Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help! My Computer Is Being Attacked


  • This topic is locked This topic is locked
12 replies to this topic

#1 not2simple

not2simple

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:00 AM

Posted 02 February 2008 - 04:10 PM

I have spent hours pouring over the posts, reading and rereading the information here. I have cleaned as much as I could or dared. My antivirus/internet security, Trend Micro 2007, keeps popping up a warning to close the browser because of a.doginhispen.com\148. With the cleaning the popups are fewer but still there. My computer has 5 desktops, two admin and 3 limited. Do I need to clean each desktop? Should I eliminate all but 1 to do this? The HijackThis log was run on this desktop. Any help would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:02:18 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - orer - (no file)
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {06647158-359E-4D10-A8DE-E6145DA90BE9} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [AccuWeatherDesktopAlerts] C:\Program Files\AccuWeatherDesktopAlerts\AccuWeatherDesktopAlerts.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [Road Runner PhotoShow Media Manager] C:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pcm: C:\PROGRA~1\INTERN~1\PLUGINS\NpCurMem.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: YExplorer1_8US.CAB -
O16 - DPF: {00C0A1F2-D492-4DBA-A8E2-76CB1B791724} (TNPLDownloader Control) - https://dtwx2.accuweather.com/tnpl_awda/cli...LDownloader.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} -
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...tallMgr_v01.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114w.bay114.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1187743574359
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133847430495
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182566215309
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AcDcToday.ocx
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (Yahoo! MailTo) -
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\InstFred.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AcPreview.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

--
End of file - 13573 bytes

What I would like to do is ground hubby and kids from my computer, but that is impossible.

Thanks!

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:00 PM

Posted 05 February 2008 - 09:23 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum not2simple
My name is Richie and i'll be helping you to fix your problems.

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 4'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation jre-6u4-windows-i586-p.exe' [15.12 MB] and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.


If you have previously downloaded ComboFix,please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert,NOT for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix by sUBs and save to your desktop.
Alternative Combofix download link HERE.
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.
Posted Image
Posted Image

#3 not2simple

not2simple
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:00 AM

Posted 05 February 2008 - 09:42 AM

:thumbsup: Thank you Richie, I will be back as soon as I get this done.

#4 not2simple

not2simple
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:00 AM

Posted 05 February 2008 - 08:21 PM

Hope I did everything like I should. Here are the logs from ComboFix and Hijackthis:

ComboFix 08-02.05.3 - xyz 2008-02-05 18:29:14.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.81 [GMT -6:00]
Running from: C:\Documents and Settings\xyz\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\start.exe
C:\WINDOWS\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-02-05 13:07 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-02-02 23:51 . 2008-02-02 23:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-02-02 23:51 . 2008-02-03 00:41 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-02-02 23:51 . 2008-02-03 00:41 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-02-02 23:51 . 2008-02-03 00:41 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-02-01 15:39 . 2008-02-01 15:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-25 14:41 . 2008-01-25 14:41 0 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SET2.tmp
2008-01-24 09:13 . 2008-01-24 09:13 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-01-24 06:42 . 2008-01-30 15:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-24 06:42 . 2008-01-24 06:42 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-20 23:20 . 2008-01-20 23:20 <DIR> d-------- C:\Program Files\iPod
2008-01-17 14:29 . 2008-01-17 14:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-01-17 14:23 . 2008-01-17 14:31 102,416 --a------ C:\WINDOWS\hpqins13.dat
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 06:51 42,496 --sha-w C:\Program Files\Thumbs.db
2007-12-30 20:08 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-18 05:35 --------- d-----w C:\Program Files\iTunes
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
2007-12-12 01:16 --------- d-----w C:\Program Files\Setup NetZero
2007-12-09 20:35 127,704 ----a-w C:\Documents and Settings\xyz\Application Data\GDIPFONTCACHEV1.DAT
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\dllcache\lsasrv.dll
2007-03-07 23:41 0 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
2007-03-07 23:40 0 ---ha-w C:\Documents and Settings\Kari Bjaastad\hpothb07.dat
2007-02-24 05:46 318 ---ha-w C:\Documents and Settings\xyz\hpothb07.dat
2007-02-06 02:56 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-02-04 06:02 4,958 ----a-w C:\Program Files\sdsk.dfm
2007-01-25 22:23 0 ---ha-w C:\Documents and Settings\Erika Bjaastad\hpothb07.dat
2006-10-21 05:14 57,344 ----a-w C:\Documents and Settings\xyz\iSetupNI.dll
2006-05-19 04:45 440 ----a-w C:\Program Files\acad2000i.cfg
2006-05-19 04:45 15 ----a-w C:\Program Files\acadmap.sys
2006-05-19 04:41 857 ----a-w C:\Program Files\lddt.arg
2006-05-19 04:41 572 ----a-w C:\Program Files\map.arg
2006-05-19 04:40 92 ----a-w C:\Program Files\acadmaps.cfg
2006-05-19 04:40 6,791,227 ----a-w C:\Program Files\acad.exe
2006-02-24 16:01 0 ---ha-w C:\Documents and Settings\Lacey Mathis\hpothb07.dat
2006-02-20 01:53 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2006-01-31 05:27 0 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2006-01-27 17:40 0 ---ha-w C:\Documents and Settings\Jeffrey Bjaastad\hpothb07.dat
2006-01-27 17:40 0 ---ha-w C:\Documents and Settings\Guest\hpothb07.dat
2005-12-07 05:30 111 ----a-w C:\Documents and Settings\xyz\Application Data\fusioncache.dat
2005-11-29 00:19 271 --sh--w C:\Program Files\desktop.ini
2005-11-29 00:19 23,357 ---h--w C:\Program Files\folder.htt
2005-08-06 22:58 491 ----a-w C:\Program Files\FTW.ini
2004-06-19 01:52 17,480 ---ha-w C:\Program Files\hpothb07.dat
2004-06-19 01:44 169,729 ---ha-w C:\Program Files\hpothb07.tif
2004-05-19 21:01 170,126 ---ha-w C:\Program Files\Ftw32.GID
2003-02-22 23:13 290 ----a-w C:\Program Files\Shortcut to Kyodai.lnk
2003-02-13 01:07 3,617 ----a-w C:\Program Files\DeIsL2.isu
2003-01-09 14:38 3,393 ----a-w C:\Program Files\DEISL1.ISU
2003-01-09 14:36 419 ----a-w C:\Program Files\DALMAT.INI
2001-10-30 15:00 77,824 ----a-w C:\Program Files\lffax10N.dll
2001-10-30 15:00 58,368 ----a-w C:\Program Files\lfwmf10N.dll
2001-10-30 15:00 56,320 ----a-w C:\Program Files\lfpsd10N.dll
2001-10-30 15:00 35,840 ----a-w C:\Program Files\lttwn10N.dll
2001-10-30 15:00 35,840 ----a-w C:\Program Files\lflma10N.dll
2001-10-30 15:00 34,304 ----a-w C:\Program Files\lfbmp10N.dll
2001-10-30 15:00 338,944 ----a-w C:\Program Files\lffpx7.dll
2001-10-30 15:00 33,280 ----a-w C:\Program Files\lfpcx10N.dll
2001-10-30 15:00 31,744 ----a-w C:\Program Files\lflmb10N.dll
2001-10-30 15:00 297,472 ----a-w C:\Program Files\ltkrn10N.dll
2001-10-30 15:00 27,136 ----a-w C:\Program Files\lfimg10N.dll
2001-10-30 15:00 266,752 ----a-w C:\Program Files\LFCMP10N.DLL
2001-10-30 15:00 26,112 ----a-w C:\Program Files\lfpcd10N.dll
2001-10-30 15:00 231,424 ----a-w C:\Program Files\LTDIS10N.dll
2001-10-30 15:00 212,480 ----a-w C:\Program Files\PCDLIB32.DLL
2001-10-30 15:00 122,368 ----a-w C:\Program Files\lftif10N.dll
2001-10-30 15:00 116,736 ----a-w C:\Program Files\LFKODAK.DLL
2001-10-30 15:00 114,176 ----a-w C:\Program Files\ltimg10N.dll
2001-10-30 15:00 103,424 ----a-w C:\Program Files\ltfil10N.DLL
2001-10-30 15:00 100,352 ----a-w C:\Program Files\lffpx10N.dll
2000-07-14 06:47 1,261,630 ----a-w C:\Program Files\acadres.dll
2000-07-14 06:44 883 ----a-w C:\Program Files\dt_init.lsp
2000-07-14 06:44 1,641 ----a-w C:\Program Files\cg_init.lsp
2000-07-14 06:43 791 ----a-w C:\Program Files\zz_init.lsp
2000-07-14 06:43 3,483 ----a-w C:\Program Files\BuildNotes.htm
2000-07-14 06:43 3,423 ----a-w C:\Program Files\coremnl.lsp
2000-07-14 06:43 290 ----a-w C:\Program Files\cr_init.lsp
2000-07-14 06:43 2 ----a-w C:\Program Files\zzldmacs.lsp
2000-07-14 06:40 86,016 ----a-w C:\Program Files\AecCTerrainModelEnu.dll
2000-07-14 06:40 446,464 ----a-w C:\Program Files\AecCAppEnu.dll
2000-07-14 06:40 425,984 ----a-w C:\Program Files\AecCTerrainModelSvr.dll
2000-07-14 06:40 364,544 ----a-w C:\Program Files\AecCAppSvr.dll
2000-07-14 06:40 303,104 ----a-w C:\Program Files\AecCDtKernel.dll
2000-07-14 06:40 24,576 ----a-w C:\Program Files\AecDraftEnu.dll
2000-07-14 06:40 24,576 ----a-w C:\Program Files\AecCTreeMgrEnu.dll
2000-07-14 06:40 172,032 ----a-w C:\Program Files\AecCBaseSvr.dll
2000-07-14 06:40 139,264 ----a-w C:\Program Files\AecDraft.arx
2000-07-14 06:40 139,264 ----a-w C:\Program Files\AecCTreeMgr.dll
2000-07-14 06:40 12,288 ----a-w C:\Program Files\AecCDtKernelEnu.dll
2000-07-14 06:40 114,688 ----a-w C:\Program Files\AecCLSEnu.dll
2000-07-14 06:40 1,298,432 ----a-w C:\Program Files\AecCLS.arx
2000-07-14 06:40 1,085,440 ----a-w C:\Program Files\AecCApp.arx
2000-07-14 06:40 1,056,768 ----a-w C:\Program Files\AecCTerrainModel.dll
2000-07-14 06:13 106,496 ----a-w C:\Program Files\AecCBon.arx
2000-07-14 04:55 162,892 ----a-w C:\Program Files\landauto.tlb
2000-07-14 04:38 16,384 ----a-w C:\Program Files\AecCBonusEnu.dll
2000-07-03 23:18 12,717 ----a-w C:\Program Files\macros.lsp
2000-06-30 17:33 69,632 ----a-w C:\Program Files\AecLayerManagerUIenu.dll
2000-06-30 17:33 466,944 ----a-w C:\Program Files\AecLayerManagerUI20.arx
2000-06-30 17:33 24,576 ----a-w C:\Program Files\AeclLM.dbx
2000-06-30 17:32 24,576 ----a-w C:\Program Files\AeclUIU.dbx
2000-06-30 17:32 163,840 ----a-w C:\Program Files\AecUtilitiesenu.dll
2000-06-30 17:31 995,328 ----a-w C:\Program Files\AecUtilities20.arx
2000-06-30 17:29 24,576 ----a-w C:\Program Files\AeclUIB.dbx
2000-06-30 17:29 221,184 ----a-w C:\Program Files\AecUiBaseenu.dll
2000-06-30 17:29 1,138,688 ----a-w C:\Program Files\AecUiBase20.arx
2000-06-30 17:07 28,672 ----a-w C:\Program Files\AecLoader20.arx
2000-06-30 17:06 61,440 ----a-w C:\Program Files\AecGfcsh20.dll
2000-06-30 17:06 61,440 ----a-w C:\Program Files\AecGfcfw20.dll
2000-06-30 17:06 40,960 ----a-w C:\Program Files\AecGfcwf20.dll
2000-06-30 17:06 143,360 ----a-w C:\Program Files\AecGfcxt20.dll
2000-06-22 00:21 928 ----a-w C:\Program Files\_register.bat
2000-06-17 04:56 106,496 ----a-w C:\Program Files\AecRegDll.dll
1997-06-23 09:00 123,664 --sha-w C:\WINDOWS\SYSTEM32\Msjint35.dll
1997-06-23 18:06 24,848 --sha-w C:\WINDOWS\SYSTEM32\Msjter35.dll
1997-06-23 18:06 252,176 --sha-w C:\WINDOWS\SYSTEM32\Msrd2x35.dll
1997-06-23 18:06 287,504 --sha-w C:\WINDOWS\SYSTEM32\Msxbse35.dll
2005-12-09 00:56 312 --sh--w C:\WINDOWS\DRM\v3ks.bla.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 172,032 2004-06-22 14:05:02 C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\bak\hpztsb10.exe
----a-w 14,348 2008-01-31 04:00:58 C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\hpztsb10.exe

----a-w 127,022 2002-12-10 23:54:04 C:\Program Files\Common Files\Logitech\QCDriver3\bak\LVCOMS.EXE
----a-w 14,348 2008-01-31 04:00:58 C:\Program Files\Common Files\Logitech\QCDriver3\LVComS.exe

----a-w 204,288 2006-10-19 02:05:26 C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe
----a-w 14,348 2008-01-31 04:00:58 C:\Program Files\Windows Media Player\WMPNSCFG.exe

----a-w 155,648 2002-12-11 00:32:12 C:\Program Files\Logitech\ImageStudio\bak\ISStart.exe
----a-w 14,348 2008-01-31 04:00:58 C:\Program Files\Logitech\ImageStudio\ISStart.exe

----a-w 61,440 2002-12-11 00:31:34 C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe
----a-w 14,348 2008-01-31 04:00:58 C:\Program Files\Logitech\ImageStudio\LogiTray.exe

----a-w 57,344 2005-06-07 05:46:24 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe
----a-w 14,348 2008-01-31 04:00:58 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

----a-w 39,792 2007-10-11 01:51:56 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 14,348 2008-01-31 04:00:58 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

----a-w 80,896 2007-08-22 22:31:16 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\bak\hpqSRMon.exe
----a-w 14,348 2008-01-31 04:00:58 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe

----a-w 69,632 2002-06-20 21:30:04 C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe
----a-w 14,348 2008-01-31 04:00:58 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

----a-w 49,152 2004-02-12 19:38:56 C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe
----a-w 14,348 2008-01-31 04:00:58 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

----a-w 1,289,000 2006-11-13 19:39:52 C:\Program Files\Microsoft ActiveSync\bak\wcescomm.exe
----a-w 14,348 2008-01-31 04:00:58 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

----a-w 385,024 2008-01-10 21:27:36 C:\Program Files\QuickTime\bak\QTTask.exe
----a-w 14,348 2008-01-31 04:00:58 C:\Program Files\QuickTime\QTTask.exe

----a-w 132,496 2007-09-25 07:11:36 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe

----a-w 267,048 2008-01-15 09:22:56 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 14,348 2008-01-31 04:00:58 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 241,664 2004-05-12 21:18:56 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe
----a-w 14,348 2008-01-31 04:00:58 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

----a-w 172,032 2004-06-03 07:51:28 C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe
----a-w 14,348 2008-01-31 04:00:58 C:\Program Files\Microsoft IntelliType Pro\type32.exe

----a-w 68,856 2007-07-05 19:41:30 C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe
----a-w 14,348 2008-01-31 04:00:58 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

----a-w 245,760 2006-01-07 01:56:38 C:\Program Files\Road Runner\Road Runner PhotoShow 4\data\Xtras\bak\mssysmgr.exe
----a-w 14,348 2008-01-31 04:00:58 C:\Program Files\Road Runner\Road Runner PhotoShow 4\data\Xtras\mssysmgr.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [ ]
"AccuWeatherDesktopAlerts"="C:\Program Files\AccuWeatherDesktopAlerts\AccuWeatherDesktopAlerts.exe" [ ]
"WebCamRT.exe"="" []
"Aim6"="" []
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2008-01-30 22:00 14348]
"Road Runner PhotoShow Media Manager"="C:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe" [2007-06-22 16:08 357616]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-30 22:00 14348]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-30 22:00 14348]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2008-01-30 22:00 14348]
"CTHelper"="CTHELPER.EXE" [2007-04-09 12:32 19456 C:\WINDOWS\SYSTEM32\CtHelper.exe]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2008-01-30 22:00 14348]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2008-01-30 22:00 14348]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2008-01-30 22:00 14348]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2008-01-30 22:00 14348]
"LogitechGalleryRepair"="C:\Program Files\Logitech\ImageStudio\ISStart.exe" [2008-01-30 22:00 14348]
"LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" [2008-01-30 22:00 14348]
"HP Software Update"="c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2008-01-30 22:00 14348]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2008-01-30 22:00 14348]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-23 14:26 3429904]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-30 22:00 14348]
"hpqSRMon"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe" [2008-01-30 22:00 14348]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-30 22:00 14348]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-30 22:00 14348]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 12:00 44544]

C:\Documents and Settings\xyz\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-01-14 18:27:50 256000]
PowerReg Scheduler V3.exe [2007-04-30 12:33:04 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 08:15:54 65588]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38 241664]
HP Image Zone Fast Start.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"Hidserv"=Hidserv.exe run
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"HydarVisionDesktopManager"=desk98.exe
"AtiPTA"=Atiptaxx.exe
"HPDJ Taskbar Utility"=C:\WINDOWS\SYSTEM32\hpztsb07.exe
"CamMonitor"=C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
"Share-to-Web Namespace Daemon"=C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
"PiDunHk"="C:\PROGRAM FILES\PRODINET\BIN\PIDUNHK.EXE"
"QuickFinder Scheduler"="C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime



[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-02-03 05:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2008-02-05 21:41:40 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
- C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE
"2008-01-30 03:43:24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-06 00:22:16 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 18:35:34
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-05 18:43:23
ComboFix-quarantined-files.txt 2008-02-06 00:43:18
.
2008-01-09 13:09:29 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:52:00 PM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - orer - (no file)
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {06647158-359E-4D10-A8DE-E6145DA90BE9} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [AccuWeatherDesktopAlerts] C:\Program Files\AccuWeatherDesktopAlerts\AccuWeatherDesktopAlerts.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [Road Runner PhotoShow Media Manager] C:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pcm: C:\PROGRA~1\INTERN~1\PLUGINS\NpCurMem.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: YExplorer1_8US.CAB -
O16 - DPF: {00C0A1F2-D492-4DBA-A8E2-76CB1B791724} (TNPLDownloader Control) - https://dtwx2.accuweather.com/tnpl_awda/cli...LDownloader.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} -
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...tallMgr_v01.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114w.bay114.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1187743574359
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133847430495
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182566215309
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AcDcToday.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (Yahoo! MailTo) -
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\InstFred.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AcPreview.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

--
End of file - 13545 bytes

#5 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:00 PM

Posted 06 February 2008 - 03:34 AM

Please download OTMoveIt by OldTimer,save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\Documents and Settings\xyz\Start Menu\Programs\Startup\PowerReg Scheduler.exe
C:\Documents and Settings\xyz\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe


Return to OTMoveIt, right click on the "Paste Standard List of Files/Folders to be moved" window (under the light blue bar) and choose Paste.
Click the red Moveit! button Posted Image
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Download FindAWF.exe and save it to your desktop:
http://noahdfear.geekstogo.com/FindAWF.exe
Double-click FindAWF.exe to start the tool.
Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
A text file will open up.
Please copy and paste ALL the following text inside the code box below into the text file:
"C:\Program Files\America Online 9.0a\bak\AOL.EXE"
"C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\bak\hpztsb10.exe"
"C:\Program Files\Common Files\Logitech\QCDriver3\bak\LVCOMS.EXE"
"C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe"
"C:\Program Files\Logitech\ImageStudio\bak\ISStart.exe"
"C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe"
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\bak\hpqSRMon.exe"
"C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe"
"C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\Microsoft ActiveSync\bak\wcescomm.exe"
"C:\Program Files\QuickTime\bak\QTTask.exe"
"C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
"C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Road Runner\Road Runner PhotoShow 4\data\Xtras\bak\mssysmgr.exe"
Close the files.txt and click Yes to save the changes.
FindAWF will now terminate the bad processes if running, delete the bad files and restore/replace them with the good files.
Then it will open a log.
Copy and paste the contents of that log in your next reply.
Posted Image
Posted Image

#6 not2simple

not2simple
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:00 AM

Posted 07 February 2008 - 07:46 AM

Ok, it is done. Here are the reports!

C:\Documents and Settings\xyz\Start Menu\Programs\Startup\PowerReg Scheduler.exe moved successfully.
C:\Documents and Settings\xyz\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe moved successfully.



Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Wed 02/06/2008
The current time is: 20:45:03.96


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\WINDOW~1\BAK

10/18/2006 08:05 PM 204,288 WMPNSCFG.exe
1 File(s) 204,288 bytes

Directory of C:\PROGRA~1\MICROS~2\BAK

11/13/2006 01:39 PM 1,289,000 wcescomm.exe
1 File(s) 1,289,000 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

01/10/2008 03:27 PM 385,024 QTTask.exe
1 File(s) 385,024 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

01/15/2008 03:22 AM 267,048 iTunesHelper.exe
1 File(s) 267,048 bytes

Directory of C:\PROGRA~1\MI558C~1\BAK

06/03/2004 01:51 AM 172,032 type32.exe
1 File(s) 172,032 bytes

Directory of C:\PROGRA~1\LOGITECH\IMAGES~1\BAK

12/10/2002 06:32 PM 155,648 ISStart.exe
12/10/2002 06:31 PM 61,440 LogiTray.exe
2 File(s) 217,088 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSHAR~1\BAK

06/20/2002 03:30 PM 69,632 hpgs2wnd.exe
1 File(s) 69,632 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

02/12/2004 01:38 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

05/12/2004 03:18 PM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~2\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\BAK

07/05/2007 01:41 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\COMMON~1\LOGITECH\QCDRIV~2\BAK

12/10/2002 05:54 PM 127,022 LVCOMS.EXE
1 File(s) 127,022 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

10/10/2007 07:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\HEWLET~1\DIGITA~1\BIN\BAK

08/22/2007 04:31 PM 80,896 hpqSRMon.exe
1 File(s) 80,896 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~3.0_0\BIN\BAK

09/25/2007 01:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

06/06/2005 11:46 PM 57,344 apdproxy.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\ROADRU~1\ROADRU~1\DATA\XTRAS\BAK

01/06/2006 07:56 PM 245,760 mssysmgr.exe
1 File(s) 245,760 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

06/22/2004 08:05 AM 172,032 hpztsb10.exe
1 File(s) 172,032 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

204288 Oct 18 2006 "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
204288 Oct 18 2006 "C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe"
1289000 Nov 13 2006 "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
1289000 Nov 13 2006 "C:\Program Files\Microsoft ActiveSync\bak\wcescomm.exe"
385024 Jan 10 2008 "C:\Program Files\QuickTime\QTTask.exe"
385024 Jan 10 2008 "C:\Program Files\QuickTime\bak\QTTask.exe"
267048 Jan 15 2008 "C:\Program Files\iTunes\iTunesHelper.exe"
102400 Jan 20 2008 "C:\WINDOWS\Installer\{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}\iTunesIco.exe"
267048 Jan 15 2008 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
79144 Jan 20 2008 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.6.0.29\iTunesSetupAdmin.exe"
172032 Jun 3 2004 "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
172032 Jun 3 2004 "C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe"
172032 Jun 3 2004 "C:\Program Files\Microsoft IntelliType Pro 5.2\IType\SETUP\Files\type32.exe"
155648 Dec 10 2002 "C:\Program Files\Logitech\ImageStudio\ISStart.exe"
155648 Dec 10 2002 "C:\Program Files\Logitech\ImageStudio\bak\ISStart.exe"
61440 Dec 10 2002 "C:\Program Files\Logitech\ImageStudio\LogiTray.exe"
61440 Dec 10 2002 "C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe"
69632 Jun 20 2002 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
69632 Jun 20 2002 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe"
49152 Feb 12 2004 "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
49152 Feb 12 2004 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
241664 May 12 2004 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
241664 May 12 2004 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
52272 Apr 29 2007 "C:\Program Files\Google\googletoolbar1user.exe"
68856 Jul 5 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
559784 Jan 8 2006 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
68856 Jul 5 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
138168 Apr 29 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
33285592 Dec 1 2007 "C:\Documents and Settings\xyz\My Documents\Home\Download\GoogleSketchUpWEN.exe"
102400 Jun 10 2002 "C:\WINDOWS\SYSTEM32\LVComS.exe"
102400 Jun 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver\LVComS.exe"
90112 Sep 20 2002 "C:\Program Files\Common Files\Logitech\QCDriver2\LVComS.exe"
127022 Dec 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver3\LVComS.exe"
127022 Dec 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver3\bak\LVCOMS.EXE"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
80896 Aug 22 2007 "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe"
80896 Aug 22 2007 "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\bak\hpqSRMon.exe"
36975 Aug 26 2005 "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
32881 Feb 22 2004 "C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
144784 Dec 14 2007 "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"
245760 Jan 6 2006 "C:\Program Files\Road Runner\Road Runner PhotoShow 4\data\Xtras\mssysmgr.exe"
357616 Jun 22 2007 "C:\Program Files\Road Runner\PhotoShow 5\data\Xtras\mssysmgr.exe"
245760 Jan 6 2006 "C:\Program Files\Road Runner\Road Runner PhotoShow 4\data\Xtras\bak\mssysmgr.exe"
172032 Jun 22 2004 "C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\hpztsb10.exe"
172032 Jun 22 2004 "C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\bak\hpztsb10.exe"


end of report

#7 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:00 PM

Posted 07 February 2008 - 09:33 AM

Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\Program Files\Windows Media Player\bak
C:\Program Files\Microsoft ActiveSync\bak
C:\Program Files\QuickTime\bak
C:\Program Files\iTunes\bak
C:\Program Files\Microsoft IntelliType Pro\bak
C:\Program Files\Logitech\ImageStudio\bak
C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak
C:\Program Files\Hewlett-Packard\HP Software Update\bak
C:\Program Files\HP\hpcoretech\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\Common Files\Logitech\QCDriver3\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\bak
C:\Program Files\Java\jre1.6.0_03\bin\bak
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak
C:\Program Files\Road Runner\Road Runner PhotoShow 4\data\Xtras\bak
C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\bak


Return to OTMoveIt, right click on the "Paste Standard List of Files/Folders to be moved" window (under the light blue bar) and choose Paste.
Click the red Moveit! button Posted Image
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Post a new Hijackthis log please.
Posted Image
Posted Image

#8 not2simple

not2simple
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:00 AM

Posted 07 February 2008 - 11:28 AM

Here are the results....

C:\Program Files\Windows Media Player\bak moved successfully.
C:\Program Files\Microsoft ActiveSync\bak moved successfully.
C:\Program Files\QuickTime\bak moved successfully.
C:\Program Files\iTunes\bak moved successfully.
C:\Program Files\Microsoft IntelliType Pro\bak moved successfully.
C:\Program Files\Logitech\ImageStudio\bak moved successfully.
C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak moved successfully.
C:\Program Files\Hewlett-Packard\HP Software Update\bak moved successfully.
C:\Program Files\HP\hpcoretech\bak moved successfully.
C:\Program Files\Google\GoogleToolbarNotifier\bak moved successfully.
C:\Program Files\Common Files\Logitech\QCDriver3\bak moved successfully.
C:\Program Files\Adobe\Reader 8.0\Reader\bak moved successfully.
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\bak moved successfully.
C:\Program Files\Java\jre1.6.0_03\bin\bak moved successfully.
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak moved successfully.
C:\Program Files\Road Runner\Road Runner PhotoShow 4\data\Xtras\bak moved successfully.
C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\bak moved successfully.

OTMoveIt2 v1.0.18 log created on 02072008_100951



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:56 AM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Logitech\ImageStudio\LowLight.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - orer - (no file)
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {06647158-359E-4D10-A8DE-E6145DA90BE9} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [AccuWeatherDesktopAlerts] C:\Program Files\AccuWeatherDesktopAlerts\AccuWeatherDesktopAlerts.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [Road Runner PhotoShow Media Manager] C:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pcm: C:\PROGRA~1\INTERN~1\PLUGINS\NpCurMem.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: YExplorer1_8US.CAB -
O16 - DPF: {00C0A1F2-D492-4DBA-A8E2-76CB1B791724} (TNPLDownloader Control) - https://dtwx2.accuweather.com/tnpl_awda/cli...LDownloader.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} -
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...tallMgr_v01.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114w.bay114.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1187743574359
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133847430495
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182566215309
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AcDcToday.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (Yahoo! MailTo) -
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\InstFred.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AcPreview.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

--
End of file - 14266 bytes

#9 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:00 PM

Posted 07 February 2008 - 12:11 PM

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,exit SuperAntiSpyware.
Do not run it just yet.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - orer - (no file)
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {06647158-359E-4D10-A8DE-E6145DA90BE9} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: YExplorer1_8US.CAB -
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} -
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -

Exit Hijackthis.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log,let me know how your pc is running now.

Posted Image
Posted Image

#10 not2simple

not2simple
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:00 AM

Posted 07 February 2008 - 05:06 PM

Hi Richie,
The computer is running better than it has in long time and I would like to thank you for all of your help. Here are the SUPER AntiSpyware Scan log and HijackThis log.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/07/2008 at 03:41 PM

Application Version : 3.9.1008

Core Rules Database Version : 3397
Trace Rules Database Version: 1389

Scan type : Complete Scan
Total Scan Time : 02:32:31

Memory items scanned : 500
Memory threats detected : 0
Registry items scanned : 7664
Registry threats detected : 0
File items scanned : 81358
File threats detected : 0


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:46 PM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Logitech\ImageStudio\LowLight.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [AccuWeatherDesktopAlerts] C:\Program Files\AccuWeatherDesktopAlerts\AccuWeatherDesktopAlerts.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [Road Runner PhotoShow Media Manager] C:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-1993962763-1060284298-854245398-501\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (User 'Guest')
O4 - HKUS\S-1-5-21-1993962763-1060284298-854245398-501\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Guest')
O4 - HKUS\S-1-5-21-1993962763-1060284298-854245398-501\..\Run: [Aim6] (User 'Guest')
O4 - HKUS\S-1-5-21-1993962763-1060284298-854245398-501\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User 'Guest')
O4 - HKUS\S-1-5-21-1993962763-1060284298-854245398-501\..\Run: [Road Runner PhotoShow Media Manager] C:\PROGRA~1\ROADRU~1\ROADRU~1\data\xtras\mssysmgr.exe (User 'Guest')
O4 - HKUS\S-1-5-21-1993962763-1060284298-854245398-501\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'Guest')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pcm: C:\PROGRA~1\INTERN~1\PLUGINS\NpCurMem.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {00C0A1F2-D492-4DBA-A8E2-76CB1B791724} (TNPLDownloader Control) - https://dtwx2.accuweather.com/tnpl_awda/cli...LDownloader.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...tallMgr_v01.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114w.bay114.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1187743574359
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133847430495
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182566215309
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AcDcToday.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (Yahoo! MailTo) -
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\InstFred.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AcPreview.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

--
End of file - 14528 bytes


Let me know if what else to do,
Debbie

#11 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:00 PM

Posted 07 February 2008 - 06:15 PM

Your log is clean :thumbsup: ,please do the following:

Click on Start/Run,copy and paste ComboFix /u into the 'Open:' space,then press Ok.
This will uninstall Combofix,delete its related folders and files,reset your clock settings,hide file extensions,hide the system/hidden files and resets System Restore again.

Posted Image


Please double-click OTMoveIt.exe again to run it.
Click on the 'Cleanup' button Posted Image
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.

You should take the time to read and follow the information found in the links below,to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm

Hardening Windows Security - Part 1:
http://www.malwarehelp.org/Malware-Prevent...-Security1.html

Hardening Windows Security - Part 2:
http://www.malwarehelp.org/malware-prevent...-security2.html
Posted Image
Posted Image

#12 not2simple

not2simple
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:00 AM

Posted 08 February 2008 - 10:18 PM

:thumbsup: Thank you RichieUK, this poor, old puter is running like it is new again (well, almost). :blink: I have spent the last 24 reading and scanning and removing stuff that I thought was long gone. I think I will hang around for a while and learn things that they don't teach in computer class.

#13 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:00 PM

Posted 09 February 2008 - 04:51 AM

You're most welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users