 14,848 ----a-w C:\WINDOWS\system32\shadow.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 09:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 08:27]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 17:38]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 19:49]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 15:28]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 15:26]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-10-08 08:31]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-27 16:21]
"TFncKy"="TFncKy.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-10-08 08:27]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"FileZilla Server Interface"="C:\Program Files\FileZilla Server\FileZilla Server Interface.exe" [2007-02-27 07:55]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 10:21]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 14:37 C:\WINDOWS\agrsmmsg.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Location Finder"="C:\Program Files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 18:25]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-10-27 09:58]

C:\Documents and Settings\me\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-09-16 20:16:30]
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-08-16 15:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\byxwv.dll


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 22:18:35 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.


My WinPFind3U is attached.
Attached File(s)
Attached File  WinPFind3.Txt ( 46.69K ) Number of downloads: 20
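The SDFix "Authorized Application Key Export" above is a dump of the Windows Firewall exception list, and a reviewer reads it for exceptions no user would have added: an executable in C:\WINDOWS\TEMP, winlogon.exe with an NT-style \??\ prefix, and a "path" that is actually a registry key. The block below is an added example, not part of this thread and not part of SDFix, that parses that .reg-style export and applies those three checks. The sample text is a subset of the export above; the function names and the `CORE_PROCESSES` set are this example's own.

```python
import re

# Constructed sample: a subset of the SDFix "Authorized Application Key Export"
# posted above, in the .reg syntax SDFix prints (backslashes doubled).
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:enabled:@shell32.dll,-1"
"SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List"="SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List:*:enabled:@shell32.dll,-1"
"C:\\WINDOWS\\TEMP\\PSTO_ps17.exe"="C:\\WINDOWS\\TEMP\\PSTO_ps17.exe:*:enabled:@shell32.dll,-1"
'''

# One .reg value line:  "name"="data"   (backslash-escaped inside the quotes)
REG_LINE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

# Core system processes; none of them needs an inbound firewall exception.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}


def unescape(s):
    """Undo the backslash doubling of .reg syntax."""
    return s.replace("\\\\", "\\")


def parse_authorized_apps(text):
    """Return (path, scope, state, display_name) tuples for each value in the export.

    The data part is 'path:scope:state:name'; rsplit keeps the drive colon in the path.
    """
    entries = []
    for line in text.splitlines():
        m = REG_LINE_RE.match(line.strip())
        if not m:
            continue  # key header, blank line, or something that is not a value
        parts = unescape(m.group("data")).rsplit(":", 3)
        if len(parts) == 4:
            entries.append(tuple(parts))
    return entries


def review_entry(path, scope, state, display_name):
    """Return the list of reasons this exception deserves a second look (empty if none)."""
    reasons = []
    p = path
    if p.startswith("\\??\\"):
        reasons.append("NT-native \\??\\ prefix: not what the firewall control panel writes")
        p = p[4:]
    components = [c.lower() for c in p.split("\\")]
    base = components[-1]
    if not base.endswith(".exe"):
        reasons.append("value is not an executable path")
    if "temp" in components[:-1]:
        reasons.append("executable lives in a temp directory")
    if base in CORE_PROCESSES:
        reasons.append("core system process does not need a firewall exception")
    return reasons


def review_authorized_apps(text):
    """Map each suspicious exception path to its reasons."""
    findings = {}
    for path, scope, state, name in parse_authorized_apps(text):
        reasons = review_entry(path, scope, state, name)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in review_authorized_apps(SAMPLE_EXPORT).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

On the sample this flags the TEMP executable, the winlogon.exe entry (twice: the prefix and the process name) and the registry-key "application", and leaves sessmgr.exe and LimeWire alone. LimeWire and eMule exceptions are legitimate for the software, but they are also a reminder of how file-sharing downloads tend to be the way machines like this one get infected in the first place.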
Rorschach112
post Oct 31 2007, 12:42 PM
Post #4

Hello

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
    • C:\WINDOWS\system32\iwpsetup.exe
  • Click on the submit button
  • Repeat it for this file as well C:\WINDOWS\twunk_32.exe
  • Please post the results in your next reply.
1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
C:\WINDOWS\system32\byxwv.dll
C:\found.000

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Also post a new HijackThis log, and let me know if you can get back into Normal Mode now, and if not, then what error message do you get.


This post has been edited by Rorschach112: Oct 31 2007, 12:43 PM
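The ComboFix log above shows byxwv.dll appended to the LSA "Authentication Packages" value (lsass.exe loads every DLL listed there at boot, so anything added to it runs inside the LSA process, which is why that value is a favourite persistence point), and the CFScript resets the value to the stock msv1_0 as a hex(7) (REG_MULTI_SZ) literal. The block below is an added example, not part of this thread and not part of ComboFix, that decodes and re-encodes that hex(7) literal so a replacement value can be verified before it is applied, and that flags non-default entries in ComboFix's rendering of the value. The two constants are copied from the log and the script above; the function names are this example's own.

```python
import re

# ComboFix "Reg Loading Points" line from the log posted above (sample input).
COMBOFIX_LSA_LINE = '"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\byxwv.dll'

# The replacement value from the CFScript above, in .reg syntax including its
# trailing-backslash line continuation.
CFSCRIPT_VALUE = r'''"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00'''

# Stock value on Windows XP: only the MSV1_0 (NTLM) package.
DEFAULT_AUTH_PACKAGES = ["msv1_0"]


def decode_hex7(reg_line):
    """Decode a .reg-style hex(7) (REG_MULTI_SZ) value into its list of strings."""
    _, _, payload = reg_line.partition("hex(7):")
    payload = payload.replace("\\\n", "")          # join continuation lines
    hex_bytes = re.findall(r"[0-9a-fA-F]{2}", payload)
    raw = bytes(int(h, 16) for h in hex_bytes)
    text = raw.decode("utf-16-le")                  # REG_MULTI_SZ is UTF-16LE
    return [s for s in text.split("\x00") if s]     # NUL-separated, double-NUL terminated


def encode_hex7(strings):
    """Encode a list of strings as the hex(7) payload a .reg file or CFScript expects."""
    raw = "".join(s + "\x00" for s in strings).encode("utf-16-le") + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def parse_combofix_auth_packages(line):
    """Split ComboFix's space-joined rendering of the multi-string value."""
    _, _, value = line.partition("=")
    return value.split()


def unexpected_auth_packages(packages):
    """Entries that are not part of the stock Authentication Packages value."""
    return [p for p in packages if p.lower() not in DEFAULT_AUTH_PACKAGES]


if __name__ == "__main__":
    found = parse_combofix_auth_packages(COMBOFIX_LSA_LINE)
    print("current value:", found)
    print("not in the default set:", unexpected_auth_packages(found))
    print("CFScript value decodes to:", decode_hex7(CFSCRIPT_VALUE))
    print("re-encoded:", encode_hex7(DEFAULT_AUTH_PACKAGES))
```

Decoding the CFScript literal gives exactly `["msv1_0"]`, and re-encoding the default list reproduces the script's bytes, which is the check worth doing before writing any hand-typed hex(7) value into the LSA key: a malformed multi-string there breaks logon rather than merely failing to remove the DLL. The ComboFix rendering, by contrast, shows the extra path the script is there to strip.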
mathiasquimby
post Nov 3 2007, 06:12 PM
Post #5

When I ran the Notepad file through ComboFix, it restarted my computer and asked me for a password. I never set a password on my computer and have run a boot disk trying to blank it out. There simply is no password to blank out, the boot disk tells me. What is going on around here?
Rorschach112
post Nov 4 2007, 04:30 AM
Post #6

Hold on tight, will see about fixing that problem for you.
mathiasquimby
post Nov 4 2007, 10:13 AM
Post #7

OK, I've gotten back into my computer by restoring my last known working sections, an option I unlocked by tripping an error or something in Safe Mode. I still have A LOT of spyware on my system and have backed up the files I want. I just think I'm going to reformat. If something can mess with my password, I don't want to know what else it can do. ComboFix couldn't pull up a log when I restarted. Thanks for all your help.

This post has been edited by mathiasquimby: Nov 4 2007, 10:14 AM
Rorschach112
post Nov 4 2007, 02:54 PM
Post #8

Hello mathias

We can fix up your PC from malware; it was just an unfortunate accident that caused that problem. Let me know if you wish to try to clean it up or to reformat. I am 100% sure that what happened before will not happen again.

My apologies again
mathiasquimby
post Nov 7 2007, 06:44 PM
Post #9

Hey. I ran Avast and that deleted everything infected. Then I restored all the stuff I deleted with the Recovery Console. Thanks for your help, and I am all clear.
Rorschach112
post Nov 8 2007, 01:13 AM
Post #10

That's good to hear. Sorry again about the problem.
Rorschach112
post Nov 8 2007, 01:14 AM
Post #11

Since this issue appears to be resolved, this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.