Is Lowpower.exe In Windows Prefetch A Virus?


  • This topic is locked
9 replies to this topic

#1 SarvatiTN

  • Members
  • 6 posts

Posted 08 July 2008 - 07:21 PM

I was hit with a redirect virus a few days ago. First it started redirecting me from any website that I attempted to access by popping up a new window and showing me links. "Virus Alert!" appeared in the taskbar. I could access some websites by copying and pasting the URL in the address box, with the exception of any security software site, which would result in a window saying that the internet site could not be found. At some point it started removing items from the desktop and locking up the computer.

Somehow, I managed to remove the Virus Alert! part by checking for entries that were created on a certain date. My virus software, Panda, did not catch this as it seems to be a scripting virus (does that sound right? Although I am an engineer, I know nothing about programming). Eventually, it locked up Panda. I was able to get around this by disabling the internet connection, removing strange entries created on that date, and running Panda, which still did not find anything. I ran VirtumundoBeGone and it told me what the problem entries were. At first, I was not even able to download HijackThis or anything similar.

I removed Panda and installed a trial version of NOD32. I ended up running the Windows XP Recovery Console (mistake). I installed and ran HijackThis, removed what I could, and can use the computer, but I think that it is still lurking there. In my Windows Prefetch folder is a file called LOWPOWER.EXE. I wonder if it is supposed to be there, because it was created on the date and at the time all of the problems began. It cannot be removed. I removed entries with "ie.redirect..." but don't know if that was right. Okay, chastise me at will, but I was just trying not to bother anyone.

Here is my current HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:25 PM, on 7/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1215454362312
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 4832 bytes


I have removed the iPod services several times but they keep coming back. I don't even have an iPod. Any help would be appreciated, as I have tried for 4 days to fix this, and my teenage granddaughters and I have been installing a hardwood floor, and I do get distracted about it all. Frustration = running the Recovery Console and losing your emails + your laptop power connector breaks!

Thanks for any help.
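The HijackThis log above is a simple line format (a section code such as R0, O4 or O23, then " - ", then the entry), and the way a helper usually works is to compare one scan against the next to see what came back or was newly added. The Python below is an added example, not part of this post or of HijackThis: it parses that format, diffs two scans, and flags R0/R1 start- and search-page URLs whose host is outside a trusted-domain list; the two embedded logs are short excerpts constructed from the 8 July and 10 July logs in this thread, and the trusted-domain list is an assumption set per machine.

```python
"""Parse HijackThis 2.x logs and compare two scans of the same machine.

Added example for this thread; not part of the original post or of HijackThis.
OLD_LOG and NEW_LOG are short excerpts constructed from the 8 July and 10 July
logs in the thread, not complete copies.
"""
import re
from urllib.parse import urlparse

# An entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [egui] ...";
# the section code is R0, R1, O2, O4, O23 and so on.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://\S+")

OLD_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:25 PM, on 7/8/2008

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

NEW_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:21 PM, on 7/10/2008

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
"""


def parse_hjt(text):
    """Return (entries, processes): entries are (section, body) tuples in log
    order, processes the lower-cased paths listed under 'Running processes:'."""
    entries, processes = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                 # a blank line closes the process list
            in_processes = False
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line.lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries, processes


def diff_logs(old_text, new_text):
    """Entries and processes that appeared or disappeared between two scans,
    sorted so a helper can read the result top to bottom."""
    old_e, old_p = parse_hjt(old_text)
    new_e, new_p = parse_hjt(new_text)
    return {
        "added_entries": sorted(set(new_e) - set(old_e)),
        "removed_entries": sorted(set(old_e) - set(new_e)),
        "added_processes": sorted(set(new_p) - set(old_p)),
        "removed_processes": sorted(set(old_p) - set(new_p)),
    }


def unexpected_browser_urls(entries, trusted_domains):
    """R0/R1 entries (IE start, search and default pages) whose URL host is not
    a trusted domain or a subdomain of one. The trusted list is an assumption
    you set per machine; a hit means 'look closer', not 'malicious'."""
    flagged = []
    for section, body in entries:
        if section[0] != "R":
            continue
        for url in URL_RE.findall(body):
            host = (urlparse(url).hostname or "").lower()
            if not any(host == d or host.endswith("." + d) for d in trusted_domains):
                flagged.append((section, url))
    return flagged


if __name__ == "__main__":
    for key, items in diff_logs(OLD_LOG, NEW_LOG).items():
        print(key, *items, sep="\n    ")
    print("unexpected R0/R1 hosts:",
          unexpected_browser_urls(parse_hjt(NEW_LOG)[0], ["yahoo.com", "microsoft.com"]))
```

Run against the full logs pasted in this thread, the diff shows the same things a helper looks for by eye: the ctfmon and iPodService entries the poster fixed are gone, and the Yahoo! Toolbar, RealPlayer scheduler and MAGIX entries are new since the first scan.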


#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Location:Pickerington, Ohio

Posted 09 July 2008 - 07:07 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.

You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.

-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 SarvatiTN

  • Topic Starter
  • Members
  • 6 posts

Posted 10 July 2008 - 11:10 PM

Hi, I just now read that you had replied. I have run DSS. Here are the logs:

Main.txt...

Deckard's System Scanner v20071014.68
Run by HP_Administrator on 2008-07-10 23:02:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
11: 2008-07-11 04:02:23 UTC - RP11 - Deckard's System Scanner Restore Point
10: 2008-07-10 14:49:36 UTC - RP10 - Installed HP Marketing Assistant
9: 2008-07-10 08:02:36 UTC - RP9 - Software Distribution Service 3.0
8: 2008-07-09 18:49:27 UTC - RP8 - Configured iTunes
7: 2008-07-09 08:00:22 UTC - RP7 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-07-07 07:25:30 UTC - RP1 - Printer Driver HP Officejet 7200 series fax Installed


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as HP_Administrator.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:21 PM, on 7/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
C:\Documents and Settings\HP_Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP_Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TrayServer] C:\Program Files\MAGIX\Movie_Edit_Pro_14\TrayServer.exe
O4 - HKLM\..\RunOnce: [GrpConv] grpconv.exe -o
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1215454362312
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 5244 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080708-130822-623 O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
backup-20080708-140014-100 O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
backup-20080708-140014-126 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
backup-20080708-140014-137 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
backup-20080708-140014-160 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
backup-20080708-140014-186 O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
backup-20080708-140014-216 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
backup-20080708-140014-218 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20080708-140014-220 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
backup-20080708-140014-223 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080708-140014-260 O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
backup-20080708-140014-312 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
backup-20080708-140014-415 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
backup-20080708-140014-491 O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
backup-20080708-140014-513 O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
backup-20080708-140014-522 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
backup-20080708-140014-530 O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
backup-20080708-140014-541 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080708-140014-568 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
backup-20080708-140014-598 O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
backup-20080708-140014-605 O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
backup-20080708-140014-682 O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
backup-20080708-140014-684 O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
backup-20080708-140014-754 O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
backup-20080708-140014-762 O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
backup-20080708-140014-763 O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
backup-20080708-140014-816 O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
backup-20080708-140014-831 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
backup-20080708-140014-865 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20080708-140014-917 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
backup-20080708-140014-949 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
backup-20080708-140014-955 O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
backup-20080708-140014-983 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 catchme - c:\combofix\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R0 Pml Driver HPZ12 - \systemroot\c:\windows\system32\hpzipm12.exe (file missing)
R3 FirebirdServerMAGIXInstance (Firebird Server - MAGIX Instance) - c:\program files\magix\common\database\bin\fbserver.exe <Not Verified; MAGIX®; Firebird SQL Server - MAGIX Edition>

S3 UPnPService - c:\program files\common files\magix shared\upnpservice\upnpservice.exe <Not Verified; Magix AG; UPnPService Module>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\6EB5E711D800
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\6EB5E711D800
Service: NIC1394


-- Scheduled Tasks -------------------------------------------------------------

2008-07-07 02:21:09 296 --a------ C:\WINDOWS\Tasks\HPCeeSchedule.job
2008-07-07 02:20:59 338 --a------ C:\WINDOWS\Tasks\Easy Internet Sign-up.job
2008-07-04 01:00:00 436 --a------ C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DEBRA-HP_Administrator).job


-- Files created between 2008-06-10 and 2008-07-10 -----------------------------

2008-07-10 19:22:46 0 d-------- C:\Program Files\ProtectDisc Driver Installer
2008-07-10 19:22:18 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\MAGIX
2008-07-10 19:15:53 0 d-------- C:\WINDOWS\LastGood
2008-07-10 19:14:39 44544 --a------ C:\WINDOWS\system32\msxml4a.dll <Not Verified; Microsoft Corporation; Microsoft® MSXML 4.0 SP1>
2008-07-10 19:14:38 24576 --a------ C:\WINDOWS\system32\TTIC32.dll <Not Verified; PoINT Software & Systems GmbH; TTIC32>
2008-07-10 19:14:38 24576 --a------ C:\WINDOWS\system32\TTI32.dll <Not Verified; PoINT Software & Systems GmbH; TTI32>
2008-07-10 19:14:38 32768 --a------ C:\WINDOWS\system32\STRING32.dll <Not Verified; PoINT Software & Systems GmbH; STRING32>
2008-07-10 19:14:38 430080 --a------ C:\WINDOWS\system32\MXRestore.exe <Not Verified; MAGIX AG; MAGIX Restore>
2008-07-10 19:14:38 57344 --a------ C:\WINDOWS\system32\DLLTPO32.dll <Not Verified; PoINT Software & Systems GmbH; DLLTPO32>
2008-07-10 19:14:38 192512 --a------ C:\WINDOWS\system32\DLLRES32.dll <Not Verified; PoINT Software & Systems GmbH; DLLRES32>
2008-07-10 19:14:38 40960 --a------ C:\WINDOWS\system32\DLLRD32.dll <Not Verified; PoINT Software & Systems GmbH; DLLRD32>
2008-07-10 19:14:38 65536 --a------ C:\WINDOWS\system32\DLLPTL32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPTL32>
2008-07-10 19:14:38 53248 --a------ C:\WINDOWS\system32\DLLPRJ32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPRJ32>
2008-07-10 19:14:38 49152 --a------ C:\WINDOWS\system32\DLLPRF32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPRF32>
2008-07-10 19:14:38 36864 --a------ C:\WINDOWS\system32\DLLPNT32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPNT32>
2008-07-10 19:14:38 32768 --a------ C:\WINDOWS\system32\DLLMSC32.dll <Not Verified; PoINT Software & Systems GmbH; DLLMSC32>
2008-07-10 19:14:38 24576 --a------ C:\WINDOWS\system32\DLLIX.dll <Not Verified; PoINT Software & Systems GmbH; DLLIX>
2008-07-10 19:14:38 32768 --a------ C:\WINDOWS\system32\DLLISO32.dll <Not Verified; PoINT Software & Systems GmbH; DLLISO32>
2008-07-10 19:14:38 53248 --a------ C:\WINDOWS\system32\DLLIO32.dll <Not Verified; PoINT Software & Systems GmbH; DLLIO32>
2008-07-10 19:14:38 45056 --a------ C:\WINDOWS\system32\DLLIMG32.dll <Not Verified; PoINT Software & Systems GmbH; DLLIMG32>
2008-07-10 19:14:38 151552 --a------ C:\WINDOWS\system32\DLLDRV32.dll <Not Verified; PoINT Software & Systems GmbH; DLLDRV32>
2008-07-10 19:14:38 32768 --a------ C:\WINDOWS\system32\DLLDIR32.dll <Not Verified; PoINT Software & Systems GmbH; DLLDIR32>
2008-07-10 19:14:38 167936 --a------ C:\WINDOWS\system32\DLLDEV32.dll <Not Verified; PoINT Software & Systems GmbH; DLLDEV32>
2008-07-10 19:14:38 98304 --a------ C:\WINDOWS\system32\DLLCPY32.dll <Not Verified; PoINT Software & Systems GmbH; DLLCPY32>
2008-07-10 19:14:38 61440 --a------ C:\WINDOWS\system32\DLLCDF32.dll <Not Verified; PoINT Software & Systems GmbH; DLLCDF32>
2008-07-10 19:14:38 114688 --a------ C:\WINDOWS\system32\DLLCDA32.dll <Not Verified; PoINT Software & Systems GmbH; PoINT CDarchive for Windows>
2008-07-10 19:14:38 618496 --a------ C:\WINDOWS\system32\DLLAV32.dll <Not Verified; PoINT Software & Systems GmbH; PoINT CD/DVD Audio/Video SDK for Windows>
2008-07-10 19:02:45 120200 --a------ C:\WINDOWS\system32\DLLDEV32i.dll <Not Verified; ; DLLDEV32i>
2008-07-10 18:59:34 700416 --a------ C:\WINDOWS\system32\mgxoschk.dll <Not Verified; MAGIX AG; mgxoschk>
2008-07-10 18:59:34 0 d-------- C:\WINDOWS\system32\MAGIX
2008-07-10 09:53:42 0 d-------- C:\WINDOWS\Hewlett-Packard
2008-07-10 09:53:37 1617920 --a------ C:\WINDOWS\system32\cdintf250.dll <Not Verified; Amyuni Technologies http://www.amyuni.com; Amyuni Common Driver Interface>
2008-07-10 03:21:07 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-09 15:27:55 0 d-------- C:\Program Files\Yahoo SiteBuilder
2008-07-09 03:00:52 0 d-------- C:\WINDOWS\system32\PreInstall
2008-07-09 02:16:46 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Leadertech
2008-07-08 14:36:16 0 d-------- C:\Program Files\Windows Live Safety Center
2008-07-08 12:50:12 0 d-------- C:\Program Files\Trend Micro
2008-07-08 12:41:03 68096 --a------ C:\WINDOWS\zip.exe
2008-07-08 12:41:03 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-08 12:41:03 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-08 12:41:03 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-08 12:41:03 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-08 12:41:03 98816 --a------ C:\WINDOWS\sed.exe
2008-07-08 12:41:03 80412 --a------ C:\WINDOWS\grep.exe
2008-07-08 12:41:03 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-08 02:09:03 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Sun
2008-07-08 00:41:15 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes
2008-07-08 00:41:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-08 00:41:09 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-07 15:45:46 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
2008-07-07 13:29:44 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\ESET
2008-07-07 13:27:02 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-07-07 12:30:57 0 d-------- C:\WINDOWS\system32\appmgmt
2008-07-07 12:00:06 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-07-07 04:15:19 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Macromedia
2008-07-07 04:15:19 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Intuit
2008-07-07 04:15:19 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Identities
2008-07-07 04:15:19 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\ATI
2008-07-07 04:15:19 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Apple Computer
2008-07-07 04:15:19 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Adobe
2008-07-07 04:15:18 0 d-------- C:\Documents and Settings\HP_Administrator\WINDOWS
2008-07-07 04:15:18 0 d--h----- C:\Documents and Settings\HP_Administrator\Templates
2008-07-07 04:15:18 0 dr------- C:\Documents and Settings\HP_Administrator\Start Menu
2008-07-07 04:15:18 0 dr-h----- C:\Documents and Settings\HP_Administrator\SendTo
2008-07-07 04:15:18 0 d--h----- C:\Documents and Settings\HP_Administrator\PrintHood
2008-07-07 04:15:18 1572864 --a------ C:\Documents and Settings\HP_Administrator\NTUSER.DAT
2008-07-07 04:15:18 0 d--h----- C:\Documents and Settings\HP_Administrator\NetHood
2008-07-07 04:15:18 0 dr------- C:\Documents and Settings\HP_Administrator\My Documents
2008-07-07 04:15:18 0 d--h----- C:\Documents and Settings\HP_Administrator\Local Settings
2008-07-07 04:15:18 0 dr------- C:\Documents and Settings\HP_Administrator\Favorites
2008-07-07 04:15:18 0 d-------- C:\Documents and Settings\HP_Administrator\Desktop
2008-07-07 04:15:18 0 d---s---- C:\Documents and Settings\HP_Administrator\Cookies
2008-07-07 04:15:18 0 dr-h----- C:\Documents and Settings\HP_Administrator\Application Data
2008-07-07 04:15:18 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Symantec
2008-07-07 04:15:18 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\SampleView
2008-07-07 04:15:18 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Real
2008-07-07 04:10:58 0 d-------- C:\Documents and Settings\Default User\Application Data\Macromedia
2008-07-07 04:10:58 0 d-------- C:\Documents and Settings\Default User\Application Data\Adobe
2008-07-07 03:26:19 0 dr-hs---- C:\WINDOWS\system32\dllcache
2008-07-07 02:34:37 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\HPQ
2008-07-07 02:29:19 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\HP
2008-07-07 02:25:45 0 dr-h----- C:\Documents and Settings\HP_Administrator\Recent
2008-07-07 02:25:43 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Help
2008-07-07 02:25:32 0 dr-hs---- C:\cmdcons
2008-07-07 02:24:58 0 d-------- C:\WINDOWS\setupupd
2008-07-06 23:51:44 0 d-------- C:\VundoFix Backups
2008-07-06 23:16:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-07-03 13:59:22 0 d-------- C:\SMCLpav
2008-07-03 13:13:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-07-03 13:13:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-18 23:42:56 0 d-------- C:\Program Files\Sun
2008-06-10 22:17:33 0 d-------- C:\Program Files\MySpace


-- Find3M Report ---------------------------------------------------------------

2008-07-10 09:54:35 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-10 09:50:05 0 d-------- C:\Program Files\HP
2008-07-07 13:06:20 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-07-07 12:34:53 0 d-------- C:\Program Files\Common Files\Panda Software
2008-07-07 12:31:54 0 d-------- C:\Program Files\Symantec
2008-07-07 12:30:53 0 d-------- C:\Program Files\Common Files
2008-07-07 02:28:41 112954 --a------ C:\WINDOWS\hpoins07.dat
2008-07-07 02:21:00 0 d-------- C:\Program Files\Easy Internet signup
2008-07-04 22:43:48 0 d-------- C:\Program Files\Schmap
2008-07-04 22:04:58 0 d-------- C:\Program Files\DVDFab Decrypter 3
2008-06-22 03:02:01 0 d-------- C:\Program Files\Viewpoint
2008-06-09 13:01:39 0 d-------- C:\Program Files\Common Files\MAGIX Shared
2008-05-24 14:52:57 0 d-------- C:\Program Files\MAGIX


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [08/10/2005 09:33 AM]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [06/02/2005 01:35 AM]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [02/26/2005 12:34 AM]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [06/10/2008 06:52 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/18/2005 05:54 PM]
"TrayServer"="C:\Program Files\MAGIX\Movie_Edit_Pro_14\TrayServer.exe" [12/04/2007 12:34 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 06:24 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"GrpConv"=grpconv.exe -o

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/12/2005 8:23:26 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b47d674-4c01-11dd-b379-806d6172696f}]
AutoRun\command- E:\start.exe /checksection

*Newly Created Service* - ACEDRV11
*Newly Created Service* - EHRECVR
*Newly Created Service* - EHSCHED
*Newly Created Service* - FIREBIRDSERVERMAGIXINSTANCE



-- End of Deckard's System Scanner: finished at 2008-07-10 23:03:56 ------------

And the extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® D CPU 2.80GHz
CPU 1: Intel® Pentium® D CPU 2.80GHz
Percentage of Memory in Use: 47%
Physical Memory (total/avail): 1022.41 MiB / 540.34 MiB
Pagefile Memory (total/avail): 2459.08 MiB / 2130.29 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1937.26 MiB

C: is Fixed (NTFS) - 224.86 GiB total, 71.46 GiB free.
D: is Fixed (FAT32) - 8 GiB total, 0.86 GiB free.
E: is CDROM (CDFS)
F: is CDROM (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
K: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD2500JS-60MHB1 - 232.88 GiB - 2 partitions
\PARTITION0 - Unknown - 8.01 GiB - D:
\PARTITION1 (bootable) - Installable File System - 224.86 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device

\\.\PHYSICALDRIVE5 - HP Officejet 7210 USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ESET Personal firewall v3.0.667.0 (ESET, spol. s r. o.)
AV: ESET Smart Security 3.0 v3.0 (ESET, spol. s r. o.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Enabled:Updates from HP"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Enabled:Updates from HP"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\HP_Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-55E5F9E3D2
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\HP_Administrator
LOGONSERVER=\\YOUR-55E5F9E3D2
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;c:\Python22;C:\Program Files\ATI Technologies\ATI.ACE;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;c:\Python22;C:\Program Files\ATI Technologies\ATI.ACE;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0404
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=c:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp
USERDOMAIN=YOUR-55E5F9E3D2
USERNAME=HP_Administrator
USERPROFILE=C:\Documents and Settings\HP_Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

HP_Administrator (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {F80239D8-7811-4D5E-B033-0D0BBFE32920}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Agere Systems PCI Soft Modem --> agrsmdel
ATI Catalyst Control Center --> MsiExec.exe /I{9A945BB0-FB9C-4DAA-9C72-789E4B97C595}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Barnyard Invasion from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\049D60AF-B425-4F8A-BD66-9D8C1B519D59\Uninstall.exe"
Bejeweled 2 Deluxe from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\47D5A62B-1B41-4DB1-8267-ADA434FA782B\Uninstall.exe"
Big Kahuna Reef from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\D77E8A46-BEB4-49ED-B2D3-B77180169FA3\Uninstall.exe"
Blackhawk Striker 2 from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\758619C0-7C97-42BB-B1E9-775F72FDAD1E\Uninstall.exe"
Blasterball 2 from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\D2DACBCD-E1FE-4C32-A49B-1EB0743D1E79\Uninstall.exe"
Blasterball 2 Holidays from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\1B497FAA-E53E-420D-8408-FFDD3278CD50\Uninstall.exe"
Boggle Supreme from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\90EA5584-4290-407B-B8F2-D6E6D65A4796\Uninstall.exe"
Bookworm Deluxe from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\E59F75D0-A38B-40F4-ABA2-CA35A7735473\Uninstall.exe"
Bounce Symphony from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\5DAA9E44-1B31-41CD-88A8-228EDED6E36E\Uninstall.exe"
Crystal Maze from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\3D61540E-C88C-4358-B6A1-DC26648F2A3D\Uninstall.exe"
Digby's Donuts from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\A51671BD-9BE5-4944-AC62-A2A0B6FF5E54\Uninstall.exe"
Easy Internet Sign-up --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{8105684D-8CA6-440D-8F58-7E5FD67A499D} /l1033
ESET Smart Security --> MsiExec.exe /I{58E05C78-4785-443D-8A1B-CBFF49C2A84E}
FATE Demo from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\B68BB501-10CD-46E2-BB45-075A2ABFD242\Uninstall.exe"
Firebird SQL Server - MAGIX Edition --> C:\Program Files\MAGIX\Common\Database\instslct.exe /p
Flip Words from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\1280194E-E9D5-4253-95E7-40169E2A4848\Uninstall.exe"
GemMaster Mystic --> "C:\Program Files\GemMaster\uninstallgemmaster.exe"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Boot Optimizer --> MsiExec.exe /I{3BA95526-6AE0-4B87-A62D-17187EF565FC}
HP Deskjet Printer Preload --> MsiExec.exe /I{2C5D07FB-31A2-4F2D-9FDA-0B24ACD42BD0}
HP DigitalMedia Archive --> MsiExec.exe /I{F80239D8-7811-4D5E-B033-0D0BBFE32920}
HP Document Viewer 5.3 --> C:\Program Files\HP\Digital Imaging\DocumentViewer\hpzscr01.exe -datfile hpqbud04.dat
HP Game Console and games --> C:\Program Files\WildTangent\Apps\hpuninstall.exe
HP Image Zone 5.3 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Image Zone for Media Center PC --> c:\Program Files\HP\Digital Imaging\bin\mcpc\setupmcl.exe /u
HP Imaging Device Functions 5.3 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Marketing Assistant --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{6FFDFDB6-A660-41A3-997A-EB061C5F6C60} /l1033
HP Multimedia Keyboard Software --> C:\HP\KBD\KBD.EXE uninstalled
HP Photosmart 330,380,420,470,7800,8000,8200 Series --> C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\setup\hpzscr01.exe -d MsiRollbackUninstaller -datfile hphscr08.dat
HP Photosmart Cameras 5.0 --> C:\Program Files\HP\Digital Imaging\{C83A12B9-B31B-461A-BBD4-CE9B988094F1}\setup\hpzscr01.exe -datfile hpiscr01.dat
HP PSC & OfficeJet 5.3.B --> "C:\Program Files\HP\Digital Imaging\{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}\setup\hpzscr01.exe" -datfile hposcr07.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Software Update --> MsiExec.exe /X{ECFDD6BD-E0C0-41CC-A171-E6D6AF4C0E93}
HP Solution Center & Imaging Support Tools 5.3 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Tunes --> MsiExec.exe /X{D54193B7-D2DF-4977-B546-86CA48DB214E}
HPTunesAddIn --> MsiExec.exe /I{69CF01AD-9E35-4BD7-9036-7B8478BEB839}
Insaniquarium Deluxe from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\A09026AE-8F16-4929-B4E6-1825535844DB\Uninstall.exe"
Intel® PRO Network Connections Drivers --> Prounstl.exe
IntelliMover Data Transfer Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14589F05-C658-4594-9429-D437BA688686}\Setup.exe" -l0x9
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
Jewel Quest from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\A73FAC36-8925-465D-8FA2-4DA98BD9B441\Uninstall.exe"
MAGIX Goya burnR 1.3.1.3 (US) --> C:\Program Files\MAGIX\Goya_burnR\instslct.exe /p
MAGIX Movie Edit Pro 14 7.5.2.11 (US) --> C:\Program Files\MAGIX\Movie_Edit_Pro_14\instslct.exe /p
MAGIX PC Visit --> C:\Program Files\MAGIX\PCVisit\instslct.exe /p
MAGIX Photo Manager 2007 4.1.1.77 (US) --> C:\Program Files\MAGIX\Photo_Manager_2007\instslct.exe /p
Mah Jong Quest from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\538B9061-0C77-4FB2-903F-EC42A1FF5DD8\Uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Away Mode -->
Microsoft Money 2005 --> C:\Program Files\Microsoft Money 2005\MNYCoreFiles\Setup\uninst.exe /s:120
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Standard --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0050048383C9}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Mufin MusicFinder Base 1.0.1.240 (UK) --> C:\Program Files\MAGIX\Mufin MusicFinder\instslct.exe /p
muvee autoProducer 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2C3D719A-92C7-4323-89CC-C937D0267B84}\setup.exe" -l0x9
muvee autoProducer unPlugged 1.1 - HPD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B1931B3A-29E9-4F91-9B61-BE2CF05E84F1}\setup.exe" -l0x9
Office 2003 Tour --> MsiExec.exe /I{BE9FEFBA-F2F8-468B-A108-4356F73A3E9C}
Otto --> "C:\Program Files\EnglishOtto\uninstallotto.exe"
PC-Doctor 5 for Windows --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{AB61A692-5543-4C48-979B-8CEA1C52FE9C} /l1033
Polar Bowler from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\1FFA88DF-0AC3-4D9E-9139-5FF98813C12C\Uninstall.exe"
Polar Golfer from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\55275778-F7D9-4BA0-95F4-DEFD71ADDFD9\Uninstall.exe"
ProtectDisc Driver, Version 11 --> C:\Program Files\ProtectDisc Driver Installer\uninstall_v11.exe
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
Puzzle Express from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\0814ADC6-5B36-4144-A8EA-439C36B1BB11\Uninstall.exe"
Python 2.2 pywin32 extensions (build 203) --> "C:\Python22\Removepywin32.exe" -u "C:\Python22\pywin32-wininst.log"
Python 2.2.3 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
Quicken 2005 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2DBE41DD-2129-4C65-A3D3-5647236A60F3} anything
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Ricochet Lost Worlds from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\0AA27562-3C4E-4860-8742-7ADEBE2EFC43\Uninstall.exe"
SCRABBLE Blast from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\2BA80327-9385-4EC8-9796-47C49BD73352\Uninstall.exe"
SCRABBLE from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\B7217206-A362-446B-A0F7-A2622B82F821\Uninstall.exe"
SCRABBLE Rack Attack from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\EC03679F-C9F0-46E8-864D-FCCF83F4EB86\Uninstall.exe"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shrek 2 Ogre Bowler from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\581538B9-2ED3-45E2-96CB-22AD8F811D2A\Uninstall.exe"
Slingo Deluxe from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\E0998E52-9D08-4AEE-A4F5-0BB1D8537F6E\Uninstall.exe"
Slyder from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\600C800C-5985-4E74-AFE7-571001AC3FA4\Uninstall.exe"
Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Super Granny from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\0C20CAB1-F8BC-4AC1-A796-535B005C1B83\Uninstall.exe"
Swarm from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\133F647D-B454-42BC-ADBE-387482A29B88\Uninstall.exe"
Tradewinds from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\B3FF79F4-CDA8-4845-A7C0-9CE017719F36\Uninstall.exe"
Update Rollup 2 for Windows XP Media Center Edition 2005 -->
Updates from HP (remove only) --> C:\WINDOWS\HPCPCUninstall-9972322\HPBWSetup.exe -appid 9972322 -uninstall
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows XP Media Center Edition 2005 KB908250 --> "C:\WINDOWS\$NtUninstallKB908250$\spuninst\spuninst.exe"
Yahoo! SiteBuilder --> "C:\Program Files\Yahoo SiteBuilder\uninstall.exe"
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type154 / Error
Event Submitted/Written: 07/10/2008 10:08:21 AM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 201349564.

Event Record #/Type153 / Error
Event Submitted/Written: 07/10/2008 10:08:11 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application hpqimzone.exe, version 53.0.13.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type144 / Success
Event Submitted/Written: 07/10/2008 03:48:17 AM
Event ID/Source: 1 / Media Center Receiver
Event Description:
Service registration successful.

Event Record #/Type125 / Warning
Event Submitted/Written: 07/09/2008 10:44:39 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{91120409-6000-11D3-8CFE-0050048383C9}', feature 'WordMacrosFiles' failed during request for component '{4421A6E0-A07C-11D1-A45D-0000F8027324}'

Event Record #/Type123 / Error
Event Submitted/Written: 07/09/2008 10:33:47 PM
Event ID/Source: 11706 / MsiInstaller
Event Description:
Product: Microsoft Office XP Standard -- Error 1706. Setup cannot find the required files. Check your connection to the network, or CD-ROM drive. For other potential solutions to this problem, see C:\Program Files\Microsoft Office\Office10\1033\SETUP.HLP.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type673 / Warning
Event Submitted/Written: 07/10/2008 05:27:14 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type671 / Error
Event Submitted/Written: 07/10/2008 04:06:19 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type670 / Error
Event Submitted/Written: 07/10/2008 04:04:58 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type664 / Warning
Event Submitted/Written: 07/10/2008 09:53:37 AM
Event ID/Source: 20 / Print
Event Description:
Printer Driver Amyuni Document Converter 2.50 for Windows NT x86 Version-3 was added or updated. Files:- acpdf250.dll, acpdfui250.dll, acfpdf.txt.

Event Record #/Type419 / Warning
Event Submitted/Written: 07/10/2008 02:35:20 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.



-- End of Deckard's System Scanner: finished at 2008-07-10 23:03:56 ------------

Okay, that's it. Thanks so much.
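The way this thread works through the logs, looking for entries created inside the infection window and checking their attributes, can be scripted. The following Python script is an added example, not part of the original thread and not Deckard's System Scanner's own code: it parses lines in the format DSS prints in its "New files/folders" and "Find3M" reports (timestamp, size, nine-character attribute string, path), keeps the entries inside a given time window and attaches review flags. The listing it runs on is constructed for the example (the file example_only.dll does not exist on the page), the SUSPICIOUS_DIRS list, the flag names and the function names are the example's own assumptions, and only the attribute columns that are visible in the log above (d, r, a, h, s) are interpreted.

```python
"""Triage a DSS-style date-stamped file listing (added example, not DSS code)."""
import re

# One DSS listing line: timestamp, size, 9-character attribute string, path.
# Attribute positions interpreted: 0=d(irectory) 1=r(ead-only) 2=a(rchive)
# 3=h(idden) 4=s(ystem); the remaining four positions are not interpreted.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+"
    r"([d-][r-][a-][h-][s-][^\s]{4})\s+(.+)$"
)

# Assumed heuristic: a freshly written executable under one of these
# directories is worth checking (publisher, hash), not automatically malicious.
SUSPICIOUS_DIRS = (
    "\\local settings\\temp\\",
    "\\temporary internet files\\",
    "\\windows\\system32\\",
    "\\windows\\",
)
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".com", ".scr", ".vbs", ".js", ".bat")

# Constructed sample in the DSS format; "example_only.dll" is a placeholder.
SAMPLE_LISTING = """\
-- Find3M Report ---------------------------------------------------------------

2008-07-07 03:26:19 0 dr-hs---- C:\\WINDOWS\\system32\\dllcache
2008-07-07 02:28:41 112954 --a------ C:\\WINDOWS\\hpoins07.dat
2008-07-07 02:25:32 0 dr-hs---- C:\\cmdcons
2008-07-06 23:51:44 0 d-------- C:\\VundoFix Backups
2008-07-06 21:13:07 40960 --ahs---- C:\\WINDOWS\\system32\\example_only.dll
2008-06-18 23:42:56 0 d-------- C:\\Program Files\\Sun
"""


def parse_listing(text):
    """Yield (timestamp, size, attrs, path) for every well-formed listing line;
    section headers, blank lines and free text are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), m.group(4)


def triage(text, start, end):
    """Return entries whose timestamp lies in [start, end] (both given as
    'YYYY-MM-DD HH:MM:SS' strings), oldest first, each with review flags.
    ISO timestamps order correctly as plain strings, so no date parsing."""
    hits = []
    for ts, size, attrs, path in parse_listing(text):
        if not (start <= ts <= end):
            continue
        flags = []
        is_dir = attrs[0] == "d"
        if attrs[3] == "h":
            flags.append("hidden")
        if attrs[4] == "s":
            flags.append("system")
        low = path.lower()
        if not is_dir and low.endswith(EXECUTABLE_EXT) and any(d in low for d in SUSPICIOUS_DIRS):
            flags.append("new executable under a system or temp directory")
        if not is_dir and size == 0:
            flags.append("zero-byte file")
        hits.append({"time": ts, "size": size, "attrs": attrs, "path": path, "flags": flags})
    hits.sort(key=lambda h: h["time"])
    return hits


def flagged(hits):
    """Only the entries that carry at least one flag."""
    return [h for h in hits if h["flags"]]


if __name__ == "__main__":
    for h in triage(SAMPLE_LISTING, "2008-07-06 20:00:00", "2008-07-07 05:00:00"):
        print(h["time"], h["attrs"], h["path"], "; ".join(h["flags"]))
```

The flags are prompts for a human, not verdicts: C:\cmdcons and C:\WINDOWS\system32\dllcache come out as hidden+system too, and both are normal Windows directories (Recovery Console and the protected-file cache). The useful output is the short list of things created in the window that you cannot explain, which is exactly the list to look up or submit for scanning.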

#4 SarvatiTN
  • Topic Starter
  • Members
  • 6 posts

Posted 10 July 2008 - 11:14 PM

Also, another thing that started today: my Task Manager shows that "javaw.exe" is using huge amounts of memory, 132,000 or so. I don't remember seeing it on my process list before, especially not using that kind of memory. I did install Yahoo! SiteBuilder yesterday. Today the program is hanging up. I thought maybe it was because of the javaw program, but I have no clue. Thanks so much for the assistance.

#5 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 11 July 2008 - 03:29 PM

Hopefully this next step will help resolve that issue with javaw.exe.

You are running an older version of Java. This can be a security risk so let's get you the latest version.
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

================


Download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.


================



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Please post a new log from DSS.
How is your computer behaving now?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
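The note in the post above describes the trick Flash_Disinfector relies on: if a directory called autorun.inf already occupies a drive root, malware cannot drop an autorun.inf file of that name there, so an infected USB stick or card cannot seed the next machine through Autorun. The Python script below is an added example that reproduces that check and fix by hand; it is not Flash_Disinfector's code and not part of the original post. It classifies what sits at a drive root, extracts the command-type entries (open=, shellexecute=, shell\...\command=) from an existing autorun.inf file so you can see what it would have launched (compare the E:\start.exe /checksection entry in the DSS registry dump), renames a found file instead of deleting it, and then creates the blocking directory. The function names, status strings, the ".quarantined" suffix and the constructed autorun.inf it writes in a scratch directory are the example's own; the hidden/system/read-only attributes are only set on Windows, via SetFileAttributesW.

```python
"""Inspect and protect a drive root against autorun.inf abuse (added example)."""
import os
import sys

FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04


def inspect_root(root):
    """Classify the autorun.inf entry at a drive root.
    "absent": nothing there; "protected": a directory occupies the name;
    "file": a regular autorun.inf file exists and should be reviewed."""
    p = os.path.join(root, "autorun.inf")
    if os.path.isdir(p):
        return "protected"
    if os.path.lexists(p):
        return "file"
    return "absent"


def autorun_commands(root):
    """Return (key, value) pairs from the [autorun] section that launch
    something: open=, shellexecute= and shell\\<verb>\\command=."""
    p = os.path.join(root, "autorun.inf")
    if not os.path.isfile(p):
        return []
    cmds, section = [], None
    with open(p, "r", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith(";"):
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1].lower()
                continue
            if section != "autorun" or "=" not in line:
                continue
            key, val = (s.strip() for s in line.split("=", 1))
            k = key.lower()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
                cmds.append((key, val))
    return cmds


def protect_root(root):
    """Make autorun.inf at root a directory; returns the status found before.
    An existing file is renamed to autorun.inf.quarantined (kept for review,
    not deleted); on Windows the new directory is marked hidden+system+read-only."""
    before = inspect_root(root)
    p = os.path.join(root, "autorun.inf")
    if before == "file":
        os.replace(p, p + ".quarantined")
    if before != "protected":
        os.mkdir(p)
        if sys.platform == "win32":
            import ctypes
            ctypes.windll.kernel32.SetFileAttributesW(
                p, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_READONLY)
    return before


def demo(root=None):
    """Run the workflow against a constructed autorun.inf in a scratch
    directory (no real drive is touched) and return what was observed."""
    import tempfile
    root = root or tempfile.mkdtemp(prefix="autorun_demo_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:   # constructed sample
        fh.write("[autorun]\r\nopen=start.exe /checksection\r\nicon=setup.exe,0\r\n")
    obs = {"before": inspect_root(root), "cmds": autorun_commands(root)}
    obs["protect_returned"] = protect_root(root)
    obs["after"] = inspect_root(root)
    obs["quarantined"] = os.path.isfile(os.path.join(root, "autorun.inf.quarantined"))
    obs["second_run"] = protect_root(root)   # already protected: no change
    return obs


if __name__ == "__main__":
    # Usage: python autorun_guard.py E:\ F:\ G:\   (drive roots to check)
    for r in sys.argv[1:] or [None]:
        if r is None:
            print(demo())
            continue
        for key, val in autorun_commands(r):
            print(f"{r}: autorun.inf {key}={val}")
        print(f"{r}: {protect_root(r)} -> {inspect_root(r)}")
```

Two caveats a practitioner would want: the directory is a deterrent, not a guarantee, because malware already running with administrator rights can remove it; and it only blocks the file-drop side. Autorun itself is a Windows setting (the NoDriveTypeAutoRun policy), and turning it off for removable and optical drives protects against the same class of worm even where no blocking directory exists.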

#6 SarvatiTN
  • Topic Starter
  • Members
  • 6 posts

Posted 12 July 2008 - 01:16 PM

Here's the Kaspersky log:

Saturday, July 12, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, July 12, 2008 07:58:42
Records in database: 944071


Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area: My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan statistics
Files scanned: 228796
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 04:39:11

File name / Threat name / Threats count
C:\Program Files\Online Services\AOL\United States\AOL90\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S1YR8XU7\kb456456[1] Infected: Trojan.Win32.Monder.alh 1

The selected area was scanned.



I don't know if the program disinfected those two items or not, but my computer has been running better. I was getting these video popups that I had not asked for, and they would say "click here to install media video codec". I would just close the page under the Task Manager to get rid of them.

Thanks so much for the assistance. I will try the computer out today and see how it does.

#7 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 12 July 2008 - 05:06 PM

Make sure you run DSS once again and post that log back here also.

#8 SarvatiTN
  • Topic Starter
  • Members
  • 6 posts

Posted 12 July 2008 - 08:35 PM

Deckard's System Scanner v20071014.68
Run by HP_Administrator on 2008-07-12 20:31:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as HP_Administrator.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:31:08 PM, on 7/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\HP_Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP_ADM~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [TrayServer] C:\Program Files\MAGIX\Movie_Edit_Pro_14\TrayServer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1215454362312
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 6184 bytes

-- Files created between 2008-06-12 and 2008-07-12 -----------------------------

2008-07-12 02:08:18 0 drahs---- C:\autorun.inf
2008-07-11 20:56:52 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\acccore
2008-07-11 00:15:12 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Uniblue
2008-07-10 19:22:46 0 d-------- C:\Program Files\ProtectDisc Driver Installer
2008-07-10 19:22:18 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\MAGIX
2008-07-10 19:14:39 44544 --a------ C:\WINDOWS\system32\msxml4a.dll <Not Verified; Microsoft Corporation; Microsoft® MSXML 4.0 SP1>
2008-07-10 19:14:38 24576 --a------ C:\WINDOWS\system32\TTIC32.dll <Not Verified; PoINT Software & Systems GmbH; TTIC32>
2008-07-10 19:14:38 24576 --a------ C:\WINDOWS\system32\TTI32.dll <Not Verified; PoINT Software & Systems GmbH; TTI32>
2008-07-10 19:14:38 32768 --a------ C:\WINDOWS\system32\STRING32.dll <Not Verified; PoINT Software & Systems GmbH; STRING32>
2008-07-10 19:14:38 430080 --a------ C:\WINDOWS\system32\MXRestore.exe <Not Verified; MAGIX AG; MAGIX Restore>
2008-07-10 19:14:38 57344 --a------ C:\WINDOWS\system32\DLLTPO32.dll <Not Verified; PoINT Software & Systems GmbH; DLLTPO32>
2008-07-10 19:14:38 192512 --a------ C:\WINDOWS\system32\DLLRES32.dll <Not Verified; PoINT Software & Systems GmbH; DLLRES32>
2008-07-10 19:14:38 40960 --a------ C:\WINDOWS\system32\DLLRD32.dll <Not Verified; PoINT Software & Systems GmbH; DLLRD32>
2008-07-10 19:14:38 65536 --a------ C:\WINDOWS\system32\DLLPTL32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPTL32>
2008-07-10 19:14:38 53248 --a------ C:\WINDOWS\system32\DLLPRJ32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPRJ32>
2008-07-10 19:14:38 49152 --a------ C:\WINDOWS\system32\DLLPRF32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPRF32>
2008-07-10 19:14:38 36864 --a------ C:\WINDOWS\system32\DLLPNT32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPNT32>
2008-07-10 19:14:38 32768 --a------ C:\WINDOWS\system32\DLLMSC32.dll <Not Verified; PoINT Software & Systems GmbH; DLLMSC32>
2008-07-10 19:14:38 24576 --a------ C:\WINDOWS\system32\DLLIX.dll <Not Verified; PoINT Software & Systems GmbH; DLLIX>
2008-07-10 19:14:38 32768 --a------ C:\WINDOWS\system32\DLLISO32.dll <Not Verified; PoINT Software & Systems GmbH; DLLISO32>
2008-07-10 19:14:38 53248 --a------ C:\WINDOWS\system32\DLLIO32.dll <Not Verified; PoINT Software & Systems GmbH; DLLIO32>
2008-07-10 19:14:38 45056 --a------ C:\WINDOWS\system32\DLLIMG32.dll <Not Verified; PoINT Software & Systems GmbH; DLLIMG32>
2008-07-10 19:14:38 151552 --a------ C:\WINDOWS\system32\DLLDRV32.dll <Not Verified; PoINT Software & Systems GmbH; DLLDRV32>
2008-07-10 19:14:38 32768 --a------ C:\WINDOWS\system32\DLLDIR32.dll <Not Verified; PoINT Software & Systems GmbH; DLLDIR32>
2008-07-10 19:14:38 167936 --a------ C:\WINDOWS\system32\DLLDEV32.dll <Not Verified; PoINT Software & Systems GmbH; DLLDEV32>
2008-07-10 19:14:38 98304 --a------ C:\WINDOWS\system32\DLLCPY32.dll <Not Verified; PoINT Software & Systems GmbH; DLLCPY32>
2008-07-10 19:14:38 61440 --a------ C:\WINDOWS\system32\DLLCDF32.dll <Not Verified; PoINT Software & Systems GmbH; DLLCDF32>
2008-07-10 19:14:38 114688 --a------ C:\WINDOWS\system32\DLLCDA32.dll <Not Verified; PoINT Software & Systems GmbH; PoINT CDarchive for Windows>
2008-07-10 19:14:38 618496 --a------ C:\WINDOWS\system32\DLLAV32.dll <Not Verified; PoINT Software & Systems GmbH; PoINT CD/DVD Audio/Video SDK for Windows>
2008-07-10 19:02:45 120200 --a------ C:\WINDOWS\system32\DLLDEV32i.dll <Not Verified; ; DLLDEV32i>
2008-07-10 18:59:34 700416 --a------ C:\WINDOWS\system32\mgxoschk.dll <Not Verified; MAGIX AG; mgxoschk>
2008-07-10 18:59:34 0 d-------- C:\WINDOWS\system32\MAGIX
2008-07-10 09:53:42 0 d-------- C:\WINDOWS\Hewlett-Packard
2008-07-10 09:53:37 1617920 --a------ C:\WINDOWS\system32\cdintf250.dll <Not Verified; Amyuni Technologies http://www.amyuni.com; Amyuni Common Driver Interface>
2008-07-10 03:21:07 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-09 15:27:55 0 d-------- C:\Program Files\Yahoo SiteBuilder
2008-07-09 03:00:52 0 d-------- C:\WINDOWS\system32\PreInstall
2008-07-09 02:16:46 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Leadertech
2008-07-08 14:36:16 0 d-------- C:\Program Files\Windows Live Safety Center
2008-07-08 12:50:12 0 d-------- C:\Program Files\Trend Micro
2008-07-08 12:41:03 68096 --a------ C:\WINDOWS\zip.exe
2008-07-08 12:41:03 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-08 12:41:03 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-08 12:41:03 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-08 12:41:03 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-08 12:41:03 98816 --a------ C:\WINDOWS\sed.exe
2008-07-08 12:41:03 80412 --a------ C:\WINDOWS\grep.exe
2008-07-08 12:41:03 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-08 02:09:03 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Sun
2008-07-08 00:41:15 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes
2008-07-08 00:41:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-08 00:41:09 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-07 15:45:46 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
2008-07-07 13:29:44 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\ESET
2008-07-07 13:27:02 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-07-07 12:30:57 0 d-------- C:\WINDOWS\system32\appmgmt
2008-07-07 12:00:06 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-07-07 04:15:19 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Macromedia
2008-07-07 04:15:19 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Intuit
2008-07-07 04:15:19 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Identities
2008-07-07 04:15:19 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\ATI
2008-07-07 04:15:19 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Apple Computer
2008-07-07 04:15:19 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Adobe
2008-07-07 04:15:18 0 d-------- C:\Documents and Settings\HP_Administrator\WINDOWS
2008-07-07 04:15:18 0 d--h----- C:\Documents and Settings\HP_Administrator\Templates
2008-07-07 04:15:18 0 dr------- C:\Documents and Settings\HP_Administrator\Start Menu
2008-07-07 04:15:18 0 dr-h----- C:\Documents and Settings\HP_Administrator\SendTo
2008-07-07 04:15:18 0 d--h----- C:\Documents and Settings\HP_Administrator\PrintHood
2008-07-07 04:15:18 1835008 --a------ C:\Documents and Settings\HP_Administrator\NTUSER.DAT
2008-07-07 04:15:18 0 d--h----- C:\Documents and Settings\HP_Administrator\NetHood
2008-07-07 04:15:18 0 dr------- C:\Documents and Settings\HP_Administrator\My Documents
2008-07-07 04:15:18 0 d--h----- C:\Documents and Settings\HP_Administrator\Local Settings
2008-07-07 04:15:18 0 dr------- C:\Documents and Settings\HP_Administrator\Favorites
2008-07-07 04:15:18 0 d-------- C:\Documents and Settings\HP_Administrator\Desktop
2008-07-07 04:15:18 0 d---s---- C:\Documents and Settings\HP_Administrator\Cookies
2008-07-07 04:15:18 0 dr-h----- C:\Documents and Settings\HP_Administrator\Application Data
2008-07-07 04:15:18 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Symantec
2008-07-07 04:15:18 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\SampleView
2008-07-07 04:15:18 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Real
2008-07-07 04:10:58 0 d-------- C:\Documents and Settings\Default User\Application Data\Macromedia
2008-07-07 04:10:58 0 d-------- C:\Documents and Settings\Default User\Application Data\Adobe
2008-07-07 03:26:19 0 dr-hs---- C:\WINDOWS\system32\dllcache
2008-07-07 02:34:37 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\HPQ
2008-07-07 02:29:19 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\HP
2008-07-07 02:25:45 0 dr-h----- C:\Documents and Settings\HP_Administrator\Recent
2008-07-07 02:25:43 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Help
2008-07-07 02:25:32 0 dr-hs---- C:\cmdcons
2008-07-07 02:24:58 0 d-------- C:\WINDOWS\setupupd
2008-07-06 23:51:44 0 d-------- C:\VundoFix Backups
2008-07-06 23:16:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-07-03 13:59:22 0 d-------- C:\SMCLpav
2008-07-03 13:13:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-07-03 13:13:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-18 23:42:56 0 d-------- C:\Program Files\Sun


-- Find3M Report ---------------------------------------------------------------

2008-07-12 02:04:34 0 d-------- C:\Program Files\Java
2008-07-10 23:32:36 0 d-------- C:\Program Files\Easy Internet signup
2008-07-10 09:54:35 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-10 09:50:05 0 d-------- C:\Program Files\HP
2008-07-07 13:06:20 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-07-07 12:34:53 0 d-------- C:\Program Files\Common Files\Panda Software
2008-07-07 12:31:54 0 d-------- C:\Program Files\Symantec
2008-07-07 12:30:53 0 d-------- C:\Program Files\Common Files
2008-07-07 02:28:41 112954 --a------ C:\WINDOWS\hpoins07.dat
2008-07-04 22:43:48 0 d-------- C:\Program Files\Schmap
2008-07-04 22:04:58 0 d-------- C:\Program Files\DVDFab Decrypter 3
2008-06-22 03:02:01 0 d-------- C:\Program Files\Viewpoint
2008-06-10 22:17:33 0 d-------- C:\Program Files\MySpace
2008-06-09 13:01:39 0 d-------- C:\Program Files\Common Files\MAGIX Shared
2008-05-24 14:52:57 0 d-------- C:\Program Files\MAGIX


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [08/10/2005 09:33 AM]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [06/02/2005 01:35 AM]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [02/26/2005 12:34 AM]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [06/10/2008 06:52 PM]
"TrayServer"="C:\Program Files\MAGIX\Movie_Edit_Pro_14\TrayServer.exe" [12/04/2007 12:34 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/18/2005 06:08 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/18/2005 05:54 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 06:24 PM]
"Ncr"="" []
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 07:00 AM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [01/03/2008 11:15 AM]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/12/2005 8:23:26 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)




-- End of Deckard's System Scanner: finished at 2008-07-12 20:31:32 ------------

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:50 AM

Posted 13 July 2008 - 09:31 AM

Your log looks pretty good. As long as you are not having any issues, I'd say you are clean. :)

Now it's time to clean up.
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable System Restore with the instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :)
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


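The six Internet Explorer Custom Level settings in the post above are stored as DWORD values under the Internet zone key, `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3`, with 0 = Enable, 1 = Prompt and 3 = Disable. As an added example (not from the post or from BleepingComputer), the script below checks a snapshot of those values against the levels the post recommends and renders a `.reg` file that applies them. The value-name mapping (1001, 1004, 1201, 1800, 1804, 1607) follows Microsoft's article on security-zone registry entries (KB182569); verify it against that article before relying on it. The weak snapshot is constructed for illustration, and `read_live()` is the only part that needs Windows.

```python
"""Audit and harden the IE Internet-zone settings recommended in the post above.

Value names and levels follow Microsoft's security-zone registry documentation
(KB182569): 0 = Enable, 1 = Prompt, 3 = Disable. Lower number = more permissive.
"""
from __future__ import annotations

import sys

ZONES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"  # 3 = Internet zone
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# value name -> (UI label, level the post asks for)
REQUIRED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def audit(current: dict[str, int]) -> list[tuple[str, str, str, str]]:
    """Return (value, label, current level, required level) for every setting that is
    weaker than required. A missing value is reported as 'unset' because IE then falls
    back to the zone template, so it should be set explicitly."""
    weak = []
    for value, (label, required) in REQUIRED.items():
        have = current.get(value)
        if have is None or have < required:
            weak.append((value, label, LEVEL_NAMES.get(have, "unset"), LEVEL_NAMES[required]))
    return weak


def reg_file(hive: str = "HKEY_CURRENT_USER") -> str:
    """Render a .reg file that applies the required levels as REG_DWORD values."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{hive}\\{ZONES_KEY}]"]
    for value, (_label, level) in REQUIRED.items():
        lines.append(f'"{value}"=dword:{level:08x}')
    return "\n".join(lines) + "\n"


def read_live() -> dict[str, int]:
    """Read the current user's Internet-zone values (Windows only)."""
    import winreg  # only importable on Windows

    out: dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONES_KEY) as key:
        for value in REQUIRED:
            try:
                data, kind = winreg.QueryValueEx(key, value)
            except FileNotFoundError:
                continue
            if kind == winreg.REG_DWORD:
                out[value] = int(data)
    return out


# Constructed snapshot of a permissive zone: signed/unsigned downloads and unsafe
# scripting opened up, 1607 never set. Not taken from the machine in the thread.
WEAK_SNAPSHOT = {"1001": ENABLE, "1004": PROMPT, "1201": ENABLE, "1800": PROMPT, "1804": PROMPT}
HARDENED = {value: level for value, (_label, level) in REQUIRED.items()}

if __name__ == "__main__":
    snapshot = read_live() if sys.platform == "win32" else WEAK_SNAPSHOT
    for value, label, have, want in audit(snapshot):
        print(f"{value} {label}: {have} -> set to {want}")
    print(reg_file())
```

Two caveats when applying this: the `.reg` file changes only the user it is imported under, and if the `Security_HKLM_only` policy is set, IE reads the `Zones` key under `HKEY_LOCAL_MACHINE` instead, so audit that hive as well (`reg_file("HKEY_LOCAL_MACHINE")` renders the same values there).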


========================================================

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:50 AM

Posted 25 July 2008 - 06:42 AM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.




========================================================



