CiD browser keeps popping up [CLOSED]


  • This topic is locked

#16
harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Hi Americano,
Still some removal to do, seems like you had a keylogger type of program at one time. If you do any type of financial transactions with this machine I would recommend alerting whatever banks or financial institutions you deal with. Also, it's a good idea to change all passwords used on any account accessed via this machine (including email, etc.). It's a good idea to keep your passwords updated/changed every now and then.

Some of the things I am removing I could not find a lot of information on, so I do not think they are needed on your machine. Please look through the list of files and if you see something that you purchased stop and let me know.

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions please ask BEFORE proceeding.

Backing Up Your Registry
  • Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\cmdbkyhrsfxi.exe
C:\Documents and Settings\All Users\Application Data\Software rule flag owns\ooze long.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\DOCUME~1\matthew\APPLIC~1\THIRDF~1\waitgreat.exe
C:\WINDOWS\system32\TGVFDMsgservice.exe
c:\docume~1\matthew\applic~1\thirdf~1\Open Flaw Bleh.exe
C:\WINDOWS\Tasks\B4082258918FCBF4.job

Folder::
C:\PROGRA~1\MYWEBS~1

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmdbkyhrsfxi]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flag Owns Live Grim]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\popeq]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TGX2_VFD]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Harry
  • 0


#17
Americano

    Member

  • Topic Starter
  • Member
  • 16 posts
Hi Harry,

I am fascinated by all of this. How you make sense of those logs I just don't know.

Like I said in my original post, it is my friend's PC I am helping her with and it will be a couple of days before I can get back to her to do this step.

I will post the log as soon as I can.

Thanks again

Claire
  • 0

#18
harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
No problem Americano,
Post back when you get to the machine, I get an automatic notification when you reply :)

Harry
  • 0

#19
Americano

    Member

  • Topic Starter
  • Member
  • 16 posts
Hi Harry,

I have done what you asked and here is the ComboFix log. I will post the HiJackThis log separately.

Thanks again
Claire



ComboFix 08-02-14.2 - matthew 2008-02-14 9:51:54.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1526 [GMT 0:00]
Running from: C:\Documents and Settings\matthew\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\matthew\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
c:\docume~1\matthew\applic~1\thirdf~1\Open Flaw Bleh.exe
C:\DOCUME~1\matthew\APPLIC~1\THIRDF~1\waitgreat.exe
C:\Documents and Settings\All Users\Application Data\Software rule flag owns\ooze long.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\WINDOWS\system32\cmdbkyhrsfxi.exe
C:\WINDOWS\system32\TGVFDMsgservice.exe
C:\WINDOWS\Tasks\B4082258918FCBF4.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\matthew\applic~1\thirdf~1\Open Flaw Bleh.exe
C:\DOCUME~1\matthew\APPLIC~1\THIRDF~1\waitgreat.exe
C:\Documents and Settings\All Users\Application Data\Software rule flag owns\ooze long.exe
C:\WINDOWS\system32\TGVFDMsgservice.exe
C:\WINDOWS\Tasks\B4082258918FCBF4.job

.
((((((((((((((((((((((((( Files Created from 2008-01-14 to 2008-02-14 )))))))))))))))))))))))))))))))
.

2008-02-14 09:47 . 2008-02-14 09:47 <DIR> d-------- C:\Program Files\ERUNT
2008-02-10 22:27 . 2008-02-10 22:27 268 --ah----- C:\sqmdata00.sqm
2008-02-10 22:27 . 2008-02-10 22:27 244 --ah----- C:\sqmnoopt00.sqm
2008-02-10 21:26 . 2004-08-10 19:00 388,608 --a------ C:\kmd.exe
2008-02-10 17:37 . 2008-02-10 17:37 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-02-10 17:25 . 2006-03-21 20:56 1,522,688 --a------ C:\ati2mtag.sys
2008-02-10 17:21 . 2008-02-10 17:21 10 --a------ C:\WINDOWS\WININIT.INI
2008-02-10 17:19 . 2008-02-13 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-10 17:13 . 2008-02-10 17:13 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2008-02-10 17:13 . 2008-02-10 17:09 178,872 --a------ C:\WINDOWS\system32\drivers\PavProc.sys
2008-02-10 17:13 . 2008-02-10 17:09 38,968 --a------ C:\WINDOWS\system32\drivers\ShlDrv51.sys
2008-02-10 17:04 . 2008-02-10 17:07 <DIR> d-------- C:\WINDOWS\system32\PAV
2008-02-10 17:04 . 2008-02-10 17:04 <DIR> d-------- C:\Program Files\Panda Security
2008-02-10 17:04 . 2007-09-28 13:24 83,896 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2008-02-10 17:04 . 2007-03-15 18:38 54,832 --a------ C:\WINDOWS\system32\pavcpl.cpl
2008-02-10 17:04 . 2007-02-15 20:02 50,736 --a------ C:\WINDOWS\system32\avldr.dll
2008-02-10 17:04 . 2008-02-10 17:04 248 --a------ C:\WINDOWS\system32\PavCPL.dat
2008-02-10 16:46 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-10 16:46 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-10 16:46 . 2008-02-08 23:55 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-10 16:46 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-10 16:46 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-10 16:46 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-10 16:46 . 2008-02-10 16:46 746 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-10 16:21 . 2008-02-10 16:21 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-06 12:35 . 2008-02-06 12:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-06 12:31 . 2008-02-06 12:31 <DIR> d-------- C:\Deckard
2008-01-29 16:04 . 2008-01-29 16:04 <DIR> d-------- C:\Program Files\Motive
2008-01-29 16:04 . 2008-01-29 16:07 <DIR> d-------- C:\Program Files\BT Total Broadband 220V
2008-01-29 14:42 . 2008-01-29 15:44 <DIR> d-------- C:\Program Files\Motive(2)
2008-01-26 17:19 . 2008-01-26 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sentinel
2008-01-26 14:08 . 2008-02-10 17:52 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-26 14:08 . 2008-02-10 17:52 <DIR> d-------- C:\Documents and Settings\matthew\Application Data\SUPERAntiSpyware.com
2008-01-26 14:08 . 2008-01-26 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-26 11:42 . 2008-01-26 11:42 <DIR> d-------- C:\Documents and Settings\matthew\Application Data\Grisoft
2008-01-26 11:42 . 2008-01-26 11:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-21 19:27 . 2008-01-21 19:27 <DIR> d-------- C:\Documents and Settings\matthew\Application Data\Windows Live Writer
2008-01-19 20:18 . 2008-01-19 20:23 88 --a------ C:\WINDOWS\cdplayer.ini
2008-01-19 20:17 . 2008-01-19 20:17 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-01-19 20:17 . 2008-01-19 20:17 <DIR> d-------- C:\Documents and Settings\matthew\Application Data\Talkback
2008-01-19 18:52 . 2008-01-19 18:52 <DIR> d-------- C:\Program Files\iPod
2008-01-14 20:23 . 2008-01-14 20:23 <DIR> d-------- C:\Program Files\third flap bash

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-14 09:52 --------- d-----w C:\Documents and Settings\matthew\Application Data\third flap bash
2008-02-14 09:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Software rule flag owns
2008-02-13 22:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-10 17:20 --------- d-----w C:\Program Files\Google
2008-02-10 17:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-30 17:41 --------- d-----w C:\Documents and Settings\matthew\Application Data\Yahoo!
2008-01-29 16:05 --------- d-----w C:\Program Files\Common Files\Motive
2008-01-29 16:04 --------- d-----w C:\Program Files\BT Home Hub
2008-01-21 19:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-19 20:17 --------- d-----w C:\Program Files\Real
2008-01-19 20:17 --------- d-----w C:\Program Files\Common Files\Real
2008-01-19 18:52 --------- d-----w C:\Program Files\iTunes
2008-01-19 18:51 --------- d-----w C:\Program Files\QuickTime
2008-01-10 13:05 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
2007-12-30 22:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-30 22:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-30 12:57 --------- d-----w C:\Program Files\Symantec
2007-12-30 11:27 --------- d-----w C:\Program Files\Alwil Software
2007-12-29 14:11 6,880 ----a-w C:\Documents and Settings\matthew\Application Data\wklnhst.dat
2007-12-26 16:16 --------- d-----w C:\Documents and Settings\matty's\Application Data\Teleca
2007-12-26 16:15 --------- d-----w C:\Documents and Settings\matty's\Application Data\PC Suite
2007-12-26 16:14 --------- d-----w C:\Documents and Settings\matty's\Application Data\Sony Ericsson
2007-12-26 15:24 --------- d-----w C:\Documents and Settings\matthew\Application Data\LimeWire
2007-12-26 15:23 --------- d-----w C:\Documents and Settings\matthew\Application Data\Nokia
2007-12-26 15:12 --------- d-----w C:\Documents and Settings\matthew\Application Data\PC Suite
2007-12-26 15:05 --------- d-----w C:\Documents and Settings\matthew\Application Data\Nokia Multimedia Player
2007-12-26 14:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2007-12-26 14:24 --------- d-----w C:\Program Files\PC Connectivity Solution
2007-12-26 14:24 --------- d-----w C:\Program Files\Nokia
2007-12-26 14:24 --------- d-----w C:\Program Files\DIFX
2007-12-26 14:24 --------- d-----w C:\Program Files\Common Files\PCSuite
2007-12-26 14:24 --------- d-----w C:\Program Files\Common Files\Nokia
2007-12-25 21:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2007-12-25 21:06 --------- d-----w C:\Documents and Settings\matthew\Application Data\Teleca
2007-12-25 11:35 --------- d-----w C:\Documents and Settings\matthew\Application Data\Sony Ericsson
2007-12-25 11:24 --------- d-----w C:\Program Files\Sony Ericsson
2007-12-25 11:24 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-12-25 11:24 --------- d-----w C:\Program Files\Common Files\Sony Ericsson Shared
2007-12-25 11:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Teleca
2007-12-25 11:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-12-19 11:45 --------- d-----w C:\Program Files\MSN Messenger
2007-12-19 11:45 --------- d-----w C:\Program Files\Messenger Plus! Live
2007-12-19 11:45 --------- d-----w C:\Program Files\Circle Developement
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-06-16 07:49 128 ----a-w C:\Documents and Settings\matty's\Application Data\wklnhst.dat
2006-05-13 15:12 430 ----a-w C:\Documents and Settings\fiona\Application Data\wklnhst.dat
2003-08-27 21:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
2006-07-28 13:04 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-10 17:19 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 19:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.exe" [2007-10-04 15:14 455984]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-19 20:16 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 19:00 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
FreeventsSchedule.lnk - C:\Freevents\FreeventsSchedule.exe [2006-01-13 12:13:40 16384]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-02-10 17:19:52 125624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Demo.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Demo.lnk
backup=C:\WINDOWS\pss\AOL Demo.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk
backup=C:\WINDOWS\pss\BT Broadband Desktop Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Help.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Help.lnk
backup=C:\WINDOWS\pss\BT Broadband Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^FreeventsSchedule.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\FreeventsSchedule.lnk
backup=C:\WINDOWS\pss\FreeventsSchedule.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk
backup=C:\WINDOWS\pss\Ralink Wireless Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^matthew^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=C:\Documents and Settings\matthew\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=C:\WINDOWS\pss\Picture Motion Browser Media Check Tool.lnkStartup
--a------ 2002-09-13 21:42 212992 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-10-08 02:50 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2007-01-10 11:06 71216 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BTAgile]
--a------ 2007-06-18 08:39 61440 C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp]
--a------ 2005-12-29 10:22 543232 C:\Program Files\btbb_wcm\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BtcMaestro]
--------- 2005-02-21 05:53 245760 C:\Program Files\KMaestro\KMaestro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 19:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 14:01 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eyeBeam SIP Client]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Frontier]
--a------ 2007-06-18 08:36 12394496 C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-11-17 13:21 50736 C:\Program Files\Common Files\AOL\1176579861\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2005-01-26 09:47 40960 C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MFPrintServer]
--a------ 2005-04-05 02:37 65536 C:\Program Files\Companion Suite IH\MFPrintServer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MFServices]
--a------ 2005-04-05 02:29 159744 C:\Program Files\Companion Suite IH\MFServices.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2004-12-09 12:02 421888 C:\PROGRA~1\BTTOTA~1\Help\SMARTB~1\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
--a------ 2007-06-19 10:17 1241088 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
--a------ 2005-04-05 03:24 122880 C:\PROGRA~1\COMPAN~2\ONETOU~3.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2007-06-18 15:10 271360 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
--a------ 2005-07-08 16:01 1953887 C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-13 21:42 212992 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
-ra------ 2003-08-27 21:20 94208 C:\WINDOWS\SM1BG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2006-11-24 01:06 487424 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2005-06-20 13:42 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
--a------ 2004-01-26 10:38 866816 C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
-ra------ 2003-10-14 09:22 155648 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-04-13 02:48 36975 C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-01-19 20:16 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2005-08-31 17:11 2478080 C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

R1 CXAVSAUD;Conexant 2388x Audio Capture;C:\WINDOWS\system32\DRIVERS\cxavsaud.sys [2005-10-25 01:56]
R1 mfxnt;mfxnt;C:\WINDOWS\system32\drivers\mfxnt.sys [2005-04-05 01:31]
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys [2008-02-10 17:09]
R2 CX23880;Conexant 23880 Video Capture;C:\WINDOWS\system32\drivers\cx88vid.sys [2005-10-28 02:43]
R2 CXTUNE;Conexant 2388x Tuner;C:\WINDOWS\system32\drivers\CX88TUNE.sys [2005-11-14 03:19]
R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2008-02-10 17:09]
R3 CXAVSTS;Conexant 2388x AVStream TS Capture;C:\WINDOWS\system32\drivers\cxavsts.sys [2005-10-25 01:56]
R3 CXAVXBAR;Conexant 2388x AVStream Crossbar;C:\WINDOWS\system32\drivers\cxavxbar.sys [2005-10-25 01:56]
R3 CXBDATUNE;Conexant BDA DVB Tuner/Demod;C:\WINDOWS\system32\drivers\cxBDAtun.sys [2005-10-25 01:56]
R3 TGX263;TriGem X2 Device Driver;C:\WINDOWS\system32\Drivers\TGX263.sys [2004-11-03 14:16]
S3 HttpUsb;XML interface;C:\WINDOWS\system32\Drivers\HttpUsb.sys [2005-04-05 01:31]
S3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-11-30 14:58]
S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se44mdfl.sys [2006-11-30 14:58]
S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se44mdm.sys [2006-11-30 14:58]
S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se44mgmt.sys [2006-11-30 14:58]
S3 se44nd5;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS);C:\WINDOWS\system32\DRIVERS\se44nd5.sys [2006-11-30 14:58]
S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se44obex.sys [2006-11-30 14:58]
S3 se44unic;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM);C:\WINDOWS\system32\DRIVERS\se44unic.sys [2006-11-30 14:58]
S3 sgbx_device;sgbx_device;C:\WINDOWS\system32\sgbxcoms.exe [2005-04-05 01:14]
S3 UsbItf;MF [email protected] activities;C:\WINDOWS\system32\Drivers\UsbItf.sys [2005-04-05 01:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-14 09:56:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-14 9:57:01
ComboFix-quarantined-files.txt 2008-02-14 09:56:59
ComboFix2.txt 2008-02-10 21:30:59
ComboFix3.txt 2008-02-09 23:09:16
.
2008-02-13 22:39:49 --- E O F ---
  • 0
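Harry's CFScript above asks ComboFix to delete eight files, one folder and five startup registry keys, and the ComboFix log Claire posted lists only five of those files under "Other Deletions". The following script is an added example, written for this thread and not code from Geeks to Go, from the posters or from ComboFix's author: it parses the File::/Folder::/Registry:: sections of a CFScript and the "Other Deletions" section of a ComboFix log, then reports which requested file deletions the log confirms, which fall inside a Folder:: target (and so are removed with the folder rather than listed separately), and which are not confirmed at all and deserve a follow-up look in the next log. The sample CFScript and log excerpt are constructed from the paths quoted in the thread; the banner format assumed for the log sections is the one visible in the posted log.

```python
"""Cross-check a ComboFix CFScript against the ComboFix log it produced.

Added example (not from the thread or from ComboFix's author). Sample texts
below are constructed from paths quoted in the thread.
"""
import re
from typing import Dict, List, Set

SECTION_RE = re.compile(r"^(\w+)::\s*$")   # "File::", "Folder::", "Registry::", ...


def _norm(path: str) -> str:
    """Case-fold a Windows path so two spellings of one file compare equal.
    Note: 8.3 short names (PROGRA~1) and long names cannot be matched without
    the live filesystem, so they are compared only as written."""
    return path.strip().lower().replace("/", "\\")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its directive sections, keeping entry order."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_deletions(log: str) -> Set[str]:
    """Collect the paths ComboFix lists under its 'Other Deletions' banner."""
    deleted: Set[str] = set()
    collecting = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("(((") and "Other Deletions" in line:
            collecting = True
            continue
        if collecting:
            if line.startswith("(((") or line.startswith("***"):
                break                       # next banner: the section is over
            if line and line != ".":
                deleted.add(_norm(line))
    return deleted


def reconcile(cfscript_text: str, log_text: str) -> Dict[str, List[str]]:
    """Classify each File:: target by what the log says happened to it."""
    sections = parse_cfscript(cfscript_text)
    folders = [_norm(f).rstrip("\\") for f in sections.get("Folder", [])]
    deleted = parse_combofix_deletions(log_text)
    report: Dict[str, List[str]] = {"confirmed": [], "covered_by_folder": [], "unconfirmed": []}
    for path in sections.get("File", []):
        n = _norm(path)
        if n in deleted:
            report["confirmed"].append(path)
        elif any(n.startswith(folder + "\\") for folder in folders):
            # Deleted with its parent folder, so ComboFix does not list it on its own.
            report["covered_by_folder"].append(path)
        else:
            # Not in the log: already gone, renamed, or still present; check the next log.
            report["unconfirmed"].append(path)
    return report


# Constructed sample CFScript (subset of the one posted in the thread).
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\system32\cmdbkyhrsfxi.exe
C:\Documents and Settings\All Users\Application Data\Software rule flag owns\ooze long.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\DOCUME~1\matthew\APPLIC~1\THIRDF~1\waitgreat.exe
C:\WINDOWS\system32\TGVFDMsgservice.exe
c:\docume~1\matthew\applic~1\thirdf~1\Open Flaw Bleh.exe
C:\WINDOWS\Tasks\B4082258918FCBF4.job

Folder::
C:\PROGRA~1\MYWEBS~1

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmdbkyhrsfxi]
"""

# Constructed excerpt of a ComboFix log in the format seen in the thread.
SAMPLE_LOG = r"""
ComboFix 08-02-14.2 - matthew 2008-02-14 9:51:54.4 - NTFSx86
Command switches used :: C:\Documents and Settings\matthew\Desktop\CFScript.txt

FILE
c:\docume~1\matthew\applic~1\thirdf~1\Open Flaw Bleh.exe
C:\WINDOWS\system32\cmdbkyhrsfxi.exe
.

((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))
.

c:\docume~1\matthew\applic~1\thirdf~1\Open Flaw Bleh.exe
C:\DOCUME~1\matthew\APPLIC~1\THIRDF~1\waitgreat.exe
C:\Documents and Settings\All Users\Application Data\Software rule flag owns\ooze long.exe
C:\WINDOWS\system32\TGVFDMsgservice.exe
C:\WINDOWS\Tasks\B4082258918FCBF4.job

.
((((((((((((((((( Files Created from 2008-01-14 to 2008-02-14 )))))))))))))))))
.
"""

if __name__ == "__main__":
    for status, paths in reconcile(SAMPLE_CFSCRIPT, SAMPLE_LOG).items():
        print(f"{status}:")
        for p in paths:
            print(f"  {p}")
```

Run against the sample, the script confirms five deletions, attributes the two MyWebSearch executables to the `Folder::` removal of `C:\PROGRA~1\MYWEBS~1`, and leaves `cmdbkyhrsfxi.exe` unconfirmed, which is exactly the entry a helper would want to see re-checked in the next log.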

#20
Americano

    Member

  • Topic Starter
  • Member
  • 16 posts
Here is the HJT log.

Thanks again
Claire


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:36, on 14/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.client...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.client...arch.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\WINDOWS\system32\WSBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: FreeventsSchedule.lnk = C:\Freevents\FreeventsSchedule.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.mess.../Medialogic.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrad...raderMediaX.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.bti...bcontrol028.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: sgbx_device - Sagem - C:\WINDOWS\system32\sgbxcoms.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 11001 bytes
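The log above is in HijackThis format, where each O-line records one hook into the browser or one autostart point. As an added example (not code from this thread, and not HijackThis's own), here is a small Python triage script that parses the O2, O3, O4 and O23 lines and flags the three things a helper reads a log for first: entries whose file no longer exists, services whose binary carries no identifiable vendor, and autostarts that run out of a directory an ordinary user can write to. Most of the sample lines are copied from the log posted above; the last two (the "Sync Helper" service and the update.exe entry under Application Data) are constructed so that every rule fires, and the names and paths in them are invented.

```python
"""Triage helper for HijackThis-style logs (O2, O3, O4 and O23 lines).
Added example, not from the thread or from HijackThis itself."""
import re
from typing import Dict, List, Optional, Tuple

# O2 (BHO) and O3 (toolbar): "<name> - {CLSID} - <path>"
RE_COM = re.compile(
    r"^O(?P<kind>2|3) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O4 registry Run values: "<hive>\..\Run: [<value>] <command> (User '<who>')?"
RE_RUN = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<value>[^\]]+)\] "
    r"(?P<path>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
# O4 startup-folder shortcuts: "Global Startup: <name>.lnk = <target>"
RE_STARTUP = re.compile(
    r"^O4 - (?P<hive>(?:Global )?Startup): (?P<value>.*?) = (?P<path>.*)$")
# O23 services: "<display name> - <owner> - <path>"
RE_SVC = re.compile(
    r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# First token that looks like a launched file, quoted or not, arguments dropped.
RE_EXE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|scr|bat|cmd|dll|lnk))\b', re.I)

# Locations an unprivileged XP user can write to.  Legitimate software does
# occasionally start from here, so this is a "look closer", not a verdict.
USER_WRITABLE = (
    "\\application data\\", "\\local settings\\", "\\temp\\",
    "\\my documents\\", "\\desktop\\", "\\recycler\\",
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one O2/O3/O4/O23 line, or None for any other line."""
    text = line.strip()
    for rx in (RE_COM, RE_RUN, RE_STARTUP, RE_SVC):
        m = rx.match(text)
        if m:
            fields = {k: (v or "") for k, v in m.groupdict().items()}
            fields["section"] = text.split(" ", 1)[0]    # "O2", "O4", "O23", ...
            return fields
    return None


def executable_of(command: str) -> str:
    """Strip surrounding quotes and trailing arguments from a launch command."""
    m = RE_EXE.match(command.strip())
    return m.group("exe") if m else ""


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for entries that deserve a human look."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        path = entry["path"].strip()
        exe = executable_of(path).lower()
        if path == "(no file)" or path.endswith("(file missing)"):
            findings.append(("orphan", raw.strip()))         # registry points at nothing
        elif entry["section"] == "O23" and entry.get("owner") == "Unknown owner":
            findings.append(("unknown-owner", raw.strip()))  # no vendor in version info
        elif any(d in exe for d in USER_WRITABLE):
            findings.append(("user-writable", raw.strip()))  # autostart from a user dir
    return findings


# Sample input: the first seven lines are copied from the log posted above;
# the last two are constructed (invented service and path) so every rule fires.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: Sync Helper (synchlp) - Unknown owner - C:\WINDOWS\system32\synchlp.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Application Data\random words here\update.exe
"""

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:14} {line}")
```

The "orphan" hits are the same ones a helper would clean up by hand in this thread: a BHO with no file behind it and a service whose binary is gone. "unknown-owner" only means the executable carries no company name in its version resource, which is common for malware but also for some legitimate tools, so it is a prompt to check the file, not proof of anything. Because the rules are applied with `elif`, each line gets one reason, the most serious first.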

#21 harrythook (Trusted Helper, Retired Staff, 2,618 posts)
Hi Claire,
Sorry for the delay, gotta work every now and then; I still cannot understand why my work requires me to show up :)

Things look a lot better there. Is Matthew playing some online games there? Some files have been created since our last fix; I just want to make sure this is from a valid online game site.

2008-02-14 09:52 --------- d-----w C:\Documents and Settings\matthew\Application Data\third flap bash
2008-02-14 09:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Software rule flag owns


Please let me know, as this seems to be new to me (the program files, that is).

Other than that, how is that machine running?

Harry

#22 Americano (Member, Topic Starter, 16 posts)
Hi Harry :)

Work is such a pain, isn't it!

Thanks so much for your time. I will find out if Matthew is doing online gaming. I know they play games over MSN, but I'll have a word about those you specified.

Thanks again

Claire

#23 harrythook (Trusted Helper, Retired Staff, 2,618 posts)
OK Claire,
just post when you get a chance :)

H

#24 harrythook (Trusted Helper, Retired Staff, 2,618 posts)
Hello Americano,
Still there?

Please let me know how things are there. Do you still need help?

Harry

#25 Americano (Member, Topic Starter, 16 posts)
Hi Harry,
Sorry, it was the school holidays last week and we spent time away from the PC!

Matthew hadn't done any online gaming, and when I looked at the times the files were created, it was the time I was running ComboFix etc.?? So it must have been then that they were created, and I definitely didn't do any gaming.

Thanks in advance

Claire

PS I am having a similar problem with my daughter's laptop, so would you be able to help me with that after this is fixed, or should I start a new post?
#26 harrythook (Trusted Helper, Retired Staff, 2,618 posts)
Welcome back, Claire,
Glad to hear some people took time away from the PC :)

Let's get another look at things, since it's been a while:
Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind35u folder and double-click on WinPFind35u.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Under Additional Scans check the following:
    • Reg - ActiveX StubPath
    • Reg - App Paths
    • Reg - Approved Shell Extensions
    • Reg - BotCheck
    • Reg - ColumnHandlers
    • Reg - ContextMenuHandlers
    • Reg - ControlSets
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • Reg - File Associations
    • Reg - IE CmdMapping
    • Reg - IE Zones & Template Policies Details
    • Reg - Print Monitors
    • Reg - Safeboot Options
    • Reg - Security Settings
    • Reg - Session Manager Settings
    • Reg - Shell Spawning
    • Reg - Software Policy Settings
    • Reg - Tcpip Persistant Routes
    • Reg - Uninstall List
    • Reg - WOW Settings
    • File - Additional Folder Scans
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EventViewer Errors/Warnings (last 7 days)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
If the log is too large to post, please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

PS I am having a similar problem with my daughter's laptop, so would you be able to help me with that after this is fixed, or should I start a new post?

Let's make some more progress here, then on to the next one :)

Harry

#27 harrythook (Trusted Helper, Retired Staff, 2,618 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.