Viruses


12 replies to this topic

#1 playforfun23


  • Members
  • 9 posts

Posted 06 September 2007 - 06:56 PM

OK, so I have done a few things and removed most of the threats and my computer is working much much better. But I just wanted to make sure that I am 100% clear of viruses. Also I am concerned about the damage the viruses have left behind, my computer is slower and when I open my cpu I get a few random pop-up windows with headers that say something about system32. Anyways here is the hijack report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:47:10 PM, on 06/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\PokerStars\PokerStars.exe
C:\Program Files\PokerStars\PokerStarsCommunicate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39C6B6C8-E01E-3175-B583-04FDA1EE088B} - C:\PROGRAM FILES\JEOKAYCN\CUFIIBBJ.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SSC_UserPrompt] "c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [kvslypyp] rundll32.exe "C:\Program Files\kvslypyp\mtqhsnox.dll",Init
O4 - HKLM\..\Run: [lajixexm] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lajixexm.dll"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [Tbsa] "C:\PROGRA~1\SSEMBL~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [Gufms] C:\WINDOWS\?dobe\w?nspool.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?c0583d8e961641ca945821d772521c10
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?c0583d8e961641ca945821d772521c10
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winepi32 - winepi32.dll (file missing)
O21 - SSODL: qbkJOEOYgKk - {A42D19EC-0E87-B346-837B-1B989BAC8FC8} - C:\WINDOWS\system32\mmya.dll (file missing)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\system32\Aacahapc.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 12127 bytes


#2 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 07 September 2007 - 02:28 AM

Hello,

We're not finished here yet since malware is still active and running.

First of all, I see you have Pokerstars installed.
If you didn't install it with the intention of playing it, I suggest you uninstall it, because in most cases these programs are supported by malware, get installed without asking for it and also lead you to sites where malware is lurking.
If you do play it, then leave it alone.

Please disable SpySweeper, as it may hinder the removal of some HijackThis entries. You can re-enable it after you're clean.

To disable SpySweeper:

Open it, click > Options over to the left then > click the Program tab > Uncheck "Start Spy Sweeper at Windows startup".
Over to the left click "shields"
  • Click the "Internet Explorer" tab and uncheck all there.
  • Click the "Windows System" tab and uncheck all there.
  • Click the "Host File" tab and uncheck all there.
  • Click the "Startup Programs" tab and uncheck "Startup Items Shield".
Remember after your system is clean to re-enable Spy Sweeper.

Then, * Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {39C6B6C8-E01E-3175-B583-04FDA1EE088B} - C:\PROGRAM FILES\JEOKAYCN\CUFIIBBJ.DLL
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [kvslypyp] rundll32.exe "C:\Program Files\kvslypyp\mtqhsnox.dll",Init
O4 - HKLM\..\Run: [lajixexm] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lajixexm.dll"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [Tbsa] "C:\PROGRA~1\SSEMBL~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [Gufms] C:\WINDOWS\?dobe\w?nspool.exe
O20 - Winlogon Notify: winepi32 - winepi32.dll (file missing)
O21 - SSODL: qbkJOEOYgKk - {A42D19EC-0E87-B346-837B-1B989BAC8FC8} - C:\WINDOWS\system32\mmya.dll (file missing)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\system32\Aacahapc.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, * Download ComboFix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
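The helper's selection above follows a few recognisable patterns in the HijackThis lines: BHOs with no name and no file, Run entries that load a DLL via rundll32 from a random folder or unregister one with regsvr32 /u, paths HijackThis prints with '?', and Winlogon Notify / SSODL entries whose DLL is missing. This added example (not BleepingComputer's, the helper's or Trend Micro's own code) parses those line formats and applies the same heuristics to a constructed subset of the log in this thread; the heuristics are assumptions for illustration, and a "(no name)" BHO with a file present is only marked for review, since the Spybot SDHelper.dll line shows a tool cannot settle that without knowing the publisher.

```python
"""Triage helper for HijackThis log lines (illustrative heuristics, not a signature database)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39C6B6C8-E01E-3175-B583-04FDA1EE088B} - C:\PROGRAM FILES\JEOKAYCN\CUFIIBBJ.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [kvslypyp] rundll32.exe "C:\Program Files\kvslypyp\mtqhsnox.dll",Init
O4 - HKLM\..\Run: [lajixexm] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lajixexm.dll"
O4 - HKCU\..\Run: [Gufms] C:\WINDOWS\?dobe\w?nspool.exe
O20 - Winlogon Notify: winepi32 - winepi32.dll (file missing)
O21 - SSODL: qbkJOEOYgKk - {A42D19EC-0E87-B346-837B-1B989BAC8FC8} - C:\WINDOWS\system32\mmya.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Line formats as HijackThis 2.0 prints them (O23 and others are deliberately not triaged here).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")

_LEVELS = {"ok": 0, "review": 1, "fix": 2}


@dataclass
class Entry:
    section: str                      # "O2", "O4", "O20" or "O21"
    ident: str                        # CLSID for O2, the value/notify name otherwise
    target: str                       # command line or DLL path exactly as logged
    level: str = "ok"                 # "ok", "review" or "fix"
    reasons: List[str] = field(default_factory=list)

    def flag(self, level: str, reason: str) -> None:
        """Raise the entry's level (never lower it) and record why."""
        if _LEVELS[level] > _LEVELS[self.level]:
            self.level = level
        self.reasons.append(reason)


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HijackThis line into a triaged Entry, or None for sections not handled."""
    if m := O2_RE.match(line):
        e = Entry("O2", m["clsid"], m["path"])
        if m["name"] == "(no name)":
            if m["path"] == "(no file)":
                e.flag("fix", "BHO registered with no name and no file on disk (orphaned load point)")
            else:
                e.flag("review", "BHO with no name: confirm the DLL's publisher before removing")
        return e
    if m := O4_RE.match(line):
        cmd = m["cmd"]
        e = Entry("O4", m["name"], cmd)
        first = cmd.lstrip('"').split()[0].strip('"').lower()   # program the Run value launches
        if first in ("rundll32.exe", "rundll32"):
            dll = re.search(r'([A-Za-z]:\\[^",]+\.dll)', cmd, re.I)
            if dll and "\\system32\\" not in dll.group(1).lower():
                e.flag("fix", "rundll32 loads a DLL from outside system32 at every logon")
        if first in ("regsvr32.exe", "regsvr32") and " /u " in cmd.lower():
            e.flag("fix", "Run entry unregisters a DLL (regsvr32 /u) at every logon")
        if "?" in cmd:
            e.flag("fix", "path contains characters HijackThis could not print ('?'): look-alike folder name")
        return e
    for sec, rx in (("O20", O20_RE), ("O21", O21_RE)):
        if m := rx.match(line):
            e = Entry(sec, m["name"], m["path"])
            if m["path"].endswith("(file missing)"):
                e.flag("fix", f"{sec} load point whose DLL is missing: stale registration left behind")
            return e
    return None


def triage(log: str) -> List[Entry]:
    """Parse every recognised line of a HijackThis log."""
    entries = []
    for line in log.splitlines():
        e = parse_line(line.strip())
        if e is not None:
            entries.append(e)
    return entries


def idents_at(entries: List[Entry], level: str) -> set:
    """Identifiers of all entries at exactly the given level."""
    return {e.ident for e in entries if e.level == level}


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        if e.level != "ok":
            print(f"[{e.level:6}] {e.section} {e.ident}: {'; '.join(e.reasons)}")
```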

#3 playforfun23

  • Topic Starter

  • Members
  • 9 posts

Posted 07 September 2007 - 02:54 PM

Hello and thanks for responding. I did install PokerStars so that's ok. Also I followed your instructions and here are the results:

COMBOFIX:

ComboFix 07-08-30.3 - "hp" 2007-09-05 19:30:55.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.791 [GMT -4:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\drivers\runtime2.sys


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_RUNTIME2


((((((((((((((((((((((((( Files Created from 2007-08-05 to 2007-09-05 )))))))))))))))))))))))))))))))


2007-09-05 18:48 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-05 18:40 <DIR> d-------- C:\bintheredunthat
2007-09-05 18:22 <DIR> d-------- C:\BFU
2007-09-05 16:46 <DIR> d---s---- C:\DOCUME~1\NETWOR~1\Temporary Internet Files
2007-09-05 16:46 <DIR> d---s---- C:\DOCUME~1\NETWOR~1\History
2007-09-05 13:31 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-05 13:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-05 13:31 <DIR> d-------- C:\DOCUME~1\hp\APPLIC~1\SUPERAntiSpyware.com
2007-09-05 13:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-05 12:25 955,437 ---hs---- C:\WINDOWS\system32\ycbeg.bak2
2007-09-05 12:18 <DIR> d---s---- C:\DOCUME~1\hp\UserData
2007-09-05 12:14 <DIR> d-------- C:\DOCUME~1\hp\APPLIC~1\WinRAR
2007-09-05 03:38 56 --a------ C:\WINDOWS\system32\V0503365.dat
2007-09-05 03:13 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-09-05 03:10 23,040 --------- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-09-05 03:10 16,896 --------- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-09-05 03:10 128,896 --------- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-09-05 03:06 <DIR> d-------- C:\Rustbfix
2007-09-05 03:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-05 02:07 1,775 --a------ C:\WINDOWS\mozver.dat
2007-09-05 02:06 <DIR> d-------- C:\DOCUME~1\hp\APPLIC~1\Netscape
2007-09-05 01:08 <DIR> d---s---- C:\DOCUME~1\LOCALS~1\Temporary Internet Files
2007-09-05 01:08 <DIR> d---s---- C:\DOCUME~1\LOCALS~1\History
2007-09-05 01:06 102,912 --a------ C:\WINDOWS\system32\islzma.dll
2007-09-05 01:05 428,032 --a------ C:\WINDOWS\WRServices.dll
2007-09-05 01:04 <DIR> d-------- C:\Program Files\Webroot
2007-09-05 01:04 <DIR> d-------- C:\DOCUME~1\hp\APPLIC~1\Webroot
2007-09-05 01:01 <DIR> d-------- C:\Program Files\AntispyStorm
2007-09-05 00:47 <DIR> d-------- C:\Program Files\e-zshopper
2007-09-05 00:47 <DIR> d-------- C:\Program Files\Accoona
2007-09-05 00:46 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-09-05 00:36 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-09-05 00:28 <DIR> d-------- C:\Program Files\PokerStars
2007-09-05 00:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-09-05 00:24 6,448 ---hs---- C:\WINDOWS\system32\ycbeg.bak1
2007-09-05 00:19 98,304 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\lajixexm.dll
2007-09-05 00:19 15,360 --a------ C:\WINDOWS\system32\drvrejr.dll
2007-09-05 00:19 <DIR> d-------- C:\Program Files\kvslypyp
2007-09-05 00:19 <DIR> d-------- C:\Program Files\Jeokaycn
2007-09-05 00:16 69,927 --a------ C:\Program Files\setup.exe
2007-09-04 21:36 <DIR> d-------- C:\Program Files\BitTorrent_DNA
2007-09-04 21:36 <DIR> d-------- C:\Program Files\BitTorrent
2007-09-04 21:36 <DIR> d-------- C:\DOCUME~1\hp\APPLIC~1\BitTorrent DNA
2007-09-04 21:36 <DIR> d-------- C:\DOCUME~1\hp\APPLIC~1\BitTorrent
2007-09-04 21:31 <DIR> d-------- C:\Program Files\DivX
2007-09-04 21:04 <DIR> d-------- C:\DOCUME~1\hp\Contacts
2007-09-04 21:04 <DIR> d-------- C:\DOCUME~1\hp\APPLIC~1\Google
2007-09-04 21:03 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-09-04 21:03 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-09-04 21:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Live Toolbar
2007-09-04 21:02 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-09-04 21:02 <DIR> d-------- C:\Program Files\MSN Messenger
2007-08-28 18:58 <DIR> d---s---- C:\DOCUME~1\hp\Temporary Internet Files
2007-08-28 18:58 <DIR> d---s---- C:\DOCUME~1\hp\History
2007-08-28 18:57 <DIR> d-------- C:\DOCUME~1\hp\APPLIC~1\Symantec


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-05 19:33 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-05 12:16 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-05 02:01 --------- d-------- C:\Program Files\Google
2007-09-05 00:56 --------- d-------- C:\Program Files\Norton Internet Security
2007-09-05 00:47 9728 --a------ C:\WINDOWS\ngd.dll
2007-09-05 00:47 9216 --a------ C:\WINDOWS\jd2002.dll
2007-09-05 00:47 32256 --a------ C:\WINDOWS\kkcomp.dll
2007-09-05 00:47 31232 --a------ C:\WINDOWS\eventlowg.dll
2007-09-05 00:47 30464 --a------ C:\WINDOWS\kvnab$.exe
2007-09-05 00:47 28928 --a------ C:\WINDOWS\cbinst$.exe
2007-09-05 00:47 28416 --a------ C:\WINDOWS\liqad.dll
2007-09-05 00:47 28160 --a------ C:\WINDOWS\settn.dll
2007-09-05 00:47 27904 --a------ C:\WINDOWS\xxxvideo.exe
2007-09-05 00:47 25856 --a------ C:\WINDOWS\wbeCheck.exe
2007-09-05 00:47 25088 --a------ C:\WINDOWS\liqui-Uninstaller.exe
2007-09-05 00:47 24832 --a------ C:\WINDOWS\kkcomp.exe
2007-09-05 00:47 24064 --a------ C:\WINDOWS\kvnab.exe
2007-09-05 00:47 22272 --a------ C:\WINDOWS\system32\ace16win.dll
2007-09-05 00:47 21248 --a------ C:\WINDOWS\daxtime.dll
2007-09-05 00:47 20736 --a------ C:\WINDOWS\liqad$.exe
2007-09-05 00:47 19456 --a------ C:\WINDOWS\liqui.dll
2007-09-05 00:47 19456 --a------ C:\WINDOWS\kvnab.dll
2007-09-05 00:47 19200 --a------ C:\WINDOWS\adbar.dll
2007-09-05 00:47 18944 --a------ C:\WINDOWS\xadbrk.exe
2007-09-05 00:47 18944 --a------ C:\WINDOWS\hotporn.exe
2007-09-05 00:47 17408 --a------ C:\WINDOWS\xadbrk_.exe
2007-09-05 00:47 17408 --a------ C:\WINDOWS\pbsysie.dll
2007-09-05 00:47 16896 --a------ C:\WINDOWS\iexplorr23.dll
2007-09-05 00:47 15872 --a------ C:\WINDOWS\xadbrk.dll
2007-09-05 00:47 15872 --a------ C:\WINDOWS\fhfmm-Uninstaller.exe
2007-09-05 00:47 15616 --a------ C:\WINDOWS\hcwprn.exe
2007-09-05 00:47 15104 --a------ C:\WINDOWS\liqad.exe
2007-09-05 00:47 14592 --a------ C:\WINDOWS\wbeInst$.exe
2007-09-05 00:47 14336 --a------ C:\WINDOWS\dp0.dll
2007-09-05 00:47 14080 --a------ C:\WINDOWS\spredirect.dll
2007-09-05 00:47 14080 --a------ C:\WINDOWS\kkcomp$.exe
2007-09-05 00:47 12288 --a------ C:\WINDOWS\ie_32.exe
2007-09-05 00:47 12288 --a------ C:\WINDOWS\fhfmm.exe
2007-09-05 00:47 11008 --a------ C:\WINDOWS\liqui.exe
2007-09-05 00:19 8852 --a------ C:\WINDOWS\system32\drivers\download_btn.jpg
2007-09-05 00:19 877 --a------ C:\WINDOWS\system32\drivers\header_red_bg.gif
2007-09-05 00:19 838 --a------ C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
2007-09-05 00:19 821 --a------ C:\WINDOWS\system32\drivers\shadow_bg.gif
2007-09-05 00:19 72 --a------ C:\WINDOWS\system32\drivers\bg_bg.gif
2007-09-05 00:19 64 --a------ C:\WINDOWS\system32\drivers\close_ico.gif
2007-09-05 00:19 4448 --a------ C:\WINDOWS\system32\drivers\download_now_btn.gif
2007-09-05 00:19 4008 --a------ C:\WINDOWS\system32\drivers\rating.gif
2007-09-05 00:19 3552 --a------ C:\WINDOWS\system32\drivers\cell_header_remove.gif
2007-09-05 00:19 3479 --a------ C:\WINDOWS\system32\drivers\cell_header_scan.gif
2007-09-05 00:19 3313 --a------ C:\WINDOWS\system32\drivers\cell_header_block.gif
2007-09-05 00:19 3216 --a------ C:\WINDOWS\system32\drivers\header_red_free_scan.gif
2007-09-05 00:19 3031 --a------ C:\WINDOWS\system32\drivers\spyware_detected.gif
2007-09-05 00:19 26487 --a------ C:\WINDOWS\system32\drivers\screenshot.jpg
2007-09-05 00:19 1743 --a------ C:\WINDOWS\system32\drivers\remove_spyware_header.gif
2007-09-05 00:19 16977 --a------ C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
2007-09-05 00:19 16941 --a------ C:\WINDOWS\system32\drivers\icon_warning_big.gif
2007-09-05 00:19 1381 --a------ C:\WINDOWS\system32\drivers\warning_ico.gif
2007-09-05 00:19 1373 --a------ C:\WINDOWS\system32\drivers\cell_footer.gif
2007-09-05 00:19 1342 --a------ C:\WINDOWS\system32\drivers\cell_bg.gif
2007-09-05 00:19 1014 --a------ C:\WINDOWS\system32\drivers\yellow_warning_ico.gif
2007-09-05 00:14 14336 --a------ C:\WINDOWS\system32\svchost.exe
2007-09-05 00:14 14336 --a------ C:\WINDOWS\system32\dllcache\svchost.exe
2007-08-28 18:57 1682 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_NTBK_HP Pavilion dv2000 (EZ649UA#ABL)_YN_0Pavi_Q2CE6271CNJ_E412558DB2_46_I30B5_SHP_V62.41_BF.07_T060622_WXH2_L409_M959_J80_7AMD_8Turion 64 X2_91.61_#060806_N14E44311_(EZ649UA#ABL)_XMOBILE_CN10_Z_2_G10DE0244.MRK
2007-08-28 18:52 --------- d-------- C:\Program Files\HPQ
2007-08-28 18:27 --------- d-------- C:\Program Files\WildTangent
2007-08-28 18:27 --------- d-------- C:\Program Files\Synaptics
2007-08-28 18:27 --------- d-------- C:\Program Files\Symantec
2007-08-28 18:27 --------- d-------- C:\Program Files\Sonic
2007-08-28 18:25 --------- d-------- C:\Program Files\NetWaiting
2007-08-28 18:25 --------- d-------- C:\Program Files\Netscape
2007-08-28 18:25 --------- d-------- C:\Program Files\muvee Technologies
2007-08-28 18:25 --------- d-------- C:\Program Files\MSN Encarta Plus
2007-08-28 18:25 --------- d-------- C:\Program Files\Microsoft.NET
2007-08-28 18:25 --------- d-------- C:\Program Files\Microsoft Works
2007-08-28 18:24 --------- d-------- C:\Program Files\Microsoft Office Trial Wizard
2007-08-28 18:24 --------- d-------- C:\Program Files\Microsoft Money 2006
2007-08-28 18:23 --------- d-------- C:\Program Files\microsoft frontpage
2007-08-28 18:23 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-08-28 18:23 --------- d-------- C:\Program Files\Hp
2007-08-28 18:22 --------- d-------- C:\Program Files\Hewlett-Packard
2007-08-28 18:22 --------- d-------- C:\Program Files\DIFX
2007-08-28 18:22 --------- d-------- C:\Program Files\CONEXANT
2007-08-28 18:22 --------- d-------- C:\Program Files\Common Files\TiVo Shared
2007-08-28 18:21 --------- d-------- C:\Program Files\Common Files\SureThing Shared
2007-08-28 18:21 --------- d-------- C:\Program Files\Common Files\Sonic Shared
2007-08-28 18:21 --------- d-------- C:\Program Files\Common Files\muvee Technologies
2007-08-28 18:21 --------- d-------- C:\Program Files\Common Files\LightScribe
2007-08-28 18:20 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-08-28 18:20 --------- d-------- C:\Program Files\Common Files\HP
2007-08-28 18:18 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-28 18:18 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sonic
2007-08-28 18:18 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SBSI
2007-08-28 18:18 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
2007-08-28 18:18 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
2007-08-28 18:18 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-07-30 22:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 22:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 22:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 22:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 22:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39C6B6C8-E01E-3175-B583-04FDA1EE088B}]
2007-09-05 00:19 98304 --a------ C:\PROGRAM FILES\JEOKAYCN\CUFIIBBJ.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-11 01:03]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 22:49]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-21 10:16]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 07:29 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 01:46]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-04-12 00:54]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 02:11]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-09-17 10:27]
"IS CfgWiz"="c:\Program Files\Norton Internet Security\cfgwiz.exe" [2005-09-30 08:33]
"SSC_UserPrompt"="c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-03 02:59]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 14:38]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-01-26 19:18]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" []
"kvslypyp"="C:\Program Files\kvslypyp\mtqhsnox.dll" [2007-09-05 00:19]
"lajixexm"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\lajixexm.dll" []
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2005-07-06 16:16]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-05 01:23]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 15:54]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-05 02:02]
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" []
"Tbsa"="C:\PROGRA~1\SSEMBL~1\ati2evxx.exe" []
"Gufms"="C:\WINDOWS\?dobe\w?nspool.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"qbkJOEOYgKk"= {A42D19EC-0E87-B346-837B-1B989BAC8FC8} - C:\WINDOWS\system32\mmya.dll [ ]
"Internet Explorer"= {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\system32\Aacahapc.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winepi32]
winepi32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\gebcy

R3 HBtnKey;HBtnKey;C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\INSTALL.EXE

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-09-05 22:27:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
2007-09-05 05:16:42 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - hp.job - c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
2006-08-07 00:25:08 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-05 19:34:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????U????????@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-05 19:37:08 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-05 19:37

--- E O F ---

HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:46, on 2007-09-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SSC_UserPrompt] "c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?c0583d8e961641ca945821d772521c10
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?c0583d8e961641ca945821d772521c10
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8528 bytes

Edited by playforfun23, 07 September 2007 - 02:55 PM.


#4 miekiemoes
Malware Killer Dog
Malware Response Team; 19,420 posts; Gender: Female; Location: Belgium

Posted 07 September 2007 - 03:18 PM

Hi,

Your logs are confusing since you didn't perform my steps in the right order.

There was no need to perform this in safe mode either. So please perform my instructions in Windows Normal mode.

First of all, I notice from the log that more than one Anti-Virus program is running with Auto-protect enabled: AVG Antivirus and Norton.
Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will seriously decrease the reliability of it!
The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.
Also, because multiple installed Antivirus and Firewall products are not compatible with each other, they can cause system performance problems and a serious system slowdown.

So you have to make a decision here and keep the Antivirus you prefer and uninstall the other one.
Then reboot after uninstalling.

I don't have a good feeling here when I see your ComboFix log. Not only because your system is terribly infected, but also because I have the feeling that you are dealing with a file infector :thumbsup:
This is because I see a lot of folders that have been modified lately, and they all have the same datestamp. Unless you have been messing with system restore/backups etc.

Anyway, we'll figure that out later. If you are indeed dealing with a file infector, then I would rather suggest you format and reinstall Windows instead. This is because file infectors patch legit files as well, and even if scanners are able to disinfect, some files may still stay corrupted.

Also, I see you are dealing with a lot of other nasty infections. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it would be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.
To be honest, now that I see this log: if that were my computer, I would format and reinstall ASAP, because I know what damage these infections cause, and you are not dealing with a single infection but with several nasty infections.

Anyway, please do the following:


* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

File::
C:\WINDOWS\system32\ycbeg.bak2
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\ycbeg.bak1
C:\DOCUME~1\ALLUSE~1\APPLIC~1\lajixexm.dll
C:\WINDOWS\system32\drvrejr.dll
C:\Program Files\setup.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\xxxvideo.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab.exe
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\daxtime.dll
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\kvnab.dll
C:\WINDOWS\adbar.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\liqad.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\dp0.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\liqui.exe
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\bg_bg.gif
C:\WINDOWS\system32\drivers\close_ico.gif
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\spyware_detected.gif
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\remove_spyware_header.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\icon_warning_big.gif
C:\WINDOWS\system32\drivers\warning_ico.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\yellow_warning_ico.gif

Folder::
C:\Program Files\WildTangent
C:\Program Files\kvslypyp
C:\Program Files\Jeokaycn
C:\Rustbfix
C:\Program Files\AntispyStorm
C:\Program Files\e-zshopper
C:\Program Files\Accoona
C:\bintheredunthat

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecGuard"=-
"kvslypyp"=-
"lajixexm"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"=-
"Tbsa"=-
"Gufms"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"qbkJOEOYgKk"=-
"Internet Explorer"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winepi32]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
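As an added example (not from the thread, and not ComboFix's own code): the `Registry::` part of the CFScript above resets the LSA `Authentication Packages` value by writing REG_MULTI_SZ bytes in `.reg`-style `hex(7):` notation, replacing the `msv1_0 C:\\WINDOWS\\system32\\gebcy` value ComboFix reported. The Python below decodes and rebuilds that notation, parses the ComboFix report line, and flags any package beyond the stock `msv1_0`; the allow-list and the single-byte (REGEDIT4-style) encoding of the CFScript value are my assumptions, inferred from the bytes shown in the thread.

```python
"""Decode/encode REG_MULTI_SZ values written in .reg 'hex(7):' notation and
audit the LSA 'Authentication Packages' list against a known-good set.

Added example, not part of the original thread or of ComboFix. The sample
values below are copied from the thread's ComboFix log and CFScript; the
allow-list is an assumption (a stock Windows XP install lists only msv1_0).
"""
from __future__ import annotations

from typing import Iterable, List

# Two encodings occur in .reg files: REGEDIT4 stores strings as single-byte
# ANSI, "Windows Registry Editor Version 5.00" stores them as UTF-16LE.
# The CFScript value in the thread (6d,73,76,31,5f,30,00,00) is single-byte.
ENCODINGS = {"regedit4": "latin-1", "v5": "utf-16-le"}

# Assumption: the only authentication package on a stock XP machine.
KNOWN_GOOD_PACKAGES = {"msv1_0"}


def decode_multi_sz(hex7: str, fmt: str = "regedit4") -> List[str]:
    """Turn 'hex(7):6d,73,...' into the list of strings it encodes.

    REG_MULTI_SZ is a run of NUL-terminated strings closed by one extra NUL.
    """
    if hex7.lower().startswith("hex(7):"):
        hex7 = hex7[len("hex(7):"):]
    # .reg files may wrap long values with a trailing backslash; tolerate it.
    cleaned = hex7.replace("\\", "").replace("\n", "").replace(" ", "")
    raw = bytes(int(b, 16) for b in cleaned.split(",") if b)
    text = raw.decode(ENCODINGS[fmt])
    # Split on the per-string terminators and drop the list terminator.
    return [s for s in text.split("\x00") if s]


def encode_multi_sz(items: Iterable[str], fmt: str = "regedit4") -> str:
    """Inverse of decode_multi_sz: produce the 'hex(7):...' notation."""
    text = "".join(f"{s}\x00" for s in items) + "\x00"
    raw = text.encode(ENCODINGS[fmt])
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def parse_combofix_lsa_line(line: str) -> List[str]:
    """Split ComboFix's '"Authentication Packages"= a b' report line.

    ComboFix lists the MULTI_SZ elements space-separated with doubled
    backslashes, as in the thread's line; a whitespace split is enough for
    that listing (assumption: no element contains a space).
    """
    _, _, value = line.partition("=")
    return [p.replace("\\\\", "\\") for p in value.split()]


def audit_auth_packages(packages: Iterable[str]) -> List[str]:
    """Return entries not on the allow-list.

    Anything listed here is loaded into lsass.exe at boot and sees every
    logon, which is why the CFScript rewrites the value to msv1_0 only.
    """
    return [p for p in packages if p.strip().lower() not in KNOWN_GOOD_PACKAGES]


# Line ComboFix reported on the infected machine (copied from the thread).
COMBOFIX_LINE = r'"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\gebcy'
# Value the CFScript writes back (copied from the thread).
FIX_LINE = "hex(7):6d,73,76,31,5f,30,00,00"

if __name__ == "__main__":
    infected = parse_combofix_lsa_line(COMBOFIX_LINE)
    print("reported packages:", infected)
    print("flagged:", audit_auth_packages(infected))
    print("fix decodes to:", decode_multi_sz(FIX_LINE))
    print("re-encoded (REGEDIT4):", encode_multi_sz(["msv1_0"]))
    print("re-encoded (v5.00):", encode_multi_sz(["msv1_0"], "v5"))
```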

#5 playforfun23 (Topic Starter)
Members; 9 posts

Posted 08 September 2007 - 03:11 PM

Hello, I removed one of the anti-virus programs. The reason I ran it in safe mode is because every time I try to open HijackThis in normal mode I get an error message saying "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Also my AVG program keeps popping up saying there is a virus located in "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" - Virus identified Worm/Generic.DHT

#6 miekiemoes
Malware Killer Dog
Malware Response Team; 19,420 posts; Gender: Female; Location: Belgium

Posted 08 September 2007 - 03:29 PM

This is a false positive from AVG. Nothing is wrong with HijackThis. I've already contacted AVG about this false detection, so normally they should fix this ASAP.
Please update your AVG and let me know if it's still flagging it as Worm/Generic.DHT

Also perform the rest of my steps with ComboFix - because those steps don't need HijackThis :thumbsup:

#7 playforfun23 (Topic Starter)
Members; 9 posts

Posted 08 September 2007 - 03:52 PM

OK, I have both completed:

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:57, on 2007-09-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?c0583d8e961641ca945821d772521c10
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?c0583d8e961641ca945821d772521c10
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

--
End of file - 7101 bytes

ComboFix:

ComboFix 07-09-08 - "hp" 2007-09-09 4:55:40.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.602 [GMT -4:00]
Command switches used :: C:\Documents and Settings\hp\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\ycbeg.bak2
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\ycbeg.bak1
C:\DOCUME~1\ALLUSE~1\APPLIC~1\lajixexm.dll
C:\WINDOWS\system32\drvrejr.dll
C:\Program Files\setup.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\xxxvideo.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab.exe
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\daxtime.dll
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\kvnab.dll
C:\WINDOWS\adbar.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\liqad.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\dp0.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\liqui.exe
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\bg_bg.gif
C:\WINDOWS\system32\drivers\close_ico.gif
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\spyware_detected.gif
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\remove_spyware_header.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\icon_warning_big.gif
C:\WINDOWS\system32\drivers\warning_ico.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\yellow_warning_ico.gif
.

((((((((((((((((((((((((( Files Created from 2007-08-09 to 2007-09-09 )))))))))))))))))))))))))))))))
.

2007-09-06 19:23 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-06 18:02 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-06 18:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-06 00:00 <DIR> d-------- C:\DOCUME~1\hp\APPLIC~1\HP
2007-09-05 23:52 <DIR> d-------- C:\DOCUME~1\hp\APPLIC~1\DivX
2007-09-05 23:23 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-09-05 23:23 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-09-05 23:23 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-09-05 22:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-05 20:50 <DIR> d-------- C:\Program Files\QuickTime
2007-09-05 20:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-09-05 20:49 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-05 20:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-09-05 20:45 <DIR> d-------- C:\Program Files\Veoh Networks
2007-09-05 18:48 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-05 18:22 <DIR> d-------- C:\BFU
2007-09-05 16:46 <DIR> d---s---- C:\DOCUME~1\NETWOR~1\Temporary Internet Files
2007-09-05 16:46 <DIR> d---s---- C:\DOCUME~1\NETWOR~1\History
2007-09-05 13:31 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-05 13:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-05 13:31 <DIR> d-------- C:\DOCUME~1\hp\APPLIC~1\SUPERAntiSpyware.com
2007-09-05 13:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-05 12:18 <DIR> d---s---- C:\DOCUME~1\hp\UserData
2007-09-05 12:14 <DIR> d-------- C:\DOCUME~1\hp\APPLIC~1\WinRAR
2007-09-05 03:38 56 --a------ C:\WINDOWS\system32\V0503365.dat
2007-09-05 03:13 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-09-05 03:10 23,040 --------- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-09-05 03:10 16,896 --------- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-09-05 03:10 128,896 --------- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-09-05 03:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-05 02:07 1,921 --a------ C:\WINDOWS\mozver.dat
2007-09-05 02:06 <DIR> d-------- C:\DOCUME~1\hp\APPLIC~1\Netscape
2007-09-05 01:08 <DIR> d---s---- C:\DOCUME~1\LOCALS~1\Temporary Internet Files
2007-09-05 01:08 <DIR> d---s---- C:\DOCUME~1\LOCALS~1\History
2007-09-05 01:06 102,912 --a------ C:\WINDOWS\system32\islzma.dll
2007-09-05 01:05 428,032 --a------ C:\WINDOWS\WRServices.dll
2007-09-05 01:04 <DIR> d-------- C:\Program Files\Webroot
2007-09-05 01:04 <DIR> d-------- C:\DOCUME~1\hp\APPLIC~1\Webroot
2007-09-05 00:47 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-09-05 00:36 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-09-05 00:28 <DIR> d-------- C:\Program Files\PokerStars
2007-09-05 00:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-09-04 21:36 <DIR> d-------- C:\Program Files\BitTorrent_DNA
2007-09-04 21:36 <DIR> d-------- C:\Program Files\BitTorrent
2007-09-04 21:36 <DIR> d-------- C:\DOCUME~1\hp\APPLIC~1\BitTorrent DNA
2007-09-04 21:36 <DIR> d-------- C:\DOCUME~1\hp\APPLIC~1\BitTorrent
2007-09-04 21:31 <DIR> d-------- C:\Program Files\DivX
2007-09-04 21:04 <DIR> d-------- C:\DOCUME~1\hp\Contacts
2007-09-04 21:04 <DIR> d-------- C:\DOCUME~1\hp\APPLIC~1\Google
2007-09-04 21:03 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-09-04 21:03 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-09-04 21:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Live Toolbar
2007-09-04 21:02 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-09-04 21:02 <DIR> d-------- C:\Program Files\MSN Messenger
2007-08-28 18:58 <DIR> d---s---- C:\DOCUME~1\hp\Temporary Internet Files
2007-08-28 18:58 <DIR> d---s---- C:\DOCUME~1\hp\History
2007-08-28 18:57 <DIR> d-------- C:\DOCUME~1\hp\APPLIC~1\Symantec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-09 02:47 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-09 02:47 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-09-06 14:26 --------- d-------- C:\Program Files\Google
2007-09-05 20:46 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-05 00:14 14336 --a------ C:\WINDOWS\system32\svchost.exe
2007-09-05 00:14 14336 --a------ C:\WINDOWS\system32\dllcache\svchost.exe
2007-08-28 18:57 1682 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_NTBK_HP Pavilion dv2000 (EZ649UA#ABL)_YN_0Pavi_Q2CE6271CNJ_E412558DB2_46_I30B5_SHP_V62.41_BF.07_T060622_WXH2_L409_M959_J80_7AMD_8Turion 64 X2_91.61_#060806_N14E44311_(EZ649UA#ABL)_XMOBILE_CN10_Z_2_G10DE0244.MRK
2007-08-28 18:52 --------- d-------- C:\Program Files\HPQ
2007-08-28 18:27 --------- d-------- C:\Program Files\Synaptics
2007-08-28 18:27 --------- d-------- C:\Program Files\Sonic
2007-08-28 18:25 --------- d-------- C:\Program Files\NetWaiting
2007-08-28 18:25 --------- d-------- C:\Program Files\Netscape
2007-08-28 18:25 --------- d-------- C:\Program Files\muvee Technologies
2007-08-28 18:25 --------- d-------- C:\Program Files\MSN Encarta Plus
2007-08-28 18:25 --------- d-------- C:\Program Files\Microsoft.NET
2007-08-28 18:25 --------- d-------- C:\Program Files\Microsoft Works
2007-08-28 18:24 --------- d-------- C:\Program Files\Microsoft Office Trial Wizard
2007-08-28 18:24 --------- d-------- C:\Program Files\Microsoft Money 2006
2007-08-28 18:23 --------- d-------- C:\Program Files\microsoft frontpage
2007-08-28 18:23 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-08-28 18:23 --------- d-------- C:\Program Files\Hp
2007-08-28 18:22 --------- d-------- C:\Program Files\Hewlett-Packard
2007-08-28 18:22 --------- d-------- C:\Program Files\DIFX
2007-08-28 18:22 --------- d-------- C:\Program Files\CONEXANT
2007-08-28 18:22 --------- d-------- C:\Program Files\Common Files\TiVo Shared
2007-08-28 18:21 --------- d-------- C:\Program Files\Common Files\SureThing Shared
2007-08-28 18:21 --------- d-------- C:\Program Files\Common Files\Sonic Shared
2007-08-28 18:21 --------- d-------- C:\Program Files\Common Files\muvee Technologies
2007-08-28 18:21 --------- d-------- C:\Program Files\Common Files\LightScribe
2007-08-28 18:20 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-08-28 18:20 --------- d-------- C:\Program Files\Common Files\HP
2007-08-28 18:18 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sonic
2007-08-28 18:18 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SBSI
2007-08-28 18:18 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
2007-08-28 18:18 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
2007-08-28 18:18 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-30 22:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 22:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 22:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 22:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 22:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 22:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 22:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 22:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 22:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 22:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 22:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 22:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 22:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 22:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 22:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-26 19:06 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-26 19:06 43528 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-07-26 19:06 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-26 19:06 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-26 19:06 144704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-26 19:06 120056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-26 19:06 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-26 19:06 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-26 19:03 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-26 19:03 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-26 19:03 81920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-26 19:03 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-26 19:03 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-26 19:03 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-26 19:03 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-26 19:03 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-26 19:03 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-26 19:03 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-26 19:03 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-26 19:03 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-26 19:03 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-11 14:37 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-26 11:13 851968 --------- C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 10:09 658944 --------- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 02:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 09:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-14 14:09 96256 --------- C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-14 14:09 615424 --------- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-14 14:09 55808 --------- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-14 14:09 532480 --------- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-14 14:09 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-14 14:09 449024 --------- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-14 14:09 39424 --------- C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-14 14:09 357888 --------- C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-14 14:09 3058688 --------- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-14 14:09 251392 --------- C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-14 14:09 205312 --------- C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-14 14:09 16384 --------- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-14 14:09 151040 --------- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-14 14:09 1494528 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-14 14:09 146432 --------- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-14 14:09 1054208 --------- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-14 14:09 1023488 --------- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 10:07 18432 --------- C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-11 01:03]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 22:49]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-21 10:16]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 07:29 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 01:46]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-04-12 00:54]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 02:11]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 14:38]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-01-26 19:18]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-05 01:23]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 15:54]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2007-08-24 17:37]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-09-24 13:39:30]

R3 HBtnKey;HBtnKey;C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\INSTALL.EXE

.

Edited by playforfun23, 08 September 2007 - 03:59 PM.


#8 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 08 September 2007 - 04:07 PM

Hi,

Delete the C:\Qoobox folder and the C:\WINDOWS\system32\acespy folder.

* Download: HostsXpert
Unzip HostsXpert to its own folder, e.g. C:\HostsXpert
Start HostsXpert.exe, click 'Restore MS Hosts file' and click OK.

Then, your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 2.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 2".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.
Then * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to Start > Run, type cleanmgr and click OK.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
As a final checkup, please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta, you may receive an alert that an IE ActiveX program requires your approval. Click "Allow".
5. When the download is complete it will say Ready; click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 playforfun23

  • Topic Starter

  • Members
  • 9 posts

Posted 09 September 2007 - 02:22 AM

OK, here are the results:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, September 09, 2007 3:20:28 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 9/09/2007
Kaspersky Anti-Virus database records: 410476
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 50774
Number of viruses found: 3
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 01:03:32

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\36B12009.dll Infected: Trojan-Proxy.Win32.Agent.df skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4F322F11.dll Infected: Backdoor.Win32.Padodor.gen skipped
C:\Documents and Settings\hp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\hp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\hp\History\History.IE5\MSHist012007090920070910\index.dat Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\hp\Local Settings\Temp\~DFBD59.tmp Object is locked skipped
C:\Documents and Settings\hp\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\hp\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\hp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP12\change.log Object is locked skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP7\A0002482.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.chd skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP7\A0002482.exe NSIS: infected - 1 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#10 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 09 September 2007 - 03:57 AM

Hi,

What Kaspersky found was mainly in your Norton Quarantine and System Restore Points.

So empty the contents of the following folder:

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine

Then, flush your System Restore points:
To do this, you have to disable System Restore and enable it again afterwards.
(note: this will delete all your System Restore points and any malware that was present in them).

How to disable system restore in XP <= click me for instructions with screenshots
After you have disabled System Restore, reboot, and after rebooting enable it again, so a new System Restore point will be made. A clean one now! :thumbsup:

Let me know in your next reply how things are now...
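The triage applied in the reply above (detections that sit in the Norton quarantine or inside System Restore points are inert and get a different fix from a detection that is live on disk) can be automated over the Kaspersky Online Scanner report format. The script below is an added example, not part of the thread and not a Kaspersky or Symantec tool: it parses the report's `path Infected: name skipped`, `path NSIS: infected - N skipped` and `path Object is locked skipped` lines, buckets each detection by location, and maps each bucket to the remediation the thread prescribes. The embedded sample report is constructed from a few lines of the posted report plus one made-up live detection (C:\Program Files\Example\dropper.exe) so that the "active" bucket is exercised.

```python
"""Triage a Kaspersky Online Scanner text report (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample modelled on the report posted in the thread. The Quarantine and
# RP7 restore-point lines mirror the posted report; the dropper.exe line is made up
# so that a detection outside quarantine/restore points is present.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\36B12009.dll Infected: Trojan-Proxy.Win32.Agent.df skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4F322F11.dll Infected: Backdoor.Win32.Padodor.gen skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP7\A0002482.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.chd skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP7\A0002482.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Program Files\Example\dropper.exe Infected: Trojan-Downloader.Win32.Zlob.chd skipped
Scan process completed.
"""

LINE_RE = re.compile(
    r"^(?P<path>.+?) "                        # object path (archive members appear after '/')
    r"(?:Infected: (?P<name>\S+)"              # a named detection
    r"|(?P<container>\S+): infected - \d+"     # an archive flagged because a member is infected
    r"|Object is locked) "                     # a locked file: noise, not a detection
    r"skipped$"
)

# Remediation per location, as prescribed in the thread.
REMEDIATION = {
    "quarantine": "Empty the AV quarantine folder; the file is already neutralised.",
    "restore_point": "Flush System Restore (disable, reboot, re-enable) to drop infected restore points.",
    "active": "Live detection outside quarantine/restore points: remove it and rescan.",
}


def classify_location(path: str) -> str:
    """Bucket a detection by where it sits; the bucket decides the remediation."""
    p = path.lower()
    if "\\quarantine\\" in p:
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    return "active"


def triage(report_text: str) -> dict:
    """Parse a report; count locked objects and group real detections by location."""
    result = {"locked": 0, "unparsed": [], "by_location": defaultdict(list)}
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Infected Object Name") or line == "Scan process completed.":
            continue
        m = LINE_RE.match(line)
        if not m:
            result["unparsed"].append(line)   # keep anything unexpected visible
            continue
        if m.group("name") is None and m.group("container") is None:
            result["locked"] += 1             # "Object is locked": not a detection
            continue
        name = m.group("name") or f"{m.group('container')} archive with infected member"
        result["by_location"][classify_location(m.group("path"))].append((m.group("path"), name))
    result["by_location"] = dict(result["by_location"])
    return result


def summarize(report_text: str) -> list:
    """One line per bucket with its count and the matching remediation."""
    t = triage(report_text)
    lines = [f"locked (not detections): {t['locked']}"]
    for loc in ("active", "quarantine", "restore_point"):
        hits = t["by_location"].get(loc, [])
        lines.append(f"{loc}: {len(hits)} -> {REMEDIATION[loc]}")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_REPORT):
        print(line)
```

Run it against a saved Kaspersky text report in place of `SAMPLE_REPORT`; anything that lands in the "active" bucket is the part of the report that still needs attention, while the "locked" count explains why a report can list dozens of objects and still contain only a handful of detections.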

#11 playforfun23

  • Topic Starter

  • Members
  • 9 posts

Posted 09 September 2007 - 03:54 PM

Hey, thanks so much for all the help. :thumbsup: My computer is working very well now and I don't get any pop-up errors when I start the computer.

#12 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 09 September 2007 - 03:56 PM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

#13 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 11 September 2007 - 03:10 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



