> Virtumond, VundoFix and VirtumondbeGone resistant.....
hillie16
Posted Jul 22 2008, 07:20 PM

My parents have it on their computer, and I'm trying to remove it for them. My sister and all her friends use this computer too, so who knows what all is on it.....

Kaspersky Scan...

Tuesday, July 22, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 22, 2008 23:34:08
Records in database: 987374


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics
Files scanned 94354
Threat name 8
Infected objects 14
Suspicious objects 0
Duration of the scan 01:37:01

File name Threat name Threats count
C:\Documents and Settings\HP_Administrator\Application Data\HouseCall 6.6\Backup\824223.dll.bac_a04032 Infected: not-a-virus:AdWare.Win32.E404.be 1

C:\Documents and Settings\HP_Administrator\Application Data\HouseCall 6.6\Backup\antvrs.exe.bac_a04032 Infected: Trojan-Downloader.Win32.FraudLoad.vaeg 1

C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\B5JM7KGC\kb671231[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.aawg 1

C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\GY1I6IPJ\AV2009Install_77052207[1].exe Infected: Trojan.Win32.Pakes.juu 1

C:\hp\bin\wbug\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2

C:\Program Files\Mozilla Firefox\plugins\NPMySrWB.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i 1

C:\Program Files\Online Services\PeoplePC\ISP5900\Branding\ppal3ppc.exe Infected: not-a-virus:AdWare.Win32.Agent.aeh 1

C:\WINDOWS\system32\hxrxomfd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.abet 1

C:\WINDOWS\system32\wwujinlk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aawg 1

D:\I386\APPS\APP19557\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2

D:\I386\APPS\APP19557\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2

The selected area was scanned.


HJT Scan

Deckard's System Scanner v20071014.68
Run by HP_Administrator on 2008-07-22 20:11:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-07-23 00:11:08 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as HP_Administrator.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:13:26, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\jkos-HP_Administrator\binaries\ScanningProcess.exe
C:\Documents and Settings\HP_Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP_Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {149813CF-AFC1-4AC2-A404-B8AA402F323A} - C:\WINDOWS\system32\efcAPGaw.dll (file missing)
O2 - BHO: (no name) - {2A3B1EF8-0695-4A04-AA6F-7DC2EFE4ACED} - C:\WINDOWS\system32\qoMfFVPf.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: {4e6f24a2-d754-8d4a-a5a4-b227148a576f} - {f675a841-722b-4a5a-a4d8-457d2a42f6e4} - C:\WINDOWS\system32\kffmnk.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab
O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://wpn.mlxchange.com/Control/SISC.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://wpn.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://wpn.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://wpn.mlxchange.com/4.2.07.27/Control/IRCSharc.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7382 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>

S0 ftsata2 - c:\windows\system32\drivers\ftsata2.sys (file missing)
S3 grmnusb - c:\windows\system32\drivers\grmnusb.sys <Not Verified; GARMIN Corp.; Garmin USB GPS>
S4 intelppm (Intel Processor Driver) - c:\windows\system32\drivers\intelppm.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia 5300
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia 5300
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd


-- Scheduled Tasks -------------------------------------------------------------

2008-07-11 14:22:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-22 and 2008-07-22 -----------------------------

2008-07-22 20:13:13 0 d-------- C:\Program Files\Trend Micro
2008-07-22 00:39:55 81184 --a------ C:\WINDOWS\system32\hyaangte.dll
2008-07-22 00:37:44 105280 --a------ C:\WINDOWS\system32\kffmnk.dll
2008-07-22 00:37:42 105280 --a------ C:\WINDOWS\system32\tnfibhbx.dll
2008-07-20 22:57:09 105248 --a------ C:\WINDOWS\system32\vlcjbn.dll
2008-07-20 22:57:09 105248 --a------ C:\WINDOWS\system32\tdculypc.dll
2008-07-20 22:54:13 81216 --a------ C:\WINDOWS\system32\hxrxomfd.dll
2008-07-20 22:54:07 91520 --a------ C:\WINDOWS\system32\butkrhhx.dll
2008-07-20 22:51:27 105248 --a------ C:\WINDOWS\system32\eppisd.dll
2008-07-20 22:51:25 105248 --a------ C:\WINDOWS\system32\wojonikh.dll
2008-07-20 22:51:16 91520 --a------ C:\WINDOWS\system32\mardefgu.dll
2008-07-19 21:52:54 105296 --a------ C:\WINDOWS\system32\zvkkal.dll
2008-07-19 21:52:53 105296 --a------ C:\WINDOWS\system32\mymvyxnn.dll
2008-07-19 21:52:45 91456 --a------ C:\WINDOWS\system32\ongmhlac.dll
2008-07-19 06:17:44 105296 --a------ C:\WINDOWS\system32\zhzduw.dll
2008-07-19 06:17:43 105296 --a------ C:\WINDOWS\system32\xmtixapq.dll
2008-07-19 06:14:54 91456 --a------ C:\WINDOWS\system32\cxlmijet.dll
2008-07-17 22:22:07 105200 --a------ C:\WINDOWS\system32\tmydvc.dll
2008-07-17 22:22:06 105200 --a------ C:\WINDOWS\system32\nsthjneh.dll
2008-07-17 22:17:13 91440 --a------ C:\WINDOWS\system32\jjvwnyun.dll
2008-07-17 13:48:45 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\MSNInstaller
2008-07-16 21:15:58 105264 --a------ C:\WINDOWS\system32\cbkuma.dll
2008-07-16 21:15:57 105264 --a------ C:\WINDOWS\system32\jxrxpnwh.dll
2008-07-16 21:13:30 91440 --a------ C:\WINDOWS\system32\wwujinlk.dll
2008-07-15 22:59:43 0 dr-h----- C:\Documents and Settings\HP_Administrator\Recent
2008-07-15 21:50:09 81184 --a------ C:\WINDOWS\system32\pfejxqhh.dll
2008-07-15 21:47:10 105232 --a------ C:\WINDOWS\system32\dibozo.dll
2008-07-15 21:47:08 105232 --a------ C:\WINDOWS\system32\peindfwd.dll
2008-07-15 21:44:36 91440 --a------ C:\WINDOWS\system32\wrmfhmpb.dll
2008-07-11 04:01:22 751834 --ahs---- C:\WINDOWS\system32\fPVFfMoq.ini2
2008-07-11 04:01:14 314608 --a------ C:\WINDOWS\system32\qoMfFVPf.dll
2008-06-26 17:52:05 71127 --a------ C:\WINDOWS\hpqins01.dat
2008-06-26 17:39:10 71216 --a------ C:\WINDOWS\hpqins09.dat
2008-06-26 01:22:57 0 d-------- C:\fonts
2008-06-24 21:04:45 1782 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-24 20:39:27 0 d-------- C:\VundoFix Backups
2008-06-24 20:05:39 691545 --a------ C:\WINDOWS\unins000.exe
2008-06-24 20:05:39 2561 --a------ C:\WINDOWS\unins000.dat
2008-06-24 19:03:24 0 d-------- C:\Program Files\Lavasoft
2008-06-24 19:03:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-24 19:03:00 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-24 15:09:45 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\HouseCall 6.6
2008-06-22 21:54:08 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Antivirus2008y


-- Find3M Report ---------------------------------------------------------------

2008-07-17 13:43:24 0 d-------- C:\Program Files\Sonic
2008-07-17 13:43:17 0 d-------- C:\Program Files\Common Files
2008-07-17 13:41:51 0 d-------- C:\Program Files\Ahead
2008-07-17 13:41:50 0 d-------- C:\Program Files\Common Files\Ahead
2008-07-17 13:37:51 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-17 13:35:33 0 d-------- C:\Program Files\iPod
2008-07-16 22:10:52 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Nokia
2008-07-13 13:28:07 0 d-------- C:\Program Files\PokerStars.NET
2008-07-07 04:04:52 0 d-------- C:\Program Files\LimeWire
2008-06-27 12:39:52 95760 --a------ C:\Documents and Settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-06-26 17:56:30 89224 --a----c- C:\WINDOWS\hpoins06.dat
2008-06-26 17:27:02 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Image Zone Express
2008-06-26 17:21:01 0 d-------- C:\Program Files\HP
2008-06-24 19:27:37 0 d-------- C:\Program Files\Google
2008-06-24 18:57:30 0 d-------- C:\Program Files\Viewpoint
2008-06-24 18:56:47 0 d-------- C:\Program Files\Quicken
2008-06-24 18:56:05 0 d-------- C:\Program Files\muvee Technologies
2008-06-24 18:56:00 0 d-------- C:\Program Files\Common Files\muvee Technologies
2008-06-24 18:42:06 0 d-------- C:\Program Files\HP Games
2008-06-24 18:41:53 0 d-------- C:\Program Files\WildTangent
2008-06-24 18:36:35 0 d-------- C:\Program Files\Cosmi
2008-06-24 18:35:59 0 d-------- C:\Program Files\Common Files\Real
2008-06-24 18:35:31 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-24 18:32:48 0 d-------- C:\Program Files\InterActual
2008-06-24 18:30:19 0 d-------- C:\Program Files\Coupons
2008-06-11 20:03:07 150 --a------ C:\AUTOEXEC.BAT
2008-06-11 19:58:51 0 d-------- C:\Program Files\Sony Corporation
2008-06-11 19:50:33 0 d-------- C:\Program Files\Picture Package Applications
2008-06-11 19:50:30 0 d-------- C:\Program Files\Picture Package Viewer
2008-06-11 00:29:18 0 d-------- C:\Program Files\84_rock
2008-06-11 00:29:00 0 d-------- C:\Program Files\aftershockdebris
2008-06-11 00:28:53 0 d-------- C:\Program Files\ben_krush
2008-06-11 00:28:47 0 d-------- C:\Program Files\gravel
2008-06-11 00:28:42 0 d-------- C:\Program Files\jj_stencil
2008-06-11 00:28:35 0 d-------- C:\Program Files\rough_draft
2008-06-11 00:28:29 0 d-------- C:\Program Files\steel_town
2008-06-11 00:28:21 0 d-------- C:\Program Files\threedimensional
2008-06-11 00:28:05 0 d-------- C:\Program Files\weathered_brk
2008-06-11 00:27:06 22238 --a------ C:\Program Files\84_rock.zip
2008-06-11 00:26:58 32788 --a------ C:\Program Files\jj_stencil.zip
2008-06-11 00:23:33 61391 --a------ C:\Program Files\gravel.zip
2008-06-11 00:20:42 115697 --a------ C:\Program Files\weathered_brk.zip
2008-06-11 00:19:35 115172 --a------ C:\Program Files\steel_town.zip
2008-06-11 00:18:40 158464 --a------ C:\Program Files\threedimensional.zip
2008-06-11 00:17:46 30802 --a------ C:\Program Files\ben_krush.zip
2008-06-11 00:15:14 28609 --a------ C:\Program Files\rough_draft.zip
2008-06-11 00:04:48 130936 --a------ C:\Program Files\aftershockdebris.zip
2008-06-11 00:00:47 129556 --a------ C:\Program Files\CARBTIM.TTF
2008-06-10 23:38:16 0 d-------- C:\Program Files\wood2
2008-06-10 23:37:32 64428 --a------ C:\Program Files\wood2.zip
2008-06-10 23:31:51 0 d-------- C:\Program Files\boards
2008-06-10 23:29:49 139622 --a------ C:\Program Files\boards.zip
2008-05-07 19:27:10 1954 --a------ C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{149813CF-AFC1-4AC2-A404-B8AA402F323A}]
C:\WINDOWS\system32\efcAPGaw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A3B1EF8-0695-4A04-AA6F-7DC2EFE4ACED}]
07/11/2008 04:01 314608 --a------ C:\WINDOWS\system32\qoMfFVPf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f675a841-722b-4a5a-a4d8-457d2a42f6e4}]
07/22/2008 00:37 105280 --a------ C:\WINDOWS\system32\kffmnk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 17:01]
"ftutil2"="ftutil2.dll" [06/07/2004 10:05 C:\WINDOWS\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [06/13/2006 16:05 C:\WINDOWS\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [08/02/2005 19:19 C:\WINDOWS\arpwrmsg.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05/09/2006 11:50]
"nwiz"="nwiz.exe" [05/09/2006 11:50 C:\WINDOWS\system32\nwiz.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [07/22/2005 18:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/11/2007 11:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 21:05]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/11/2005 11:23:26 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{149813CF-AFC1-4AC2-A404-B8AA402F323A}"= C:\WINDOWS\system32\efcAPGaw.dll [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\qoMfFVPf

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
backup=C:\WINDOWS\pss\Updates From HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\580416ab]
rundll32.exe "C:\WINDOWS\system32\hyaangte.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antivirus2008y]
C:\Program Files\Antivirus2008y\antvrs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM5b372537]
Rundll32.exe "C:\WINDOWS\system32\xdbtfxjx.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
C:\Program Files\DISC\DISCover.exe nogui

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
"c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ImgTask]
C:\WINDOWS\Imgtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
"C:\Windows\Creator\Remind_XP.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8744 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-22 20:13:55 ------------


extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 X2 Dual Core Processor 4200+
CPU 1: AMD Athlon™ 64 X2 Dual Core Processor 4200+
Percentage of Memory in Use: 29%
Physical Memory (total/avail): 1982.48 MiB / 1407.54 MiB
Pagefile Memory (total/avail): 3875.78 MiB / 3325.72 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1923.54 MiB

C: is Fixed (NTFS) - 289.23 GiB total, 270.63 GiB free.
D: is Fixed (FAT32) - 8.83 GiB total, 0.61 GiB free.
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)

\\.\PHYSICALDRIVE0 - ST3320820AS - 298.09 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 289.23 GiB - C:
\PARTITION1 - Unknown - 8.85 GiB - D:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device

\\.\PHYSICALDRIVE5 - HP Photosmart 3210 USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: Norton Internet Worm Protection v2006 (Symantec) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Enabled:Updates from HP"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Activision Value\\World Series of Poker TOC\\WSOPTOC.exe"="C:\\Program Files\\Activision Value\\World Series of Poker TOC\\WSOPTOC.exe:*:Disabled:WSOPTOC"
"E:\\setup\\HPZnet01.exe"="E:\\setup\\HPZnet01.exe:*:Disabled:Install Consumer Experience Network Plug in"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Disabled:AOL Loader"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Disabled:Earthlink"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Disabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Disabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Disabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Disabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Disabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Disabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Disabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Disabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Disabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Disabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Disabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Disabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Disabled:hpzwiz01.exe"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Disabled:Updates from HP"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\HP_Administrator\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-4DACD0EA75
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\HP_Administrator
LOGONSERVER=\\YOUR-4DACD0EA75
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\PC Connectivity Solution\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\QuickTime\QTSystem\;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625;C:\PROGRA~1\COMMON~1\MUVEET~1\030625;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 75 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4b02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SonicCentral=c:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp
USERDOMAIN=YOUR-4DACD0EA75
USERNAME=HP_Administrator
USERPROFILE=C:\Documents and Settings\HP_Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

HP_Administrator (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {F80239D8-7811-4D5E-B033-0D0BBFE32920}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
1000 Solitaire Games --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Cosmi\1000 Solitaire Games\DeIsL1.isu" -c"C:\Program Files\Cosmi\1000 Solitaire Games\_ISREG32.DLL"
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Ahead InCD EasyWrite Reader --> C:\WINDOWS\unmrw.exe /UNINSTALL
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Cabela's Trophy Bucks --> MsiExec.exe /I{D17C4B85-A12C-442F-81A6-21EAB64F014A}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Data Fax SoftModem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1\HXFSETUP.EXE -U -ITrx200Ck.inf
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
Enhanced Multimedia Keyboard Solution --> C:\HP\KBD\Install.exe /u
First Step Guide --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C797EAF2-707A-4239-BDF3-F2672314A734}\setup.exe" -l0x9 UNINSTALL
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HouseCall 6.6 --> "C:\Documents and Settings\HP_Administrator\Application Data\HouseCall 6.6\uninstaller.exe"
HP Boot Optimizer --> MsiExec.exe /X{1341D838-719C-4A05-B50F-49420CA1B4BB}
HP DigitalMedia Archive --> MsiExec.exe /X{F80239D8-7811-4D5E-B033-0D0BBFE32920}
HP Imaging Device Functions 5.3 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Essential --> MsiExec.exe /X{856D4888-3B48-4D0C-99D4-39AA7CF9DB2E}
HP Photosmart Premier Software 6.5 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 5.3.A --> "C:\Program Files\HP\Digital Imaging\{3E386744-10FA-44b2-98C9-DF7A270DECB3}\setup\hpzscr01.exe" -datfile hposcr06.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.3 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update --> MsiExec.exe /X{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}
HP Web Helper --> regsvr32 /u /s "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll"
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft Away Mode -->
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Money 2006 --> "C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Office Publisher 2003 --> MsiExec.exe /I{91190409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003 60 days trial --> c:\hp\bin\cloaker.exe c:\hp\bin\MSOffice\uninst.cmd
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWudf01005$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
Nokia Connectivity Cable Driver --> MsiExec.exe /X{0A3D3C54-2EC0-4D67-B265-FF17926E6D67}
Nokia PC Suite --> MsiExec.exe /I{D89AC4DF-7A00-4D0B-BA99-D582C7974A09}
NVIDIA Drivers --> C:\WINDOWS\system32\nvunrm.exe UninstallGUI
PC Connectivity Solution --> MsiExec.exe /I{AB2347E4-153B-4194-AA3B-97C0A662B369}
Picture Package --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1E2F8AE3-3437-44E6-BB75-E95751D6B83F}\setup.exe" -l0x9 UNINSTALL
PokerStars.net --> C:\Program Files\PokerStars.NET\Uninstall.EXE /u:"PokerStars.net"
QuickTime --> MsiExec.exe /I{E0D51394-1D45-460A-B62D-383BC4F8B335}
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
Remove WeatherBug Installer --> c:\hp\bin\cloaker.exe c:\hp\bin\commands.exe /c c:\hp\bin\wbug\clean.bat
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sonic Express Labeler --> MsiExec.exe /X{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic RecordNow Audio --> MsiExec.exe /X{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy --> MsiExec.exe /X{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data --> MsiExec.exe /X{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager --> MsiExec.exe /X{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Sony USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
Updates from HP (remove only) --> C:\WINDOWS\HPCPCUninstall-9972322\HPBWSetup.exe -appid 9972322 -uninstall
Windows Driver Package - Nokia (WUDFRd) WPD (11/03/2006 6.82.26.2) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccswpddri_6B630EE2E66584353C6CD8683D447072872F34D8\pccswpddriver.inf
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_4EFFAAE27A08EDFDE145390033D8EF099DA65567\nokbtmdm.inf
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB908246 --> "C:\WINDOWS\$NtUninstallKB908246$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB925766 --> "C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe"
World Series of Poker: TOC --> C:\Program Files\Activision Value\World Series of Poker TOC\Uninstall.exe
Yahoo! Toolbar for Internet Explorer --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type3052 / Error
Event Submitted/Written: 07/22/2008 03:46:59 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application rundll32.exe, version 5.1.2600.2180, faulting module unknown, version 0.0.0.0, fault address 0x10001c9e.
Processing media-specific event for [rundll32.exe!ws!]

Event Record #/Type3051 / Error
Event Submitted/Written: 07/22/2008 01:45:02 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16674, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type3050 / Error
Event Submitted/Written: 07/22/2008 01:43:35 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16674, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f29.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type3049 / Error
Event Submitted/Written: 07/22/2008 01:40:18 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application acrord32.exe, version 8.1.0.137, faulting module acrord32.dll, version 8.1.2.86, fault address 0x000961a2.
Processing media-specific event for [acrord32.exe!ws!]

Event Record #/Type3048 / Error
Event Submitted/Written: 07/22/2008 00:37:50 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16674, faulting module unknown, version 0.0.0.0, fault address 0x079f1557.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type66181 / Error
Event Submitted/Written: 07/22/2008 06:23:17 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
ftsata2

Event Record #/Type66176 / Error
Event Submitted/Written: 07/22/2008 06:22:05 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type66172 / Error
Event Submitted/Written: 07/22/2008 05:25:40 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AmdK8
Fips
ftsata2

Event Record #/Type66171 / Error
Event Submitted/Written: 07/22/2008 05:24:25 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type66146 / Error
Event Submitted/Written: 07/22/2008 04:33:42 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
ftsata2



-- End of Deckard's System Scanner: finished at 2008-07-22 20:13:55 ------------


fenzodahl512
post Jul 23 2008, 01:50 PM
Post #2


Distinguished Member
*****

Group: HJT Team
Posts: 850
Joined: 4-December 07
Member No.: 174,482



Hello, my name is fenzodahl512 and welcome to BC.

Please visit the webpage below for instructions on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.


Regards
fenzodahl512


--------------------
Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..

Away 1 Nov - 1 Dec

hillie16
post Jul 24 2008, 06:47 AM
Post #3





ComboFix 08-07-23.5 - HP_Administrator 2008-07-24 7:37:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1519 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\HP_Administrator\Application Data\Antivirus2008y
C:\Documents and Settings\HP_Administrator\Application Data\Antivirus2008y\antvrs.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\butkrhhx.dll
C:\WINDOWS\system32\cbkuma.dll
C:\WINDOWS\system32\ccnbfgcu.ini
C:\WINDOWS\system32\cxlmijet.dll
C:\WINDOWS\system32\dfmoxrxh.ini
C:\WINDOWS\system32\dibozo.dll
C:\WINDOWS\system32\eppisd.dll
C:\WINDOWS\system32\etgnaayh.ini
C:\WINDOWS\system32\fPVFfMoq.ini
C:\WINDOWS\system32\fPVFfMoq.ini2
C:\WINDOWS\system32\hhqxjefp.ini
C:\WINDOWS\system32\hvxagxwu.dll
C:\WINDOWS\system32\hxrxomfd.dll
C:\WINDOWS\system32\hyaangte.dll
C:\WINDOWS\system32\iajpcdue.ini
C:\WINDOWS\system32\jjvwnyun.dll
C:\WINDOWS\system32\jxrxpnwh.dll
C:\WINDOWS\system32\kffmnk.dll
C:\WINDOWS\system32\mardefgu.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mymvyxnn.dll
C:\WINDOWS\system32\nlwftykj.dll
C:\WINDOWS\system32\npxehmrw.dll
C:\WINDOWS\system32\nsthjneh.dll
C:\WINDOWS\system32\ongmhlac.dll
C:\WINDOWS\system32\owbusmxi.ini
C:\WINDOWS\system32\peindfwd.dll
C:\WINDOWS\system32\pfejxqhh.dll
C:\WINDOWS\system32\qoMfFVPf.dll
C:\WINDOWS\system32\tdculypc.dll
C:\WINDOWS\system32\tmydvc.dll
C:\WINDOWS\system32\tnfibhbx.dll
C:\WINDOWS\system32\vlcjbn.dll
C:\WINDOWS\system32\webpkyvp.ini
C:\WINDOWS\system32\wojonikh.dll
C:\WINDOWS\system32\wrmfhmpb.dll
C:\WINDOWS\system32\wrmhexpn.ini
C:\WINDOWS\system32\wwujinlk.dll
C:\WINDOWS\system32\xmtixapq.dll
C:\WINDOWS\system32\zhzduw.dll
C:\WINDOWS\system32\zidtlr.dll
C:\WINDOWS\system32\zvkkal.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
.

2008-07-22 20:13 . 2008-07-22 20:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-22 20:10 . 2008-07-22 20:10 <DIR> d-------- C:\Deckard
2008-07-22 01:48 . 2008-07-22 01:48 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-22 01:48 . 2008-07-22 01:48 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-17 13:48 . 2008-07-17 13:48 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\MSNInstaller
2008-07-15 21:44 . 2008-07-24 07:09 110,428 --a------ C:\WINDOWS\BM5b372537.xml
2008-06-26 17:52 . 2008-06-26 17:53 71,127 --a------ C:\WINDOWS\hpqins01.dat
2008-06-26 17:39 . 2008-06-26 17:40 71,216 --a------ C:\WINDOWS\hpqins09.dat
2008-06-26 17:37 . 2008-06-26 17:38 362 --a------ C:\WINDOWS\hpntwksetup.ini
2008-06-26 01:22 . 2008-06-26 02:59 <DIR> d-------- C:\fonts
2008-06-24 21:04 . 2008-06-24 21:06 1,782 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-24 20:39 . 2008-06-24 20:39 <DIR> d-------- C:\VundoFix Backups
2008-06-24 20:05 . 2008-06-24 20:04 691,545 --a------ C:\WINDOWS\unins000.exe
2008-06-24 20:05 . 2008-06-24 20:05 2,561 --a------ C:\WINDOWS\unins000.dat
2008-06-24 19:03 . 2008-06-24 19:03 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-24 19:03 . 2008-06-24 19:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-24 19:03 . 2008-06-24 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-24 15:10 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-24 15:09 . 2008-06-24 18:29 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\HouseCall 6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 17:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-17 17:43 --------- d-----w C:\Program Files\Sonic
2008-07-17 17:41 --------- d-----w C:\Program Files\Common Files\Ahead
2008-07-17 17:41 --------- d-----w C:\Program Files\Ahead
2008-07-17 17:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-17 17:35 --------- d-----w C:\Program Files\iPod
2008-07-17 02:10 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Nokia
2008-07-13 17:28 --------- d-----w C:\Program Files\PokerStars.NET
2008-07-07 08:04 --------- d-----w C:\Program Files\LimeWire
2008-06-27 16:39 95,760 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-06-26 21:27 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Image Zone Express
2008-06-26 21:21 --------- d-----w C:\Program Files\HP
2008-06-25 00:09 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-24 23:27 --------- d-----w C:\Program Files\Google
2008-06-24 22:57 --------- d-----w C:\Program Files\Viewpoint
2008-06-24 22:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-24 22:56 --------- d-----w C:\Program Files\Quicken
2008-06-24 22:56 --------- d-----w C:\Program Files\muvee Technologies
2008-06-24 22:56 --------- d-----w C:\Program Files\Common Files\muvee Technologies
2008-06-24 22:42 --------- d-----w C:\Program Files\HP Games
2008-06-24 22:41 --------- d-----w C:\Program Files\WildTangent
2008-06-24 22:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
2008-06-24 22:36 --------- d-----w C:\Program Files\Cosmi
2008-06-24 22:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-24 22:35 --------- d-----w C:\Program Files\Common Files\Real
2008-06-24 22:32 --------- d-----w C:\Program Files\InterActual
2008-06-24 22:30 --------- d-----w C:\Program Files\Coupons
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 23:58 --------- d-----w C:\Program Files\Sony Corporation
2008-06-11 23:50 --------- d-----w C:\Program Files\Picture Package Viewer
2008-06-11 23:50 --------- d-----w C:\Program Files\Picture Package Applications
2008-06-11 04:29 --------- d-----w C:\Program Files\aftershockdebris
2008-06-11 04:29 --------- d-----w C:\Program Files\84_rock
2008-06-11 04:28 --------- d-----w C:\Program Files\weathered_brk
2008-06-11 04:28 --------- d-----w C:\Program Files\threedimensional
2008-06-11 04:28 --------- d-----w C:\Program Files\steel_town
2008-06-11 04:28 --------- d-----w C:\Program Files\rough_draft
2008-06-11 04:28 --------- d-----w C:\Program Files\jj_stencil
2008-06-11 04:28 --------- d-----w C:\Program Files\gravel
2008-06-11 04:28 --------- d-----w C:\Program Files\ben_krush
2008-06-11 04:27 22,238 ----a-w C:\Program Files\84_rock.zip
2008-06-11 04:26 32,788 ----a-w C:\Program Files\jj_stencil.zip
2008-06-11 04:23 61,391 ----a-w C:\Program Files\gravel.zip
2008-06-11 04:20 115,697 ----a-w C:\Program Files\weathered_brk.zip
2008-06-11 04:19 115,172 ----a-w C:\Program Files\steel_town.zip
2008-06-11 04:18 158,464 ----a-w C:\Program Files\threedimensional.zip
2008-06-11 04:17 30,802 ----a-w C:\Program Files\ben_krush.zip
2008-06-11 04:15 28,609 ----a-w C:\Program Files\rough_draft.zip
2008-06-11 04:04 130,936 ----a-w C:\Program Files\aftershockdebris.zip
2008-06-11 04:00 129,556 ----a-w C:\Program Files\CARBTIM.TTF
2008-06-11 03:38 --------- d-----w C:\Program Files\wood2
2008-06-11 03:37 64,428 ----a-w C:\Program Files\wood2.zip
2008-06-11 03:31 --------- d-----w C:\Program Files\boards
2008-06-11 03:29 139,622 ----a-w C:\Program Files\boards.zip
2008-06-05 13:51 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-07 23:27 1,954 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2006-12-17 01:13 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 17:01 67584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-09 11:50 7311360]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 18:14 237568]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"ftutil2"="ftutil2.dll" [2004-06-07 10:05 106496 C:\WINDOWS\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 16:05 16239616 C:\WINDOWS\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 19:19 77312 C:\WINDOWS\arpwrmsg.exe]
"nwiz"="nwiz.exe" [2006-05-09 11:50 1519616 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-10-28 01:28:58 27136]
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-10-28 01:28:58 27136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
backup=C:\WINDOWS\pss\Updates From HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
--a------ 2006-04-13 05:05 90112 c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 16:24 54840 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2006-02-15 18:34 249856 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ImgTask]
-ra------ 2006-12-12 23:26 20480 C:\WINDOWS\Imgtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-11-08 13:27 222208 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a--c--- 2004-12-13 22:23 663552 C:\WINDOWS\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 21:05 204288 C:\Program Files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Activision Value\\World Series of Poker TOC\\WSOPTOC.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R3 CXFALCON;Conexant Falcon II NTSC Video Capture;C:\WINDOWS\system32\drivers\cxfalcon.sys [2006-04-20 10:35]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
Contents of the 'Scheduled Tasks' folder
"2008-07-11 18:22:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{149813CF-AFC1-4AC2-A404-B8AA402F323A} - C:\WINDOWS\system32\efcAPGaw.dll
HKLM-Run-580416ab - C:\WINDOWS\system32\npxehmrw.dll
HKLM-Run-BM5b372537 - C:\WINDOWS\system32\hvxagxwu.dll
ShellExecuteHooks-{149813CF-AFC1-4AC2-A404-B8AA402F323A} - C:\WINDOWS\system32\efcAPGaw.dll
MSConfigStartUp-580416ab - C:\WINDOWS\system32\hyaangte.dll
MSConfigStartUp-Antivirus2008y - C:\Program Files\Antivirus2008y\antvrs.exe
MSConfigStartUp-BM5b372537 - C:\WINDOWS\system32\xdbtfxjx.dll
MSConfigStartUp-DISCover - C:\Program Files\DISC\DISCover.exe
MSConfigStartUp-Google Desktop Search - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-NeroFilterCheck - C:\WINDOWS\system32\NeroCheck.exe
MSConfigStartUp-swg - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O16 -: {284DAE3C-A691-11D3-AD58-00E0B8107A24} - hxxp://wpn.mlxchange.com/Control/SISC.cab
C:\WINDOWS\Downloaded Program Files\SISCCab.inf
C:\WINDOWS\Downloaded Program Files\SISC.dll

O16 -: {4989312D-58CF-11D5-A7D7-00E02911103E} - hxxp://wpn.mlxchange.com/Control/MultiSelectComboBox.cab
C:\WINDOWS\Downloaded Program Files\MultiSelectComboBoxCab.inf
C:\WINDOWS\system32\msvcr71.dll
C:\WINDOWS\system32\MFC71.dll
C:\WINDOWS\Downloaded Program Files\MultiSelectComboBox.dll

O16 -: {6FD482A3-7B57-438B-B040-52CAA30147EE} - hxxp://wpn.mlxchange.com/Control/MLXClientUtils.cab
C:\WINDOWS\Downloaded Program Files\MLXClientUtilsCab.inf
C:\WINDOWS\system32\msvcr71.dll
C:\WINDOWS\system32\MFC71.dll
C:\WINDOWS\Downloaded Program Files\MLXClientUtils.dll

O16 -: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://wpn.mlxchange.com/4.2.07.27/Control/IRCSharc.cab
C:\WINDOWS\Downloaded Program Files\IRCSharcCab.inf
C:\WINDOWS\system32\msvcr71.dll
C:\WINDOWS\system32\MFC71.dll
C:\WINDOWS\system32\missouri.dll
C:\WINDOWS\system32\GeacView.dll
C:\WINDOWS\Downloaded Program Files\GeacRevw.ocx


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-24 07:42:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2008-07-24 7:45:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-24 11:45:00

Pre-Run: 290,486,493,184 bytes free
Post-Run: 290,459,729,920 bytes free

310 --- E O F --- 2008-07-10 07:00:36





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:45:31, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab
O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://wpn.mlxchange.com/Control/SISC.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://wpn.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://wpn.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://wpn.mlxchange.com/4.2.07.27/Control/IRCSharc.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7276 bytes
 
fenzodahl512