HJT Log - Prework Done!
Posted in the PC Help Forum, Security & Safety » [Fixed] Hijackthis! Logs
#1
03-25-2008
Yaswanth (Bronze Member; Join Date: Mar 2008; Posts: 23; PC Experience: Some Experience)
HJT Log - Prework Done!

Hi,

I am trying to clean up my laptop which unfortunately has become very infested with all types of viruses, adware, malware and so on. Basically I have tons of pop-ups, lots of warnings, errors, a lot of warnings about some missing .dll file or another, very slow startup and response times. I don't have the restore CDs anymore so I'm trying to clean it up.

Also for some reason in Start under Settings the Control Panel option is not there. So I can't get to Add or Remove Programs. Basically it's not giving me admin access even though I am. When I boot into Safe Mode there is an Administration user that I can use to get into Add or Remove Programs but in Safe Mode I can't get rid of a lot of programs. So I need help in fixing that also.

I have followed the steps of the prework as listed. I have attached logs from HijackThis, AVG Antivirus, and SUPERAntiSpyware.

Thanks for the help! It is very appreciated.
Attached Files
File Type: txt AVG Log 3-24-08.txt (32.0 KB, 3 views)
File Type: log HijackThis Log 3-24-08.log (10.5 KB, 4 views)
File Type: log SUPERAntiSpyware Log 3-24-08.log (23.6 KB, 3 views)


#2
03-25-2008
Pancake (Senior Security Analyst; Join Date: Jun 2006; Location: Victoria, Australia; Posts: 3,097; PC Experience: Elite PC Guru)
Re: HJT Log - Prework Done!

Please download SDFix from here and save it to your desktop
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Copy and paste that log in your next reply.
=================================

Ok. We need to download ComboFix.exe. This will give a better view of the files running and also hidden on your computer.
Please visit this webpage for download links, and instructions for running the tool

When the tool is finished, it will produce a report for you. Please copy and paste the "C:\ComboFix.txt" along with a new HijackThis log so that we can continue to do any further cleaning that your system may require.
Caution: Never run and remove files with Combofix unless supervised by a security analyst.
NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.


__________________
My real name is Eddy
#3
03-26-2008
Yaswanth (Bronze Member; Join Date: Mar 2008; Posts: 23; PC Experience: Some Experience)
Re: HJT Log - Prework Done!

Ok I did what you said.

I've attached the SDFix Log, the ComboFix Log, and a new HJT Log.

Thanks again for your help.

Attached Files
File Type: txt SDFix Log 3-25-08.txt (6.5 KB, 1 views)
File Type: txt ComboFix Log 3-25-08.txt (15.3 KB, 1 views)
File Type: txt HijackThis Log 3-25-08.txt (8.0 KB, 2 views)


#4
03-26-2008
Pancake (Senior Security Analyst; Join Date: Jun 2006; Location: Victoria, Australia; Posts: 3,097; PC Experience: Elite PC Guru)
Re: HJT Log - Prework Done!

Logs are best copied and pasted. It makes it better for others to view.

SDFix: Version 1.161
Run by SRIDHAR BYREDDY on Tue 03/25/2008 at 10:53 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Resetting SecurityProviders Value
Rebooting

Checking Files :
Trojan Files Found:
C:\WINDOWS\Installer\{cda37dbd-5d70-47f8-aa90-2b7beb8f5c62}\SysMon.dll - Deleted
C:\PROGRA~1\PLATINUM\QUCA - Deleted
C:\Documents and Settings\SRIDHAR BYREDDY\Application Data\ultra\uninstall.bat - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Program Files\IE Extensions\cj.v2.dll - Deleted
C:\Program Files\tmp188093.exe - Deleted
C:\Program Files\tmp42173656.exe - Deleted
C:\Program Files\tmp5883890.exe - Deleted
C:\Program Files\tmp5884828.exe - Deleted
C:\Program Files\tmp5886156.exe - Deleted
C:\Program Files\ucleaner_setup.exe - Deleted
C:\WINDOWS\system32\pac.txt - Deleted

Folder C:\WINDOWS\Installer\{cda37dbd-5d70-47f8-aa90-2b7beb8f5c62} - Removed
Folder C:\Documents and Settings\SRIDHAR BYREDDY\Application Data\ultra - Removed
Folder C:\Program Files\IE Extensions - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed

Removing Temp Files
ADS Check :


Final Check :
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 23:08:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\SAS Institute\\SAS\\V8\\sas.exe"="C:\\Program Files\\SAS Institute\\SAS\\V8\\sas.exe:*:Enabled:The SAS System for Windows "
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"="C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE:*:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"="C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE:*:Enabled:ActiveSync Application"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update Client"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Documents and Settings\\SRIDHAR BYREDDY\\Application Data\\printer.exe"="C:\\Documents and Settings\\SRIDHAR BYREDDY\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\SRIDHAR BYREDDY\\Application Data\\trant.exe"="C:\\Documents and Settings\\SRIDHAR BYREDDY\\Application Data\\trant.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\SRIDHAR BYREDDY\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\SRIDHAR BYREDDY\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\hjkormjj.exe"="C:\\WINDOWS\\system32\\hjk"
"C:\\Documents and Settings\\SRIDHAR BYREDDY\\Application Data\\spyguard.exe"="C:\\Documents and Settings\\SRIDHAR BYREDDY\\Application Data\\spyguard.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Documents and Settings\\SRIDHAR BYREDDY\\Application Data\\printer.exe"="C:\\Documents and Settings\\SRIDHAR BYREDDY\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\SRIDHAR BYREDDY\\Application Data\\trant.exe"="C:\\Documents and Settings\\SRIDHAR BYREDDY\\Application Data\\trant.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\SRIDHAR BYREDDY\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\SRIDHAR BYREDDY\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\SRIDHAR BYREDDY\\Application Data\\spyguard.exe"="C:\\Documents and Settings\\SRIDHAR BYREDDY\\Application Data\\spyguard.exe:*:Enabled:@xpsp2res.dll,-22019"
Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 4 Aug 2004 4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Wed 4 Aug 2004 73,728 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
Mon 24 Mar 2008 22,794 ..SHR --- "C:\WINDOWS\Installer\{b54853e4-2872-4c1c-b9fc-66ebfb20c38c}\zip.dll"
Mon 24 Mar 2008 22,642 ..SHR --- "C:\WINDOWS\Installer\{c763be1a-c6d5-4b82-9610-c36ff89943ff}\zip.dll"
Tue 25 Mar 2008 22,690 ..SHR --- "C:\WINDOWS\Installer\{cc335bfa-4c01-4655-b71c-3c84c84c488a}\zip.dll"
Thu 1 Nov 2007 230,400 ..SHR --- "C:\Documents and Settings\SRIDHAR BYREDDY\Application Data\??pPatch\n?tdde.exe"
Finished!
====================================
ComboFix 08-03-25.1 - SRIDHAR BYREDDY 2008-03-25 23:34:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.122 [GMT -4:00]
Running from: C:\Documents and Settings\SRIDHAR BYREDDY\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\SRIDHAR BYREDDY\Application Data\PPATCH~1
C:\Documents and Settings\SRIDHAR BYREDDY\Application Data\PPATCH~1\n?tdde.exe
C:\Program Files\Common Files\smante~1
C:\Program Files\Common Files\smante~1\S?mantec\
C:\Temp\tpBe12
C:\Temp\tpBe12\etFr.log
C:\WINDOWS\BM49b40045.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\abc2
C:\WINDOWS\system32\ex1
C:\WINDOWS\system32\ineWc01
C:\WINDOWS\system32\lt2
C:\WINDOWS\system32\oc9
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CORE
-------\Legacy_DOMAINSERVICE

((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.
2008-03-25 22:50 . 2008-03-25 22:50 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-25 22:46 . 2008-03-25 23:23 <DIR> d-------- C:\SDFix
2008-03-25 20:03 . 2008-03-25 23:45 165,920 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-25 20:03 . 2008-03-25 23:40 2,972 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-25 19:03 . 2008-03-25 19:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-03-25 19:02 . 2008-03-25 19:02 <DIR> d-------- C:\Program Files\Zone Labs
2008-03-25 18:12 . 2008-03-25 23:44 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-03-25 05:56 . 2008-03-25 05:56 <DIR> d-------- C:\WINDOWS\Options
2008-03-25 05:48 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-25 04:20 . 2008-03-25 04:20 93 --a------ C:\WINDOWS\wininit.ini
2008-03-25 03:34 . 2008-03-25 03:34 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-25 03:11 . 2008-03-25 03:11 <DIR> d-------- C:\Program Files\ToniArts
2008-03-25 00:28 . 2008-03-25 00:28 <DIR> d-------- C:\Documents and Settings\RASHMI BYREDDY\Application Data\Grisoft
2008-03-25 00:20 . 2008-03-25 00:20 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-03-24 23:59 . 2008-03-24 23:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-03-24 23:06 . 2008-03-24 23:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-03-24 21:10 . 2008-03-24 21:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-24 21:03 . 2003-11-12 21:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-03-24 20:55 . 2008-03-25 00:16 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-24 20:55 . 2008-03-24 20:55 <DIR> d-------- C:\Documents and Settings\SRIDHAR BYREDDY\Application Data\SUPERAntiSpyware.com
2008-03-24 20:55 . 2008-03-24 20:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-24 20:49 . 2008-03-24 20:49 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-24 20:49 . 2008-03-24 20:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-24 20:46 . 2008-03-24 20:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-24 20:45 . 2008-03-24 20:45 <DIR> d-------- C:\Program Files\CCleaner
2008-03-24 20:43 . 2008-03-24 20:43 <DIR> d-------- C:\Documents and Settings\SRIDHAR BYREDDY\Application Data\Grisoft
2008-03-24 20:42 . 2008-03-24 20:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-24 20:42 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-24 19:28 . 2008-03-24 20:20 1,577,812 ---hs---- C:\WINDOWS\system32\nxodtqvb.ini
2008-03-24 19:20 . 2008-03-24 19:20 19,968 --a------ C:\Program Files\360171.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 03:04 --------- d-----w C:\Program Files\PLATINUM
2008-03-25 09:48 --------- d-----w C:\Program Files\Java
2008-03-25 08:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-25 08:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-25 07:23 --------- d-----w C:\Documents and Settings\SRIDHAR BYREDDY\Application Data\Yahoo!
2008-03-25 07:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-25 07:20 --------- d-----w C:\Program Files\Yahoo!
2008-03-25 07:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-14 03:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-03-14 03:11 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-09-22 14:08 389,120 ----a-w C:\Documents and Settings\SRIDHAR BYREDDY\GoToAssist_phone__268_en.exe
2006-03-05 12:09 563,712 ----a-w C:\Documents and Settings\SRIDHAR BYREDDY\370_gotomypc.exe
2005-12-23 02:03 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26bd699d-cca5-4362-b832-0189506f450f}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90851FA4-FFDF-4CE0-9A6D-949BE3BACA51}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A159031A-70AD-4E19-8C48-228BAE35B4D3}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B0A18A12-63F9-6823-892B-3DE675830A91}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7356731-5355-444A-E083-AC864B106B68}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B859CDF5-27B7-4CBB-B4D4-6B1E92FEC58D}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 23:40 159744]
"ATIModeChange"="Ati2mdxx.exe" [2003-10-07 23:41 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"BM49b40045"="C:\WINDOWS\system32\dkyvqiqe.dll " [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 03:56 158208]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2003-09-12 01:10 335872 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a------ 2002-10-07 04:23 90112 C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a------ 2003-07-17 14:50 184412 C:\Program Files\HPQ\Default Settings\cpqset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 03:56 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a------ 2003-09-26 13:04 237568 C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2004-02-03 14:42 401491 C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 23:11 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
--a------ 2003-05-22 23:55 483328 C:\WINDOWS\System32\hphmon05.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
--a------ 2003-05-23 00:03 49152 C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-07-18 21:23 868352 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-05-01 22:44 65536 C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2003-10-31 02:16 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SAS Institute\\SAS\\V8\\sas.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-02-27 10:56]
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-02-27 10:56]
S2 pciinfo;HP Pci Information;C:\DOCUME~1\SRIDHA~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys []
S3 ExtranetAccess;Contivity VPN Service;"C:\Program Files\Nortel Networks\Extranet_serv.exe" [2002-02-27 10:48]
S3 MicroStrategy Logging Client;MicroStrategy Logging Client;"C:\Program Files\MicroStrategy\Narrowcast Server\Delivery Engine\MCLogSvc.exe" -N -b -c C:20020 -a S:20009 -P "C:\Program Files\MicroStrategy\Narrowcast Server\Delivery Engine\CSGW_Connection_Config.txt" -C "C:\Program Files\MicroStrategy\Narrowcast Server\Delivery Engine\CSGW_Consumer_Config.txt" -Q 64 []
S3 MicroStrategy System Monitor;MicroStrategy System Monitor;"C:\Program Files\MicroStrategy\Narrowcast Server\Delivery Engine\MCMemUsg.EXE" [2004-04-16 17:19]
S3 OracleOraDb10g_home1SNMPPeerEncapsulator;OracleOraDb10g_home1SNMPPeerEncapsulator;C:\oracle\product\10.1.0\Db_1\BIN\ENCSVC.EXE [2006-08-13 15:25]
S3 OracleOraDb10g_home1SNMPPeerMasterAgent;OracleOraDb10g_home1SNMPPeerMasterAgent;C:\oracle\product\10.1.0\Db_1\BIN\AGNTSVC.EXE [2006-08-13 15:25]
S3 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR []
S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE [2002-04-26 20:34]
S3 OracleServiceORCL;OracleServiceORCL;c:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE ORCL []
S3 pmxscan;USB ScanModule V5.1 Driver;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 01:58]
S3 XIRLINK;Veo PC Camera;C:\WINDOWS\system32\DRIVERS\ucdnt.sys [2001-08-01 15:49]
S4 OracleCSService;OracleCSService;C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe service []
S4 OracleJobSchedulerORCL;OracleJobSchedulerORCL;c:\oracle\product\10.1.0\db_1\Bin\extjob.exe ORCL []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cd09b656-4658-11db-850e-444553544200}]
\Shell\Auto\command - E:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 21:00:00 C:\WINDOWS\Tasks\{04DD23C6-5FD9-494F-8DAF-7BE4E55B6C96}_BYREDDY_SRIDHAR BYREDDY.job"
"2008-03-25 20:00:08 C:\WINDOWS\Tasks\{510928F9-A530-4CAA-97CC-8B0950D931C4}_BYREDDY_SRIDHAR BYREDDY.job"
"2008-03-25 13:00:11 C:\WINDOWS\Tasks\{F863E703-A06C-4BCB-90C3-AC9B1FCED89D}_BYREDDY_SRIDHAR BYREDDY.job"
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 23:43:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MicroStrategy Logging Client]
"ImagePath"="\"C:\Program Files\MicroStrategy\Narrowcast Server\Delivery Engine\MCLogSvc.exe\" -N -b -c C:20020 -a S:20009 -P \"C:\Program Files\MicroStrategy\Narrowcast Server\Delivery Engine\CSGW_Connection_Config.txt\" -C \"C:\Program Files\MicroStrategy\Narrowcast Server\Delivery Engine\CSGW_Consumer_Config.txt\" -Q 64"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraDb10g_home1TNSListener]
"ImagePath"="C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR "
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Apoint2K\Apntex.exe
.
**************************************************************************
.
Completion time: 2008-03-25 23:53:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-26 03:53:29
.
2008-03-25 04:23:42 --- E O F ---
========================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:46 AM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\SRIDHAR BYREDDY\Desktop\Clean UP\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = AOL.com - Welcome to AOL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = AOL.com - Welcome to AOL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {f054f605-9810-238b-2634-5accd996db62} - {26bd699d-cca5-4362-b832-0189506f450f} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {90851FA4-FFDF-4CE0-9A6D-949BE3BACA51} - (no file)
O2 - BHO: (no name) - {A159031A-70AD-4E19-8C48-228BAE35B4D3} - (no file)
O2 - BHO: (no name) - {B0A18A12-63F9-6823-892B-3DE675830A91} - (no file)
O2 - BHO: 0 - {B7356731-5355-444A-E083-AC864B106B68} - (no file)
O2 - BHO: (no name) - {B859CDF5-27B7-4CBB-B4D4-6B1E92FEC58D} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BM49b40045] Rundll32.exe "C:\WINDOWS\system32\dkyvqiqe.dll",s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .rx: C:\Program Files\Internet Explorer\Plugins\npwrqxrx.dll
O12 - Plugin for .rxc: C:\Program Files\Internet Explorer\Plugins\npwrqxrx.dll
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (Yahoo! MailTo) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SysMon - {cda37dbd-5d70-47f8-aa90-2b7beb8f5c62} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: MicroStrategy Logging Client - MicroStrategy Incorporated - C:\Program Files\MicroStrategy\Narrowcast Server\Delivery Engine\MCLogSvc.exe
O23 - Service: MicroStrategy System Monitor - MicroStrategy Incorporated - C:\Program Files\MicroStrategy\Narrowcast Server\Delivery Engine\MCMemUsg.EXE
O23 - Service: OracleOraDb10g_home1SNMPPeerEncapsulator - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb10g_home1SNMPPeerMasterAgent - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleServiceORCL - Oracle Corporation - c:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 8157 bytes


__________________
My real name is Eddy
  #5  
Old 03-26-2008
Pancake's Avatar
Senior Security Analyst
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 3,097
PC Experience: Elite PC Guru
Default Re: HJT Log - Prework Done!

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.

O2 - BHO: {f054f605-9810-238b-2634-5accd996db62} - {26bd699d-cca5-4362-b832-0189506f450f} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {90851FA4-FFDF-4CE0-9A6D-949BE3BACA51} - (no file)
O2 - BHO: (no name) - {A159031A-70AD-4E19-8C48-228BAE35B4D3} - (no file)
O2 - BHO: (no name) - {B0A18A12-63F9-6823-892B-3DE675830A91} - (no file)
O2 - BHO: 0 - {B7356731-5355-444A-E083-AC864B106B68} - (no file)
O2 - BHO: (no name) - {B859CDF5-27B7-4CBB-B4D4-6B1E92FEC58D} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [BM49b40045] Rundll32.exe "C:\WINDOWS\system32\dkyvqiqe.dll",s
O21 - SSODL: SysMon - {cda37dbd-5d70-47f8-aa90-2b7beb8f5c62} - (no file)

Reboot.......................

==================================

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:


Killall::
File::
C:\WINDOWS\system32\hjkormjj.exe
C:\WINDOWS\Installer\{b54853e4-2872-4c1c-b9fc-66ebfb20c38c}\zip.dll
C:\WINDOWS\Installer\{c763be1a-c6d5-4b82-9610-c36ff89943ff}\zip.dll
C:\WINDOWS\Installer\{cc335bfa-4c01-4655-b71c-3c84c84c488a}\zip.dll
C:\WINDOWS\system32\nxodtqvb.ini
C:\Program Files\360171.exe
C:\WINDOWS\system32\dkyvqiqe.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26bd699d-cca5-4362-b832-0189506f450f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90851FA4-FFDF-4CE0-9A6D-949BE3BACA51}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A159031A-70AD-4E19-8C48-228BAE35B4D3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B0A18A12-63F9-6823-892B-3DE675830A91}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7356731-5355-444A-E083-AC864B106B68}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B859CDF5-27B7-4CBB-B4D4-6B1E92FEC58D}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM49b40045"=-
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.

*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*


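As an added example (not code from the thread, nor from the HijackThis or ComboFix authors), this is the triage Pancake applied to the log above written out in Python: O2 BHO and O21 SSODL entries that resolve to "(no file)", plus an O4 Run value that loads a DLL out of system32 through Rundll32, are collected into the HJT fix list, and the same items are rendered as the File::/Registry:: block of a CFScript. The sample lines are copied from the log in this thread with two clean entries added as negatives; the Rundll32 rule is a triage heuristic that still needs a human look, exactly as it did here.

```python
import re

# Constructed sample: lines from the HijackThis log in this thread, plus one clean
# BHO (Adobe) and one clean Run entry (ZoneAlarm) that the rules must leave alone.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: 0 - {B7356731-5355-444A-E083-AC864B106B68} - (no file)
O4 - HKLM\\..\\Run: [BM49b40045] Rundll32.exe "C:\\WINDOWS\\system32\\dkyvqiqe.dll",s
O4 - HKLM\\..\\Run: [ZoneAlarm Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O21 - SSODL: SysMon - {cda37dbd-5d70-47f8-aa90-2b7beb8f5c62} - (no file)
"""

# HJT line shapes: "O2 - BHO: name - {CLSID} - path", "O4 - HIVE\..\Run: [value] command",
# "O21 - SSODL: name - {CLSID} - path".
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
SSODL_RE = re.compile(r"^O21 - SSODL: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUNDLL_RE = re.compile(r'^Rundll32\.exe\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)


def triage(log_text):
    """Return (fix_lines, cfscript): the HJT entries to tick and a matching CFScript."""
    fix, files, reg = [], [], []
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m and m["path"] == "(no file)":
            # Orphaned BHO: CLSID still registered, DLL gone -> remove the registration.
            fix.append(line)
            reg.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{m['clsid']}]")
            continue
        m = SSODL_RE.match(line)
        if m and m["path"] == "(no file)":
            fix.append(line)          # orphaned ShellServiceObjectDelayLoad entry
            continue
        m = RUN_RE.match(line)
        if m:
            d = RUNDLL_RE.match(m["cmd"])
            if d and "\\system32\\" in d["dll"].lower():
                # Rundll32 loading a bare DLL out of system32 at logon: heuristic hit.
                fix.append(line)
                files.append(d["dll"])
                hive = "HKEY_LOCAL_MACHINE" if m["hive"] == "HKLM" else "HKEY_CURRENT_USER"
                reg.append(f"[{hive}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]")
                reg.append(f'"{m["value"]}"=-')   # "=-" deletes the value in CFScript
    script = ["Killall::", "File::", *files, "Registry::", *reg]
    return fix, "\n".join(script)
```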
  #6  
Old 03-26-2008
Bronze Member
My PC
 
Join Date: Mar 2008
Posts: 23
PC Experience: Some Experience
Default Re: HJT Log - Prework Done!

I tried doing what you asked but ComboFix keeps stalling. I did not mouseclick on it or anything. I tried it twice and let it run for an hour both times. It got to the part about Deleting File/Folders: and stalled. So not sure what to do now?

Also sorry about the attachments. In the PreWork Instructions it says to always post the logs as attachments. You should have them change that then if that's wrong.


  #7  
Old 03-26-2008
Pancake's Avatar
Senior Security Analyst
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 3,097
PC Experience: Elite PC Guru
Default Re: HJT Log - Prework Done!

Can you just run Combofix and post a new log....?

