rond.starsdoor.com pop ups!Moved from WinNT by Murray

[crzeguy]

My computer has been slowing down lately and I have been getting these annoying popups! What can I do to get the rond.starsdoor.com pop ups to stop!!

Rey

[Jintan]

Duplicate request - see here.

[crzeguy]

I havent been helped yet

[Jintan]

I hadn't seen - you had posted in someone else's thread there. Yes, let's take a look at your system here.

Please download HijackThis from Here. Then click on the downloaded file to install HijackThis. After it is installed open HijackThis and select Do a system scan and save logfile. Use copy/paste and post that log back here for review.


Also go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here. You can use separate posts here if needed.

[crzeguy]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:26 PM, on 1/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb1 0.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\mrofinu72.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\WinAble\winable.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rey O\Local Settings\Temporary Internet Files\Content.IE5\YLAH4PKR\hijackthis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06C7CAB4-39AC-499F-BCD2-D487DAC7A73C} - C:\WINDOWS\system32\mljgh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {abd24352-7661-4260-894d-e3b7e698e811} - C:\WINDOWS\system32\c_1th3.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\s wg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C61794F7-112C-476C-89F0-EB7DA80D239C} - C:\Program Files\NetMeeting\mevofumyt24418.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb1 0.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227 A755E9C2933154389A284662E901F3D29332016DC76C5C01F3 7D84BBFD566D55F8540B30A647BA9CC625102CCE7003
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presar io&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O20 - Winlogon Notify: c_1th3 - c_1th3.dll (file missing)
O20 - Winlogon Notify: mljgh - mljgh.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\rteqem.html

--
End of file - 10442 bytes

[Jintan]

Did you have problems doing the Silent Runners step? Infection Is very much showing there, so we'll pass on that and start repairs here.

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs. Make sure you take the time to do this before proceeding.

Download ComboFix.exe from here to your desktop, and click the downloaded file to run the repair.

When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

(ComboFix will also disable any screensaver settings made, so know that at some point when we complete repairs you will need to reset your screensaver)

Post back the C:\ComboFix.txt log as well as a new HijackThis log please.

[crzeguy]

ComboFix 08-01-10.2 - Rey O 2008-01-10 10:25:35.1 - NTFSx86
Running from: C:\Documents and Settings\Rey O\Local Settings\Temporary Internet Files\Content.IE5\WDQV416R\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\inetget2
C:\Program Files\MSN\rteqem.html
C:\Program Files\NetMeeting\mevofumyt24418.dll
C:\Program Files\QdrDrive
C:\Program Files\Temporary
C:\Program Files\Temporary\wininstall.exe
C:\Program Files\WinAble
C:\Program Files\WinAble\winable.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b149.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\wnsxs~1

.
((((((((((((((((((((((((( Files Created from 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))
.

2008-01-10 10:24 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-21 21:21 . 2007-12-21 21:21 146,944 --a------ C:\WINDOWS\system32\1wiintemp.exe
2007-12-21 21:21 . 2007-12-30 20:41 130,048 --a------ C:\WINDOWS\system32\winskff11.dll
2007-12-21 21:21 . 2007-12-30 20:41 35,328 --a------ C:\WINDOWS\system32\winskwow.dll
2007-12-21 21:20 . 2007-12-21 21:20 52,224 --a------ C:\WINDOWS\system32\0wiintemp.exe
2007-12-21 21:20 . 2007-12-30 20:41 25,088 --a------ C:\WINDOWS\system32\winsckdo.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-01-10 07:11 --------- d-----w C:\Program Files\Semagic
2008-01-10 04:33 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-15 05:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-15 05:23 --------- d-----w C:\Program Files\Viewpoint
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 19:37 --------- d-----w C:\Program Files\Java
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 10:16 3,058,688 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 01:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-28 01:40 227,328 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:36 8,454,656 ------w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-11 23:47 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2007-10-11 06:13 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-10-11 06:13 659,456 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-11 06:13 615,424 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-11 06:13 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-11 06:13 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-11 06:13 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-10-11 06:13 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-11 06:13 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-10-11 06:13 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-10-11 06:13 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-10-11 06:13 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-11 06:13 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-11 06:13 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-10-11 06:13 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-11 06:13 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-10-11 06:13 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-10-11 06:13 1,023,488 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-10-10 11:16 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-21 05:21 642 ----a-w C:\Documents and Settings\Rey O\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{abd24352-7661-4260-894d-e3b7e698e811}]
C:\WINDOWS\system32\c_1th3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe" [2007-06-16 08:29 68856]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 17:16 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 09:00 339968]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 14:11 794624]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 04:12 102492]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 04:11 692316]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11 49152]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-10-13 15:04 278528]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-08-28 04:22 58488]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2004-10-28 22:58 33936]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 12:24 290816]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 13:01 233534]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwat cher.exe" [2004-10-14 12:54 253952]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-03 19:50 180269]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86 \3\hpztsb10.exe" [2004-06-21 02:40 172032]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-05 14:54 282624]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38]
HP Image Zone Fast Start.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c_1th3]
c_1th3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljgh]
mljgh.dll

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFH WATI.sys [2004-12-15 07:18]
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sy s [2001-08-17 14:05]
S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 14:05]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-10 15:46:34 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
************************************************** ************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-10 10:29:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????6?5?6?7??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
Completion time: 2008-01-10 10:30:46
ComboFix-quarantined-files.txt 2008-01-10 18:30:44
.
2008-01-09 11:03:06 --- E O F ---

[Jintan]

Progress, and more to go.

Be sure to temporarily disable any protective software when running the scan tools we use here.

You will need to move HijackThis from that temp location on your desktop so that changes made will be saved. Just create/select a permanent folder (not temp or desktop) and move the HijackThis.exe file there to click/run from that location.

Once you have done that Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\rteqem.html

------------------------------------------


Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

Code:

File::
C:\WINDOWS\system32\1wiintemp.exe
C:\WINDOWS\system32\winskff11.dll
C:\WINDOWS\system32\winskwow.dll
C:\WINDOWS\system32\0wiintemp.exe
C:\WINDOWS\system32\winsckdo.dll
C:\WINDOWS\system32\c_1th3.dll
C:\WINDOWS\system32\mljgh.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{abd24352-7661-4260-894d-e3b7e698e811}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c_1th3]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljgh]

Save this as "CFScript"

(include the "quotation marks" with the name)




Referring to the picture above, drag CFScript.txt into ComboFix.exe

ComboFix will now run as it did before. When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

-----------------------

Also Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

To use the scan, once the download has completed click Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click My Computer to begin the scan. Save the Report as a text file and post that back here.

To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".

Post back that log along with with ComboFix log and a new HijackThis log please.

[crzeguy]

I did the scan but didnt see:

O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\rteqem.html

[Jintan]

Stay with a flow there - doing good. Just move on to the next steps so we don't allow malware a chance to regroup.