Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan.Zlob.G infection


  • This topic is locked This topic is locked
34 replies to this topic

#1 anthony914

anthony914

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:12:35 AM

Posted 07 December 2008 - 01:50 AM

What happened first was my computer started to close all programs and then it restarted. upon restart I received a message that said i was infected with trojan.zlob.g and gave me the option to 'enable protection' i did not click that.
here is my hijack this log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:51 PM, on 12/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Smax4] "C:\Documents and Settings\HP_Administrator\Application Data\Google\kjzna1562565.exe"
O4 - S-1-5-18 Startup: DesktopVideoPlayer.LNK = C:\Program Files\vghd\vghd.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: DesktopVideoPlayer.LNK = C:\Program Files\vghd\vghd.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: DesktopVideoPlayer.LNK = C:\Program Files\vghd\vghd.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF62BB3E-3067-490A-8D10-43068B59A8AB}: NameServer = 68.87.69.146,68.87.85.98
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12161 bytes

BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:35 AM

Posted 12 December 2008 - 07:04 AM

Hi anthony914,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Tell me if you have run any other tools and post the logs if you have them. Please give a description about the current condition of your computer and the problem you are facing.

  • We need to see some information about what is happening in your machine. Please perform the following scan:
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results. Save the result to a notepad text file and click yes to the Optional_Scan
  • Save the scan result and copy and paste both logs to your replay.
Please note: If the scanner fails to run. Disconnect from the internet and disable all antivirus protection. Run the scan, enable your antivirus and reconnect to the internet. Information on antivirus control HERE


#3 anthony914

anthony914
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:12:35 AM

Posted 12 December 2008 - 06:19 PM

1. I have combofix, should i run that?
Basically what happened is my computer radomly began to restart and then when it turned back on i got a security waring that will keeps coming back even after i close it. a screen shot is attached
2. DDS log


DDS (Version 1.0.1) - NTFSx86
Run by HP_Administrator at 15:10:39.82 on Fri 12/12/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1475 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\HP_Administrator\Application Data\Google\kjzna1562565.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\vghd\vghd.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\eHome\ehmsas.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
K:\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\common files\symantec shared\coshared\browser\2.0\coIEPlg.dll
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [Smax4] "c:\documents and settings\hp_administrator\application data\google\kjzna1562565.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\deskto~1.lnk - c:\program files\vghd\vghd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {FF62BB3E-3067-490A-8D10-43068B59A8AB} = 68.87.69.146,68.87.85.98
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;\??\c:\program files\avira\antivir personaledition classic\avgio.sys [2008-9-20 11840]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;"c:\program files\avira\antivir personaledition classic\sched.exe" [2008-9-20 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;"c:\program files\avira\antivir personaledition classic\avguard.exe" [2008-9-20 151297]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2007-8-24 149352]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2007-8-24 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2007-8-24 149352]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2008-1-17 24652]
R3 avgntflt;avgntflt;\??\c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-9-20 52032]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-8-18 99376]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\drivers\COH_Mon.sys [2007-5-29 23888]
S3 EraserUtilDrv10633;EraserUtilDrv10633;\??\c:\program files\common files\symantec shared\eengine\EraserUtilDrv10633.sys []
S3 mam4410c;mam4410c;c:\windows\system32\drivers\mam4410c.sys [2008-6-18 24784]
S3 mam4410m;mam4410m;c:\windows\system32\drivers\mam4410m.sys [2008-6-18 25044]
S3 mam4410u;mam4410u;c:\windows\system32\drivers\mam4410u.sys [2008-6-18 52309]
S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20080822.053\NAVENG.SYS [2008-8-23 89104]
S3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20080822.053\NAVEX15.SYS [2008-8-23 873552]
S3 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" [2008-8-17 1251720]

=============== Created Last 30 ================

2008-12-12 15:07 <DIR> --d----- C:\ComboFix
2008-12-12 15:07 388,608 a------- c:\windows\system32\CF14344.exe
2008-12-12 15:07 388,608 a------- c:\windows\system32\CF14338.exe
2008-12-06 22:47 <DIR> --d----- c:\program files\Trend Micro
2008-12-05 17:42 <DIR> --d----- c:\program files\NVIDIA Corporation
2008-12-05 17:41 <DIR> --d----- c:\program files\NVIDIA nTune Performance Application
2008-12-04 18:08 <DIR> --d----- c:\windows\system32\appmgmt
2008-12-04 17:38 32,592 a------- c:\windows\system32\msonpmon.dll
2008-12-04 17:31 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2008-12-04 17:30 <DIR> --d----- c:\windows\SHELLNEW
2008-11-25 19:47 33,846 a------- c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.bmp
2008-11-25 19:47 2,987 a------- c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2008-11-25 19:46 513,400 a------- c:\windows\system32\SpoonUninstall.exe
2008-11-25 19:46 33,846 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.bmp
2008-11-25 19:46 13,785 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2008-11-25 19:46 <DIR> --d----- c:\program files\Illustrate
2008-11-25 15:38 7,533 a------- c:\windows\system32\dopdf6.ctm
2008-11-25 15:38 20,632 a------- c:\windows\system32\dopdfmn6.dll
2008-11-25 15:38 18,072 a------- c:\windows\system32\dopdfmi6.dll
2008-11-25 15:38 <DIR> --d----- c:\program files\Softland
2008-11-25 07:00 <DIR> --d----- c:\program files\iPod
2008-11-25 07:00 <DIR> --d----- c:\program files\iTunes
2008-11-25 07:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-18 19:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2008-11-16 13:33 <DIR> --d----- C:\BMW M3 Challenge

==================== Find3M ====================

2008-12-02 00:00 7,162 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2008-11-02 11:22 152,904 a------- c:\windows\system32\vghd.scr
2008-10-24 20:54 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-24 20:54 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2008-10-24 20:54 10,671 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-24 20:54 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-10-24 03:10 453,632 a------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-24 03:10 453,632 -------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 08:57 332,800 a------- c:\windows\system32\dllcache\netapi32.dll
2008-10-03 09:41 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-20 12:57 118,784 a------- c:\windows\system32\blphcpmvj0ej3t.scr
2008-09-15 03:57 1,846,016 a------- c:\windows\system32\win32k.sys
2008-09-15 03:57 1,846,016 a------- c:\windows\system32\dllcache\win32k.sys

============= FINISH: 15:11:12.87 ===============

Attached Files


Edited by anthony914, 12 December 2008 - 06:23 PM.


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:35 AM

Posted 12 December 2008 - 07:21 PM

Hi again,

Please copy and paste the logs to your reply unless it is asked otherwise. Thanks.

Your log(s) show that you are using so called peer-to-peer or file-sharing programs. These programs allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

Removal Instructions
  • Please tell me if VirtuaGirl HD is installed on your computer with your consent.

  • I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
    1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
    2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
    If your Norton Internet Security has subscription you might keep it as it has also a firewall and uninstall Avira. If you wanted to keep Avira you need also to install a firewall later on. Please tell me your decision. Avira can be uninstalled from Add/Remove Programs but Norton should be removed with a removal tool I'll provide you.

  • You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do.
    • First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instruction is also here: How to disable TeaTimer during HijackThis Cleanup

      Note:If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
    • Then download ResetTeaTimer.exe to your desktop. (In case you use Firefox, rightclick the link and choose "Save Link As").
      • Doubleclick ResetTeaTimer.exe and let it run.
    This will only take a few seconds.

  • Open notepad (start-all programs-accessories-notepad). Copy and paste the text in the code box into the notepad.

    @ECHO OFF
    attrib -h -r -s c:\windows\Tasks\At*.job
    del /q c:\windows\Tasks\At*.job
    del remove.bat
    • Select save in:desktop
    • Fill in File name: remove.bat
    • Save as type: All file types (*.*)
    • Click Save and close the Notepad.
    • Double-click remove.bat on the desktop.
  • Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

    Please download SDFix by AndyManchesta and save it to your desktop.
    When using this tool, you must use the Administrator's account or an account with "Administrative rights"
    • Double click SDFix.exe and it will extract the files to %systemdrive%
    • (this is the drive that contains the Windows Directory, typically C:\SDFix).
    • DO NOT use it just yet.
    Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

    Open the SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Copy and paste the contents of the results file Report.txt in your next reply.
  • Please download Malwarebytes' Anti-Malware from MajorGeeks
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


  • A fresh first log of DDS. The second log is not required.
Please copy/paste in your next reply:
  • Feedback about the questions asked.
  • The SDFix log.
  • The log of MBAM.
  • A fresh DDS log.
  • Any comment or feedback about how it went.


#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:35 AM

Posted 12 December 2008 - 08:23 PM

You asked if you should run Combofix. I see from the screenshot it was preparing to scan the system. Please wait on it until the next post.

#6 anthony914

anthony914
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:12:35 AM

Posted 13 December 2008 - 03:49 PM

When i try to run MBAM it says there is no database so it starts its update and then a box pops up and says MBAM has encountered a problem and needs to close.

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:35 AM

Posted 14 December 2008 - 07:19 AM

Please post what you have up to now.

So I suppose you could install MBAM? Please tell from in detail how it went and when MBAM refused to run.

#8 anthony914

anthony914
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:12:35 AM

Posted 15 December 2008 - 07:05 PM

Here is the SDfix log:

SDFix: Version 1.240
Run by HP_Administrator on Fri 12/12/2008 at 07:24 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default ScreenSaver value

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\blphcpmvj0ej3t.scr - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-12 22:00:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\DISC\\DISCover.exe"="C:\\Program Files\\DISC\\DISCover.exe:*:Enabled:DISCover Drop & Play System"
"C:\\Program Files\\DISC\\DiscStreamHub.exe"="C:\\Program Files\\DISC\\DiscStreamHub.exe:*:Enabled:DISCover Stream Hub"
"C:\\Program Files\\DISC\\myFTP.exe"="C:\\Program Files\\DISC\\myFTP.exe:*:Enabled:DISCover FTP"
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Enabled:Updates from HP"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:ęTorrent"
"C:\\Documents and Settings\\HP_Administrator\\Desktop\\uTorrent.exe"="C:\\Documents and Settings\\HP_Administrator\\Desktop\\uTorrent.exe:*:Enabled:ęTorrent"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Mozilla Firefox 3 Beta 5\\firefox.exe"="C:\\Program Files\\Mozilla Firefox 3 Beta 5\\firefox.exe:*:Disabled:Firefox"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Enabled:Updates from HP"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 17 Jan 2008 211 A.SHR --- "C:\BOOT.BAK"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 18 Aug 2008 1,832,272 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 9 May 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 9 Feb 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 8 Aug 2007 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Wed 8 Aug 2007 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
Sun 18 Sep 2005 788,568 A..H. --- "C:\Program Files\Online Services\Canada\KOL\client.exe"
Wed 17 Aug 2005 13,459,528 A..H. --- "C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\nsb-install-8-0.exe"
Wed 17 Aug 2005 233,472 A..H. --- "C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\webutil8.exe"
Wed 17 Aug 2005 389,120 A..H. --- "C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\WinsockFix.exe"
Wed 14 Dec 2005 200,704 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\ACST4.DLL"
Tue 22 Nov 2005 81,920 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\AOLFIREWALLMGR.DLL"
Tue 22 Nov 2005 73,728 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\AOLINSTALLERFW.DLL"
Wed 14 Dec 2005 88,064 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\INSTPH.DLL"
Wed 14 Dec 2005 200,704 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\ACST4.DLL"
Tue 22 Nov 2005 81,920 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\AOLFIREWALLMGR.DLL"
Tue 22 Nov 2005 73,728 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\AOLINSTALLERFW.DLL"
Wed 14 Dec 2005 88,064 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\INSTPH.DLL"
Fri 12 Dec 2008 5,946 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE4.tmp"
Sun 18 Sep 2005 77,824 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\acs\AcsInstN.dll"
Sun 18 Sep 2005 6,961,146 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\acs\acsnet.zip"
Sun 18 Sep 2005 3,058,888 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\acs\acssetup.exe"
Sun 18 Sep 2005 307,289 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\asp\aspcheck.dll"
Sun 18 Sep 2005 7,083,361 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\asp\aspsetup.exe"
Wed 21 Sep 2005 1,960,296 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\autoit\autoit-v3.zip"
Sun 18 Sep 2005 550,488 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\deskbar\deskbr.exe"
Sun 18 Sep 2005 553,984 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\flash\FlashAX.exe"
Sun 18 Sep 2005 2,242,759 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\fw\nisale.exe"
Sun 18 Sep 2005 24,064 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\fw\NISChk.dll"
Sun 18 Sep 2005 57,344 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\ocp\ocpchk.dll"
Sun 18 Sep 2005 748,728 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\ocp\ocpinst.exe"
Sun 18 Sep 2005 7,515,304 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\qt\qt.exe"
Sun 18 Sep 2005 86,016 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\qt\QTInsInf.dll"
Sun 18 Sep 2005 45,056 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\rp\RealChk.dll"
Sun 18 Sep 2005 5,111,296 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\rp\RealPl8.EXE"
Sun 18 Sep 2005 4,378,673 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\rp\real_upd.exe"
Sun 18 Sep 2005 360,448 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\rp\rp9codec.exe"
Sun 18 Sep 2005 40,960 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\sysinfo\SiNdInst.dll"
Sun 18 Sep 2005 473,736 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\sysinfo\SinfInst.exe"
Sun 18 Sep 2005 12,288 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\tb\tbinst.dll"
Sun 18 Sep 2005 516,032 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\tb\tbsetup.exe"
Sun 18 Sep 2005 597,080 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\toolbar\toolbr.exe"
Sun 18 Sep 2005 590,688 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\tpspd\TSsetup.exe"
Sun 18 Sep 2005 57,344 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\tpspd\tsverchk.dll"
Sun 18 Sep 2005 49,152 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\vwpt\AOLVPChk.dll"
Sun 18 Sep 2005 61,440 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\vwpt\VPPrePop.exe"
Sun 18 Sep 2005 3,858,056 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\vwpt\Vwpt.exe"

Finished!



here is a DDS log:


DDS (Version 1.0.1) - NTFSx86
Run by HP_Administrator at 15:19:10.26 on Mon 12/15/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1466 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\HP_Administrator\Application Data\Google\kjzna1562565.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\common files\symantec shared\coshared\browser\2.0\coIEPlg.dll
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\deskto~1.lnk - c:\program files\vghd\vghd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {FF62BB3E-3067-490A-8D10-43068B59A8AB} = 68.87.69.146,68.87.85.98
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;\??\c:\program files\avira\antivir personaledition classic\avgio.sys [2008-9-20 11840]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;"c:\program files\avira\antivir personaledition classic\sched.exe" [2008-9-20 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;"c:\program files\avira\antivir personaledition classic\avguard.exe" [2008-9-20 151297]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2007-8-24 149352]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2007-8-24 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2007-8-24 149352]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2008-1-17 24652]
R3 avgntflt;avgntflt;\??\c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-9-20 52032]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-8-18 99376]
R3 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" [2008-8-17 1251720]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\drivers\COH_Mon.sys [2007-5-29 23888]
S3 EraserUtilDrv10633;EraserUtilDrv10633;\??\c:\program files\common files\symantec shared\eengine\EraserUtilDrv10633.sys []
S3 mam4410c;mam4410c;c:\windows\system32\drivers\mam4410c.sys [2008-6-18 24784]
S3 mam4410m;mam4410m;c:\windows\system32\drivers\mam4410m.sys [2008-6-18 25044]
S3 mam4410u;mam4410u;c:\windows\system32\drivers\mam4410u.sys [2008-6-18 52309]
S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20080822.053\NAVENG.SYS [2008-8-23 89104]
S3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20080822.053\NAVEX15.SYS [2008-8-23 873552]

=============== Created Last 30 ================

2008-12-14 18:37 <DIR> --d----- C:\ComboFix
2008-12-13 07:17 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2008-12-13 07:17 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-13 07:17 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-13 07:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-13 07:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-12 19:20 <DIR> --d----- c:\windows\ERUNT
2008-12-12 19:17 <DIR> --d----- C:\SDFix
2008-12-12 15:07 388,608 a------- c:\windows\system32\CF14344.exe
2008-12-12 15:07 388,608 a------- c:\windows\system32\CF14338.exe
2008-12-06 22:47 <DIR> --d----- c:\program files\Trend Micro
2008-12-05 17:42 <DIR> --d----- c:\program files\NVIDIA Corporation
2008-12-05 17:41 <DIR> --d----- c:\program files\NVIDIA nTune Performance Application
2008-12-04 18:08 <DIR> --d----- c:\windows\system32\appmgmt
2008-12-04 17:38 32,592 a------- c:\windows\system32\msonpmon.dll
2008-12-04 17:31 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2008-12-04 17:30 <DIR> --d----- c:\windows\SHELLNEW
2008-11-25 19:47 33,846 a------- c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.bmp
2008-11-25 19:47 2,987 a------- c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2008-11-25 19:46 513,400 a------- c:\windows\system32\SpoonUninstall.exe
2008-11-25 19:46 33,846 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.bmp
2008-11-25 19:46 13,785 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2008-11-25 19:46 <DIR> --d----- c:\program files\Illustrate
2008-11-25 15:38 7,533 a------- c:\windows\system32\dopdf6.ctm
2008-11-25 15:38 20,632 a------- c:\windows\system32\dopdfmn6.dll
2008-11-25 15:38 18,072 a------- c:\windows\system32\dopdfmi6.dll
2008-11-25 15:38 <DIR> --d----- c:\program files\Softland
2008-11-25 07:00 <DIR> --d----- c:\program files\iPod
2008-11-25 07:00 <DIR> --d----- c:\program files\iTunes
2008-11-25 07:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-18 19:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2008-11-16 13:33 <DIR> --d----- C:\BMW M3 Challenge

==================== Find3M ====================

2008-12-02 00:00 7,162 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2008-11-02 11:22 152,904 a------- c:\windows\system32\vghd.scr
2008-10-24 20:54 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-24 20:54 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2008-10-24 20:54 10,671 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-24 20:54 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-10-24 03:10 453,632 a------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-24 03:10 453,632 -------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 08:57 332,800 a------- c:\windows\system32\dllcache\netapi32.dll
2008-10-03 09:41 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll

============= FINISH: 15:19:32.26 ===============

questions:

# Please tell me if VirtuaGirl HD is installed on your computer with your consent.
yes

# I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
If your Norton Internet Security has subscription you might keep it as it has also a firewall and uninstall Avira. If you wanted to keep Avira you need also to install a firewall later on. Please tell me your decision. Avira can be uninstalled from Add/Remove Programs but Norton should be removed with a removal tool I'll provide you.

I want to keep Avira, as the norton doesn't have a subscription

#9 anthony914

anthony914
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:12:35 AM

Posted 15 December 2008 - 07:46 PM

and yes, MBAM did install, but it says it needs to up date because there is no database so i click ok and it starts to update over the internet b ut then it says its needs to close

Edited by anthony914, 15 December 2008 - 07:47 PM.


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:35 AM

Posted 15 December 2008 - 08:45 PM

Please read the instructions carefully before doing it.
  • The TeatTimer is running again and protecting the malware. Please keep it disabled until I give you the clean sign. So please follow the instruction once more, disable it and run ResetTeaTimer.exe to empty its cache from malware entries.

  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKCU\..\Run: [Smax4] "C:\Documents and Settings\HP_Administrator\Application Data\Google\kjzna1562565.exe"


    Optional: The following sites are set to the safe zone. It means that the traffic created by these sites won't be checked by security checkpoints any more. While these site are safe to visit they might not be safe all the time and their traffic better pass through the security checkpoint. If you decided to remove these sites from the trusted zone check the boxes next to the following entries:

    O15 - Trusted Zone: http://*.trymedia.com (HKLM)

    Note: The startup entry pointing at ALCMTR.EXE is an "Sypware" entry related to Realtek used silently to monitor one's actions. It is not a sinister one and you can remove the start up entry without affecting the function of Realtek software. We have just removed the start up entry but not the file itself.Notice that you should not remove the file itself because it is needed for the subsequent updating of the software.

  • Important: Reboot your computer now.

  • Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you remove the program if you are not using it.
    If you decided to uninstall it click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist:

    Viewpoint, Viewpoint Manager, Viewpoint Media Player.

    Also remove the folder in bold: C:\Program Files\Viewpoint

  • To remove Norton please download and run the Norton Removal Tool.

    Note: Norton removal tool is one and the same for all versions named below. It doesn't matter which version you have.

    Warning: The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer. If you use ACT! or WinFAX, back up those databases before you proceed.

  • You forgot to give me feedback about the question I asked about MBAM. We try it once more. See if MBAM is installed and there is a folder here: C:\Program Files\Malwarebytes' Anti-Malware and it that folder there is a file mbam.exe?
    You might have to enable Windows to show the file extensions. To do that:

    Please set your system to show file extensions:
    • Click Start, open Computer, select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Uncheck: Hide file extensions for known file types
    • Click Apply and OK.
    If MBAM is installed open it again, first update it, run a "quick scan", let reboot if needed and copy/paste the log to your reply. If you couldn't run it proceed with the next step.

  • Delete your copy of Combofix from your desktop and download an updated ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  • Please copy and paste a fresh Hijackthis log to your reply.
Please copy/paste in your next reply:
  • The log of MBAM if it run.
  • The Combofix log.
  • A fresh Hijackthis log.
  • Any comment or feedback about how it went.


#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:35 AM

Posted 15 December 2008 - 08:53 PM

I see You have given me feedback in your next post. I'm sorry I've missed it. Something is preventing it, either the malware or the firewall. This time it might run though. If not we are going to use a workaround. Please do the steps in the order they are written.

Thanks for the feedback.

#12 anthony914

anthony914
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:12:35 AM

Posted 15 December 2008 - 10:57 PM

after i check the boxes for those entries in HJT, do i click the "fix checked" button?

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:35 AM

Posted 16 December 2008 - 03:52 AM

Yes pleas, I'm sorry.

#14 anthony914

anthony914
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:12:35 AM

Posted 16 December 2008 - 10:06 PM

MBAM LOG:

Malwarebytes' Anti-Malware 1.31
Database version: 1510
Windows 5.1.2600 Service Pack 2

12/16/2008 6:55:33 PM
mbam-log-2008-12-16 (18-55-33).txt

Scan type: Quick Scan
Objects scanned: 59815
Time elapsed: 5 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\KOcStb7I.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\Google\kjzna1562565.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\Google\spcffwl.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.


ComboFix:

ComboFix 08-12-16.03 - HP_Administrator 2008-12-16 18:58:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1401 [GMT -8:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_000003_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000010_.tmp.dll
c:\windows\system32\_000011_.tmp.dll
c:\windows\system32\_000012_.tmp.dll
c:\windows\system32\_000013_.tmp.dll
c:\windows\system32\x64
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 )))))))))))))))))))))))))))))))
.

2008-12-16 17:58 . 2008-12-16 17:58 <DIR> d-------- c:\windows\LastGood
2008-12-13 07:17 . 2008-12-13 07:17 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-13 07:17 . 2008-12-13 07:17 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2008-12-13 07:17 . 2008-12-13 07:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-13 07:17 . 2008-12-03 19:54 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-13 07:17 . 2008-12-03 19:54 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-12 19:20 . 2008-12-12 19:20 <DIR> d-------- c:\windows\ERUNT
2008-12-12 19:17 . 2008-12-12 22:03 <DIR> d-------- C:\SDFix
2008-12-06 22:47 . 2008-12-06 22:47 <DIR> d-------- c:\program files\Trend Micro
2008-12-05 17:42 . 2008-12-05 17:42 <DIR> d-------- c:\program files\NVIDIA Corporation
2008-12-05 17:41 . 2008-12-05 17:41 <DIR> d-------- c:\program files\NVIDIA nTune Performance Application
2008-12-04 17:38 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-12-04 17:36 . 2008-12-04 17:36 <DIR> d-------- c:\program files\MSBuild
2008-12-04 17:34 . 2008-12-04 17:34 <DIR> d-------- c:\program files\Microsoft.NET
2008-12-04 17:31 . 2008-12-04 17:31 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2008-12-04 17:30 . 2008-12-04 17:35 <DIR> d-------- c:\windows\SHELLNEW
2008-12-04 17:29 . 2008-12-04 17:29 <DIR> dr-h----- C:\MSOCache
2008-12-04 17:29 . 2008-12-04 18:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-02 20:08 . 2008-12-06 12:47 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\dvdcss
2008-11-25 19:47 . 2008-11-25 19:47 33,846 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.bmp
2008-11-25 19:47 . 2008-11-25 19:47 2,987 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2008-11-25 19:46 . 2008-11-25 19:46 <DIR> d-------- c:\program files\Illustrate
2008-11-25 19:46 . 2008-08-06 04:42 513,400 --a------ c:\windows\system32\SpoonUninstall.exe
2008-11-25 19:46 . 2008-11-25 19:46 33,846 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.bmp
2008-11-25 19:46 . 2008-11-25 19:46 13,785 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2008-11-25 15:38 . 2008-11-25 15:38 <DIR> d-------- c:\program files\Softland
2008-11-25 15:38 . 2008-11-25 15:38 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Softland
2008-11-25 15:38 . 2008-11-18 17:09 20,632 --a------ c:\windows\system32\dopdfmn6.dll
2008-11-25 15:38 . 2008-11-18 17:09 18,072 --a------ c:\windows\system32\dopdfmi6.dll
2008-11-25 15:38 . 2008-10-13 15:23 7,533 --a------ c:\windows\system32\dopdf6.ctm
2008-11-25 07:00 . 2008-11-25 07:01 <DIR> d-------- c:\program files\iTunes
2008-11-25 07:00 . 2008-11-25 07:00 <DIR> d-------- c:\program files\iPod
2008-11-25 07:00 . 2008-11-25 07:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-25 06:58 . 2008-11-25 06:59 <DIR> d-------- c:\program files\QuickTime
2008-11-18 19:33 . 2008-11-18 19:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-18 19:28 . 2008-11-18 19:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL Downloads

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-17 02:56 --------- d-----w c:\program files\Mozilla Firefox 3 Beta 5
2008-12-17 01:50 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-17 00:33 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-16 07:58 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\U3
2008-12-15 23:32 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\uTorrent
2008-12-09 07:19 --------- d-----w c:\program files\FLAC
2008-12-07 05:49 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Apple Computer
2008-12-07 05:49 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\AdobeUM
2008-12-07 05:49 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\AD ON Multimedia
2008-12-07 05:49 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\AccurateRip
2008-12-07 05:49 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\acccore
2008-12-07 03:06 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\LimeWire
2008-12-07 00:57 --------- d-----w c:\program files\LimeWire
2008-12-06 02:10 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2008-12-06 01:43 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-05 02:13 --------- d-----w c:\program files\Windows Live
2008-12-05 02:09 --------- d-----w c:\program files\Active GIF Creator 3.1
2008-12-05 02:08 --------- d-----w c:\program files\Yahoo!
2008-12-05 02:08 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-05 02:08 --------- d-----w c:\program files\AMD
2008-12-05 01:36 --------- d-----w c:\program files\Microsoft Works
2008-12-02 08:00 7,162 ----a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2008-11-25 15:00 --------- d-----w c:\program files\Common Files\Apple
2008-11-19 03:35 --------- d-----w c:\program files\AIM6
2008-11-12 22:14 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\mIRC
2008-11-02 19:22 152,904 ----a-w c:\windows\system32\vghd.scr
2008-11-02 19:22 --------- d-----w c:\program files\vghd
2008-10-31 01:15 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\vghd
2008-10-25 18:11 --------- d-----w c:\program files\HP
2008-10-25 18:11 --------- d-----w c:\program files\Hewlett-Packard
2008-10-25 04:54 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-10-25 04:54 10,671 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 10:07 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 16:57 332,800 ----a-w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2006-10-03 10:43 2,402,550 ------w c:\windows\inf\SET904.tmp
2006-10-03 10:43 2,402,550 ------w c:\windows\inf\SET1A5.tmp
2004-08-10 04:00 1,431,144 ----a-w c:\windows\inf\SET977.tmp
2004-08-10 04:00 1,431,144 ----a-w c:\windows\inf\SET218.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-18 68856]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-06-23 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-06-23 81920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-24 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 c:\windows\RTHDCPL.EXE]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
DesktopVideoPlayer.LNK - c:\program files\vghd\vghd.exe [2008-10-30 357712]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-08-24 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2008-03-17 16:59 2289664 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox 3 Beta 5\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

S3 mam4410c;mam4410c;c:\windows\system32\Drivers\mam4410c.sys [2008-06-18 24784]
S3 mam4410m;mam4410m;c:\windows\system32\Drivers\mam4410m.sys [2008-06-18 25044]
S3 mam4410u;mam4410u;c:\windows\system32\Drivers\mam4410u.sys [2008-06-18 52309]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe

*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-12-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-16 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - HP_Administrator.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)
MSConfigStartUp-Google Update - c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe


.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: {FF62BB3E-3067-490A-8D10-43068B59A8AB} = 68.87.69.146,68.87.85.98
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\tnc9n3g6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://forums.bimmerforums.com/forum/index.php
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-16 19:01:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-16 19:02:42
ComboFix-quarantined-files.txt 2008-12-17 03:01:56

Pre-Run: 49,200,422,912 bytes free
Post-Run: 49,214,373,888 bytes free

238 --- E O F --- 2008-12-05 02:42:58


HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:42 PM, on 12/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - S-1-5-18 Startup: DesktopVideoPlayer.LNK = C:\Program Files\vghd\vghd.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: DesktopVideoPlayer.LNK = C:\Program Files\vghd\vghd.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: DesktopVideoPlayer.LNK = C:\Program Files\vghd\vghd.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF62BB3E-3067-490A-8D10-43068B59A8AB}: NameServer = 68.87.69.146,68.87.85.98
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 11556 bytes



I seem to no longer be getting the fake alert.

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:35 AM

Posted 17 December 2008 - 02:23 AM

Please read and comply to step 3# from post #4 and step #1 from post #10 and post a fresh RSIT log.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users