
Hijack This Log


  • This topic is locked
16 replies to this topic

#1 Pecoi

  • Members
  • 13 posts

Posted 31 December 2008 - 11:16 AM

My friend's laptop just got hit by a slew of junk out of nowhere last night, despite being decently protected and regularly maintained by the appropriate programs (ZoneAlarm, Avast!, S&D, et cetera), and never visiting any potentially dangerous websites.

I did what I could with said programs to rid the machine of most of it (and because I couldn't roll back the machine since she had turned System Restore off then back on to make space days prior), but hit a snag when Avast!, scanning at boot up, couldn't Delete/Repair/or Move Monder.GB/ddcby0pg.dll. I hit Ignore, went back into Safe Mode, created a HJT log, and now here I am, hoping someone can guide me to victory with their expert malware smiting techniques.

Just knowing it's there but not gone, lurking in the operating memory is driving me a bit batty, so thank you in advance to anyone who can help me get rid of this blasted thing!

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:28 AM, on 12/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5030 bytes


#2 BHowett

    Malware Hunter

  • Members
  • 69 posts
  • Location:USA

Posted 10 January 2009 - 06:49 PM

Hello and welcome to Bleeping Computer my name is BHowett and I will be helping you get sorted.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know.

If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Thanks and again sorry for the delay.

Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE

Please do not PM me asking for support. Post on the forums instead :)
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
Search the Forums | Forum Help
My help is always free, but if you feel I have helped you and would like to make a small donation, please use the donation link.


#3 Pecoi
  • Topic Starter

  • Members
  • 13 posts

Posted 13 January 2009 - 03:56 AM

Attached File: Attach.txt (10.45KB)

Thank you very much, BHowett, and I don't mind the belated reply, seeing how it's entirely understandable. I did as you instructed, and now I'm posting the DDS in my reply:


DDS (Version 1.1.0) - NTFSx86 MINIMAL
Run by Marisa at 23:19:27.75 on Thu 01/08/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.207 [GMT -8:00]

AV: avast! antivirus 4.8.1296 [VPS 081230-0] *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Marisa\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=laptop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\ddcbYoPg.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - No File
BHO: {a3e3f49c-71e9-4a90-bcbc-84c9cd84036e} - c:\windows\system32\geBUkklL.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: ddcbYoPg - ddcbYoPg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\ddcbYoPg.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\geBUkklL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marisa\applic~1\mozilla\firefox\profiles\oxaajfcq.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - component: c:\documents and settings\marisa\application data\mozilla\firefox\profiles\oxaajfcq.default\extensions\{7c5c0f58-e061-457d-9033-77307f5ed00c}\components\FFAlert.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000

============= SERVICES / DRIVERS ===============

S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-9-27 111184]
S1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-5 353680]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-9-27 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-9-27 352920]
S3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2004-12-15 200192]
S4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-9-27 20560]
S4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-9-27 155160]
S4 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2008-12-23 603904]
S4 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2009-01-03 22:07 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-31 06:26 <DIR> --d----- c:\program files\Trend Micro
2008-12-31 05:04 82,944 a------- c:\windows\system32\msiconf.exe
2008-12-31 05:03 680,798 a--sh--- c:\windows\system32\LlkkUBeg.ini2
2008-12-31 05:03 681,472 a--sh--- c:\windows\system32\LlkkUBeg.ini
2008-12-31 05:03 290,304 a------- c:\windows\system32\geBUkklL.dll
2008-12-31 04:58 72,192 a------- c:\windows\system32\urqPhhhE.dll
2008-12-31 04:48 114,688 a------- c:\windows\system32\prunnet.exe
2008-12-23 23:31 603,904 a------- c:\windows\system32\TUProgSt.exe
2008-12-23 23:31 27,904 a------- c:\windows\system32\uxtuneup.dll
2008-12-23 23:31 360,192 a------- c:\windows\system32\TuneUpDefragService.exe
2008-12-23 23:28 <DIR> --d----- c:\program files\TuneUp Utilities 2009
2008-12-23 23:27 <DIR> --dsh--- c:\docume~1\alluse~1\applic~1\{55A29068-F2CE-456C-9148-C869879E2357}
2008-12-22 21:51 0 a------- c:\windows\pcfriend.INI

==================== Find3M ====================

2008-12-31 07:23 90,112 a------- c:\windows\DUMP4efa.tmp
2008-12-31 07:22 90,112 a------- c:\windows\DUMP4e9d.tmp
2008-12-31 07:21 90,112 a------- c:\windows\DUMP5c29.tmp
2008-12-12 22:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-06 23:49 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-05 20:28 4,212 a---h--- c:\windows\system32\zllictbl.dat
2008-11-13 15:18 1,221,008 a------- c:\windows\system32\zpeng25.dll
2008-10-28 23:06 4,031 a------- c:\windows\mozver.dat
2008-10-24 03:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 04:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 05:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 05:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 08:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-14 23:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-14 23:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-06-25 00:42 526 a------- c:\docume~1\marisa\applic~1\wklnhst.dat
2006-02-07 23:27 89 a------- c:\program files\INSTALL.LOG
1999-07-06 16:00 6 ---shr-- c:\windows\@desktop@.dat
2008-09-27 19:09 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092720080928\index.dat

============= FINISH: 23:21:13.28 ===============


I don't think the anti-virus or firewall got in the way of the scan, but if you need me to disable them both and rescan, I will. If this doesn't work, if the system is too damaged or compromised, I'll probably just reformat the thing. It's getting worse, it seems, seeing how explorer won't pop up in Safe Mode unless I start it manually, and I more often than not get blue screened when I boot into Safe Mode. Bah. Either way, thanks for your help. :thumbsup:
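The DDS report above carries the classic Vundo/Monder footprint: BHO, SEH and Winlogon Notify entries pointing at 8-letter, mixed-case DLLs in system32 (ddcbYoPg.dll, geBUkklL.dll, urqPhhhE.dll), an LSA Authentication Packages value that has grown beyond the XP default of msv1_0 alone, and a hidden LlkkUBeg.ini whose name is geBUkklL spelled backwards. The Python script below is an added example, not part of the original thread and not DDS's own code, showing how to pull those indicators out of a pseudo-HJT report automatically. The sample lines are constructed to follow the shape of the log above, and the case-flip threshold is a heuristic chosen here, not a DDS rule.

```python
import re

# Constructed sample modelled on the DDS "Pseudo HJT Report" and "Created Last 30"
# sections in the thread above; it is not a copy of the posted log.
SAMPLE_DDS = r"""
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\ddcbYoPg.dll
BHO: {a3e3f49c-71e9-4a90-bcbc-84c9cd84036e} - c:\windows\system32\geBUkklL.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
Notify: AtiExtEvent - Ati2evxx.dll
Notify: ddcbYoPg - ddcbYoPg.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\ddcbYoPg.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\geBUkklL
2008-12-31 05:03 680,798 a--sh--- c:\windows\system32\LlkkUBeg.ini2
2008-12-31 05:03 681,472 a--sh--- c:\windows\system32\LlkkUBeg.ini
2008-12-31 05:03 290,304 a------- c:\windows\system32\geBUkklL.dll
2008-12-31 04:58 72,192 a------- c:\windows\system32\urqPhhhE.dll
"""

# Basename and extension of any file named on a line, with or without a path.
FILE_RE = re.compile(r'\b([A-Za-z0-9_~]+)\.(dll|exe|ini2?|sys)\b', re.IGNORECASE)

# Heuristic threshold (assumption): a legitimate 8-letter name such as "SDHelper" flips
# case once; the generated names in this log (ddcbYoPg, geBUkklL, urqPhhhE) flip 3-4 times.
MIN_CASE_FLIPS = 3


def case_flips(stem):
    return sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())


def looks_generated(filename):
    """True for the Vundo-style pattern: exactly 8 ASCII letters, mixed case, frequent flips."""
    stem = filename.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    return (len(stem) == 8 and stem.isascii() and stem.isalpha()
            and case_flips(stem) >= MIN_CASE_FLIPS)


def analyze(report):
    """Return a list of (indicator, detail) tuples for one DDS pseudo-HJT report."""
    lines = report.splitlines()
    # Stems of every .ini/.ini2 file seen, so a DLL can be paired with its reversed-name companion.
    ini_stems = {m.group(1) for line in lines for m in FILE_RE.finditer(line)
                 if m.group(2).lower().startswith('ini')}
    findings, reported = [], set()
    for line in lines:
        if line.startswith('LSA:'):
            # XP's default Authentication Packages value is msv1_0 alone; anything
            # appended to it is loaded into lsass.exe at boot.
            extra = [p for p in line.split('=', 1)[1].split() if p.lower() != 'msv1_0']
            if extra:
                findings.append(('lsa_auth_package', ' '.join(extra)))
        if line.startswith('BHO:') and line.rstrip().endswith('No File'):
            findings.append(('orphan_bho', line))
        if line.startswith('Notify:') and any(looks_generated(m.group(0)) for m in FILE_RE.finditer(line)):
            # Winlogon notification packages run inside winlogon.exe at logon.
            findings.append(('winlogon_notify', line))
        for m in FILE_RE.finditer(line):
            stem, ext = m.group(1), m.group(2).lower()
            if ext == 'dll' and looks_generated(stem) and stem.lower() not in reported:
                reported.add(stem.lower())
                findings.append(('generated_name', stem + '.dll'))
                if stem[::-1] in ini_stems:
                    findings.append(('reversed_ini_companion', f'{stem}.dll <-> {stem[::-1]}.ini'))
    return findings


if __name__ == '__main__':
    for kind, detail in analyze(SAMPLE_DDS):
        print(f'{kind:24} {detail}')
```

Run against the sample it reports three generated-name DLLs, the geBUkklL/LlkkUBeg pairing, the orphaned BHO, the Notify entry and the extra LSA package; SDHelper.dll and Ati2evxx.dll pass because one flips case only once and the other contains a digit. The name heuristic is deliberately narrow to keep false positives down on vendor DLLs; the LSA and Notify checks are the higher-confidence signals.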

#4 BHowett

    Malware Hunter

  • Members
  • 69 posts
  • Location:USA

Posted 13 January 2009 - 01:14 PM

Hi Pecoi,

Not looking too bad, but there is some junk in there, please do the following...


ComboFix

Please download ComboFix from Here or Here

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Do not mouse-click Combofix's window while it is running. That may cause it to stall.



#5 Pecoi
  • Topic Starter

  • Members
  • 13 posts

Posted 13 January 2009 - 11:30 PM

Okay, here are the ComboFix results. FYI: I entirely spaced on disabling the firewall, but I don't think it interfered. If you want me to rescan though, I will. If I'm reading the results as correctly as I can, being a neophyte when it comes to things such as this, was I infected by seneka? Because if so, would it be better just to reformat and reinstall completely? I'm just asking because compromising infections like that scare the bejeebus out of me, even if the laptop didn't have much of anything of value on it.


ComboFix 09-01-13.03 - Marisa 2009-01-13 18:58:11.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.109 [GMT -8:00]
Running from: c:\documents and settings\Marisa\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090113-1] *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekavjiyanlx.sys
c:\windows\system32\geBUkklL.dll
c:\windows\system32\gpzhrv.dll
c:\windows\system32\iqehuvfp.ini
c:\windows\system32\LlkkUBeg.ini
c:\windows\system32\LlkkUBeg.ini2
c:\windows\system32\msiconf.exe
c:\windows\system32\pfvuheqi.dll
c:\windows\system32\prunnet.exe
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekajereijbg.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\senekasdmwdpom.dll
c:\windows\system32\xnmmbeva.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
.

2009-01-03 22:07 . 2009-01-03 22:07 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-31 06:26 . 2008-12-31 06:26 <DIR> d-------- c:\program files\Trend Micro
2008-12-31 05:16 . 2005-04-29 21:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2008-12-31 05:16 . 2005-04-29 21:39 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2008-12-31 05:16 . 2008-12-31 05:16 <DIR> d-------- c:\documents and settings\Administrator
2008-12-31 04:58 . 2008-12-31 04:58 72,192 --a------ c:\windows\system32\urqPhhhE.dll
2008-12-23 23:31 . 2008-12-23 23:31 603,904 --a------ c:\windows\system32\TUProgSt.exe
2008-12-23 23:31 . 2008-12-23 23:31 360,192 --a------ c:\windows\system32\TuneUpDefragService.exe
2008-12-23 23:31 . 2008-12-11 13:31 27,904 --a------ c:\windows\system32\uxtuneup.dll
2008-12-23 23:28 . 2008-12-23 23:53 <DIR> d-------- c:\program files\TuneUp Utilities 2009
2008-12-23 23:27 . 2008-12-23 23:27 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2008-12-22 21:51 . 2008-12-22 21:51 0 --a------ c:\windows\pcfriend.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 10:48 90,112 ----a-w c:\windows\DUMP5265.tmp
2009-01-09 10:46 90,112 ----a-w c:\windows\DUMP4d16.tmp
2008-12-31 15:23 90,112 ----a-w c:\windows\DUMP4efa.tmp
2008-12-31 15:22 90,112 ----a-w c:\windows\DUMP4e9d.tmp
2008-12-31 15:21 90,112 ----a-w c:\windows\DUMP5c29.tmp
2008-12-31 13:39 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-26 08:08 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-24 07:29 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-12-24 04:52 --------- d-----w c:\program files\CCleaner
2008-12-23 11:11 --------- d-----w c:\documents and settings\Marisa\Application Data\LimeWire
2008-12-07 07:49 --------- d-----w c:\program files\Java
2008-11-14 13:34 --------- d-----w c:\program files\LimeWire
2008-06-25 08:42 526 ----a-w c:\documents and settings\Marisa\Application Data\wklnhst.dat
1999-07-07 00:00 6 --sh--r c:\windows\@desktop@.dat
2008-09-28 03:09 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092720080928\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-08-02 113664]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2008-10-27 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=gpzhrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a------ 2005-02-17 13:01 233534 c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a------ 2004-12-03 12:24 290816 c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 07:38 241664 c:\program files\Hp\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-08-04 16:28 49152 c:\program files\Hp\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"prunnet"="c:\windows\system32\prunnet.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LSBWatcher"=c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"prunnet"="c:\windows\system32\prunnet.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-09-27 111184]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2004-12-15 200192]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-09-27 20560]

--- Other Services/Drivers In Memory ---

*Deregistered* - ALG
*Deregistered* - aswUpdSv
*Deregistered* - Ati HotKey Poller
*Deregistered* - AudioSrv
*Deregistered* - avast! Antivirus
*Deregistered* - avast! Mail Scanner
*Deregistered* - avast! Web Scanner
*Deregistered* - BITS
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - hpqwmi
*Deregistered* - HTTPFilter
*Deregistered* - ImapiService
*Deregistered* - JavaQuickStarterService
*Deregistered* - LightScribeService
*Deregistered* - LmHosts
*Deregistered* - MDM
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Pml Driver HPZ12
*Deregistered* - ProtectedStorage
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TabletService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - TuneUp.ProgramStatisticsSvc
*Deregistered* - UxTuneUp
*Deregistered* - vsmon
*Deregistered* - W32Time
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-01-14 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 21:36]

2008-12-31 c:\windows\Tasks\rhjpzonn.job
- c:\windows\system32\rundll32.exe [2008-04-13 16:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{45c74525-1f15-42eb-a067-e1bf1f4a9734} - c:\windows\system32\gpzhrv.dll
BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
BHO-{F2F85263-ED90-447D-8B86-5C2AAA3A8873} - c:\windows\system32\geBUkklL.dll
Notify-ddcbYoPg - ddcbYoPg.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O16 -: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
FF - ProfilePath - c:\documents and settings\Marisa\Application Data\Mozilla\Firefox\Profiles\oxaajfcq.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - component: c:\documents and settings\Marisa\Application Data\Mozilla\Firefox\Profiles\oxaajfcq.default\extensions\{7c5c0f58-e061-457d-9033-77307f5ed00c}\components\FFAlert.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 19:11:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1792)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\Tablet.exe
c:\windows\system32\TUProgSt.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\ati2evxx.exe
c:\program files\HPQ\Shared\hpqwmi.exe
.
**************************************************************************
.
Completion time: 2009-01-13 19:23:15 - machine was rebooted [Marisa]
ComboFix-quarantined-files.txt 2009-01-14 03:23:01

Pre-Run: 23,040,880,640 bytes free
Post-Run: 22,927,503,360 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

249 --- E O F --- 2008-12-18 05:02:53

#6 BHowett

Posted 14 January 2009 - 08:33 AM

Hi Pecoi,

would it be better just to reformat and reinstall completely? I'm just asking because compromising infections like that scare the bejeebus out of me, even if the laptop didn't have much of anything of value on it.

No need for a reformat, we can take care of it :thumbsup: please do the following...

Combofix Script.txt

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\urqPhhhE.dll
c:\windows\pcfriend.INI
c:\windows\Tasks\rhjpzonn.job
c:\windows\system32\prunnet.exe
c:\windows\DUMP5265.tmp
c:\windows\DUMP4d16.tmp
c:\windows\DUMP4efa.tmp
c:\windows\DUMP4e9d.tmp
c:\windows\DUMP5c29.tmp
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"prunnet"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"prunnet"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
===============================================

P2P Warning!

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur. Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current problem/infection. I would strongly suggest you remove LimeWire. Removing can be done through Add/Remove Programs.

===============================================

ATF Cleaner

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

===============================================

Disable resident protections (Antivirus...); you'll re-enable them after the scan

Download Lop S&D < here

Double-click Lop S&D.exe
Choose the language, then choose Option 2 (Fix + Hosts)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)

===============================================

Needed in your next reply:

Combofix log
Lop S&D log

And let me know how things are running now :)


#7 Pecoi

Posted 17 January 2009 - 02:27 AM

Here's the new ComboFix log:

ComboFix 09-01-16.02 - Marisa 2009-01-16 21:30:34.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.147 [GMT -8:00]
Running from: c:\documents and settings\Marisa\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Marisa\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090116-1] *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point

FILE ::
c:\windows\DUMP4d16.tmp
c:\windows\DUMP4e9d.tmp
c:\windows\DUMP4efa.tmp
c:\windows\DUMP5265.tmp
c:\windows\DUMP5c29.tmp
c:\windows\pcfriend.INI
c:\windows\system32\prunnet.exe
c:\windows\system32\urqPhhhE.dll
c:\windows\Tasks\rhjpzonn.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\DUMP4d16.tmp
c:\windows\DUMP4e9d.tmp
c:\windows\DUMP4efa.tmp
c:\windows\DUMP5265.tmp
c:\windows\DUMP5c29.tmp
c:\windows\pcfriend.INI
c:\windows\system32\urqPhhhE.dll
c:\windows\Tasks\rhjpzonn.job

.
((((((((((((((((((((((((( Files Created from 2008-12-17 to 2009-01-17 )))))))))))))))))))))))))))))))
.

2009-01-03 22:07 . 2009-01-03 22:07 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-31 06:26 . 2008-12-31 06:26 <DIR> d-------- c:\program files\Trend Micro
2008-12-31 05:16 . 2005-04-29 21:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2008-12-31 05:16 . 2005-04-29 21:39 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2008-12-31 05:16 . 2008-12-31 05:16 <DIR> d-------- c:\documents and settings\Administrator
2008-12-23 23:31 . 2008-12-23 23:31 603,904 --a------ c:\windows\system32\TUProgSt.exe
2008-12-23 23:31 . 2008-12-23 23:31 360,192 --a------ c:\windows\system32\TuneUpDefragService.exe
2008-12-23 23:31 . 2008-12-11 13:31 27,904 --a------ c:\windows\system32\uxtuneup.dll
2008-12-23 23:28 . 2008-12-23 23:53 <DIR> d-------- c:\program files\TuneUp Utilities 2009
2008-12-23 23:27 . 2008-12-23 23:27 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-31 13:39 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-28 12:43 2,084,864 ----a-w c:\windows\Internet Logs\xDBF.tmp
2008-12-26 08:08 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-24 07:29 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-12-24 04:52 --------- d-----w c:\program files\CCleaner
2008-12-23 11:11 --------- d-----w c:\documents and settings\Marisa\Application Data\LimeWire
2008-12-20 00:39 4,663,009 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-12-19 14:11 2,031,616 ----a-w c:\windows\Internet Logs\xDBE.tmp
2008-12-18 10:28 2,031,104 ----a-w c:\windows\Internet Logs\xDBD.tmp
2008-12-17 13:26 2,027,520 ----a-w c:\windows\Internet Logs\xDBC.tmp
2008-12-17 04:14 2,027,008 ----a-w c:\windows\Internet Logs\xDBB.tmp
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-10 04:05 2,016,768 ----a-w c:\windows\Internet Logs\xDB9.tmp
2008-12-09 15:04 2,015,232 ----a-w c:\windows\Internet Logs\xDB8.tmp
2008-12-07 14:04 2,014,208 ----a-w c:\windows\Internet Logs\xDB7.tmp
2008-12-07 07:49 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-07 07:49 --------- d-----w c:\program files\Java
2008-11-14 10:42 1,893,376 ----a-w c:\windows\Internet Logs\xDB6.tmp
2008-11-13 23:18 1,221,008 ----a-w c:\windows\system32\zpeng25.dll
2008-11-01 01:20 1,846,784 ----a-w c:\windows\Internet Logs\xDB5.tmp
2008-10-26 12:24 2,790,912 ----a-w c:\windows\Internet Logs\xDB4.tmp
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 22:42 3,143,168 ----a-w c:\windows\Internet Logs\xDB2.tmp
2008-10-23 22:42 1,725,440 ----a-w c:\windows\Internet Logs\xDB3.tmp
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-06-25 08:42 526 ----a-w c:\documents and settings\Marisa\Application Data\wklnhst.dat
1999-07-07 00:00 6 --sh--r c:\windows\@desktop@.dat
2008-09-28 03:09 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092720080928\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-13_19.20.52.81 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-17 05:09:40 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_2a0.dat
+ 2009-01-17 05:09:18 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_98.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-08-02 113664]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2008-10-27 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcbYoPg]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a------ 2005-02-17 13:01 233534 c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a------ 2004-12-03 12:24 290816 c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 07:38 241664 c:\program files\Hp\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-08-04 16:28 49152 c:\program files\Hp\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LSBWatcher"=c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-09-27 111184]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2004-12-15 200192]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-09-27 20560]
R4 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2008-12-23 603904]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 21:36]
.
- - - - ORPHANS REMOVED - - - -

BHO-{45c74525-1f15-42eb-a067-e1bf1f4a9734} - (no file)
BHO-{F2F85263-ED90-447D-8B86-5C2AAA3A8873} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-16 21:34:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1640)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-16 21:37:34
ComboFix-quarantined-files.txt 2009-01-17 05:37:18
ComboFix2.txt 2009-01-14 03:23:19

Pre-Run: 22,892,339,200 bytes free
Post-Run: 22,870,769,664 bytes free

180 --- E O F --- 2008-12-18 05:02:53


And here's the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:02 PM, on 1/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O20 - Winlogon Notify: ddcbYoPg - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6518 bytes


And I will post the other logs after I use ATF Cleaner and Lop S&D, too. Thank you very much for your help, BHowett.
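The entries a helper reads first in a HijackThis log like the one above are the O20 Winlogon Notify package with a dangling path (the Monder DLL that avast! could not delete), orphaned O2 BHO registrations marked "(no file)", and O23 services with no recorded publisher. As an added triage example for this thread (it is not HijackThis, ComboFix or BleepingComputer code), the following script parses those line types and ranks them; the sample lines are constructed from the log, and the Winlogon Notify allowlist is an illustrative assumption.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added illustrative example for this thread; it is not HijackThis, ComboFix
or BleepingComputer code. It reads HJT-style O2 / O20 / O23 lines and reports
the entries a malware-removal helper would look at first: orphaned BHO
registrations, Winlogon Notify packages outside a known set, and services
with no recorded publisher.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample lines, modelled on the entries seen in this thread's logs.
SAMPLE_HJT_LINES = [
    "O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll",
    "O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    "O20 - Winlogon Notify: ddcbYoPg - C:\\WINDOWS\\",
    "O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\system32\\WgaLogon.dll",
    "O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\\Program Files\\Common Files\\LightScribe\\LSSrvc.exe",
    "O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe",
]

# Illustrative allowlist of Winlogon Notify packages normally present on
# XP-era Windows (an assumption for this example, not taken from the thread).
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "dimsntfy", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon", "WgaLogon",
}


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code, e.g. "O20"
    severity: str  # "high", "medium" or "low"
    subject: str   # the package name, CLSID or service the finding concerns
    reason: str


SECTION_RE = re.compile(r"^(O\d+) - (.*)$")


def split_hjt_line(line: str) -> Optional[tuple]:
    """Return (section, body) for an 'Oxx - ...' line, else None."""
    m = SECTION_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HJT line; None means nothing worth a second look."""
    parsed = split_hjt_line(line)
    if parsed is None:
        return None
    section, body = parsed
    if section == "O2" and body.startswith("BHO: "):
        # "BHO: <name> - {CLSID} - <dll path>"; rsplit keeps names containing " - " intact
        parts = body[len("BHO: "):].rsplit(" - ", 2)
        if len(parts) == 3 and parts[2] == "(no file)":
            return Finding("O2", "low", parts[1],
                           "BHO is registered but its DLL is gone: orphaned entry to remove")
    elif section == "O20" and body.startswith("Winlogon Notify: "):
        # "Winlogon Notify: <package> - <dll path>"; the DLL is loaded into winlogon.exe
        parts = body[len("Winlogon Notify: "):].rsplit(" - ", 1)
        if len(parts) == 2 and parts[0] not in KNOWN_NOTIFY:
            name, path = parts
            dangling = path.endswith("\\") or path == "(no file)"
            if dangling:
                return Finding("O20", "high", name,
                               "unknown Winlogon Notify package whose recorded path is not a file; "
                               "the same pattern as the Monder DLL in this thread")
            return Finding("O20", "medium", name,
                           "Winlogon Notify package outside the known set; verify the DLL's publisher")
    elif section == "O23" and body.startswith("Service: "):
        # "Service: <display name> (<short name>) - <owner> - <binary path>"
        parts = body[len("Service: "):].rsplit(" - ", 2)
        if len(parts) == 3 and parts[1] == "Unknown owner":
            return Finding("O23", "low", parts[0],
                           "service binary carries no publisher; confirm it belongs to installed software")
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run triage_line over a whole log and return findings, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    found = [f for f in map(triage_line, lines) if f is not None]
    return sorted(found, key=lambda f: order[f.severity])  # sorted() is stable


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LINES):
        print(f"[{f.severity:6}] {f.section} {f.subject}: {f.reason}")
```

Feed it the O2/O20/O23 lines of a real HJT log (one string per line) and the ddcbYoPg-style entry surfaces at the top of the list.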

#8 Pecoi

Posted 17 January 2009 - 08:07 AM

All right, here are the most recent logs. I'll start with the Lop S&D log:


--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 3
X86-based PC ( Uniprocessor Free : Mobile AMD Sempron™ Processor 3000+ )
BIOS : Phoenix NoteBIOS 4.0 Release 6.1
USER : Marisa ( Administrator )
BOOT : Normal boot
Antivirus : avast! antivirus 4.8.1296 [VPS 090116-1] 4.8.1296 (Not Activated)
Firewall : ZoneAlarm Firewall 8.0.065.000 (Activated)
C:\ (Local Disk) - NTFS - Total:37 Go (Free:21 Go)
D:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [2] ( Fri 01/16/2009|23:33 )


\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\


--------------------\\ Listing folders in APPLIC~1

[04/29/2005|09:39] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Apple Computer
[04/29/2005|07:40] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Identities
[01/16/2009|09:01] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft
[04/29/2005|09:49] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Symantec

[12/23/2008|11:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> {55A29068-F2CE-456C-9148-C869879E2357}
[04/29/2005|09:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[10/27/2008|10:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Alias
[07/17/2006|03:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Creative
[04/29/2005|10:01] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> hpqwmi
[04/29/2005|09:29] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> InstallShield
[03/09/2007|03:23] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Kodak
[08/29/2008|03:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> MailFrontier
[03/17/2007|10:04] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[04/29/2005|09:47] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> muvee Technologies
[08/31/2006|08:55] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> PlayFirst
[05/26/2006|06:09] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> PopCap
[04/23/2006|06:49] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> QuickTime
[04/29/2005|07:40] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SBSI
[12/31/2008|05:39] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy
[07/02/2008|02:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SYSTEMAX Software Development
[08/31/2006|08:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Trymedia
[12/23/2008|11:29] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> TuneUp Software
[08/31/2006|09:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage
[09/27/2008|02:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> WLInstaller

[04/29/2005|09:39] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Apple Computer
[04/29/2005|07:40] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Identities
[04/29/2005|10:07] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft
[04/29/2005|09:49] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Symantec

[11/25/2007|02:19] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft
[09/27/2008|07:16] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Mozilla
[09/27/2008|07:18] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Talkback

[03/17/2008|09:56] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> Adobe
[01/04/2008|06:39] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> AdobeUM
[09/27/2008|04:06] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> Aim
[04/29/2005|09:39] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> Apple Computer
[10/27/2008|10:47] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> Autodesk
[05/16/2008|10:00] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> DivX
[07/23/2008|09:14] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> dvdcss
[05/25/2007|04:00] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> Gamelab
[09/25/2006|06:49] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> Help
[04/29/2005|07:40] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> Identities
[03/15/2006|06:11] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> InterVideo
[11/20/2006|04:34] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> IrfanView
[05/26/2006|06:50] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> Leadertech
[12/23/2008|03:11] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> LimeWire
[02/07/2006|10:19] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> Macromedia
[05/26/2007|11:42] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> Magic Academy
[12/19/2008|05:28] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> Microsoft
[11/22/2008|03:11] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> Mozilla
[04/30/2008|10:25] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> OpenOffice.org2
[08/31/2006|08:55] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> PlayFirst
[05/25/2007|04:59] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> SmartFTP
[07/30/2006|04:08] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> Sonic
[05/26/2006|06:07] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> Sun
[07/02/2008|02:31] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> SYSTEMAX Software Development
[02/07/2006|11:00] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> Talkback
[02/21/2006|08:09] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> Template
[04/15/2007|02:29] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> TuneUp Software
[03/15/2007|07:40] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> Visio
[05/18/2008|03:05] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> vlc
[04/23/2006|05:48] C:\DOCUME~1\Marisa\APPLIC~1\<DIR> Winamp

[10/14/2007|10:47] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[01/16/2009 11:00 PM][--a------] C:\WINDOWS\tasks\1-Click Maintenance.job
[01/16/2009 09:37 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[08/04/2004 12:00 AM][-rah-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[05/16/2008|10:05] C:\Program Files\<DIR> AC3Filter
[08/02/2007|07:28] C:\Program Files\<DIR> Adobe
[09/27/2008|05:13] C:\Program Files\<DIR> Alwil Software
[04/29/2005|09:06] C:\Program Files\<DIR> AMD
[04/23/2006|02:07] C:\Program Files\<DIR> AOD
[04/29/2005|08:54] C:\Program Files\<DIR> ATI Technologies
[11/04/2008|05:53] C:\Program Files\<DIR> BitLord
[12/23/2008|08:52] C:\Program Files\<DIR> CCleaner
[01/16/2009|09:33] C:\Program Files\<DIR> Common Files
[04/29/2005|07:40] C:\Program Files\<DIR> ComPlus Applications
[10/31/2008|01:48] C:\Program Files\<DIR> Conduit
[04/29/2005|07:45] C:\Program Files\<DIR> CONEXANT
[06/18/2006|08:04] C:\Program Files\<DIR> Dell
[04/08/2008|08:08] C:\Program Files\<DIR> Download
[06/20/2008|10:38] C:\Program Files\<DIR> Hp
[02/08/2006|10:32] C:\Program Files\<DIR> HPQ
[10/30/2008|11:37] C:\Program Files\<DIR> InstallShield Installation Information
[10/21/2006|01:10] C:\Program Files\<DIR> InterActual
[12/09/2008|07:23] C:\Program Files\<DIR> Internet Explorer
[04/29/2005|09:30] C:\Program Files\<DIR> InterVideo
[08/10/2006|05:47] C:\Program Files\<DIR> IrfanView
[12/06/2008|11:49] C:\Program Files\<DIR> Java
[03/11/2007|12:43] C:\Program Files\<DIR> Kodak
[11/14/2008|05:34] C:\Program Files\<DIR> LimeWire
[06/10/2006|11:49] C:\Program Files\<DIR> Microsoft ActiveSync
[04/29/2005|07:40] C:\Program Files\<DIR> microsoft frontpage
[08/22/2006|01:11] C:\Program Files\<DIR> Microsoft Money 2005
[03/15/2007|07:18] C:\Program Files\<DIR> Microsoft Office
[06/10/2006|11:47] C:\Program Files\<DIR> Microsoft Visual Studio
[04/29/2005|09:20] C:\Program Files\<DIR> Microsoft Works
[06/10/2006|11:45] C:\Program Files\<DIR> Microsoft.NET
[09/27/2008|06:52] C:\Program Files\<DIR> Movie Maker
[12/31/2008|03:05] C:\Program Files\<DIR> Mozilla Firefox
[11/07/2008|03:05] C:\Program Files\<DIR> MP3Gain
[09/27/2008|06:52] C:\Program Files\<DIR> msn
[04/29/2005|07:40] C:\Program Files\<DIR> MSN Gaming Zone
[11/20/2006|07:40] C:\Program Files\<DIR> MSXML 4.0
[01/01/2007|06:03] C:\Program Files\<DIR> MUSICMATCH
[04/29/2005|09:48] C:\Program Files\<DIR> muvee Technologies
[09/27/2008|06:46] C:\Program Files\<DIR> NetMeeting
[09/07/2006|12:34] C:\Program Files\<DIR> OpenOffice.org 2.0
[09/27/2008|06:46] C:\Program Files\<DIR> Outlook Express
[05/24/2007|09:31] C:\Program Files\<DIR> PFE32
[10/30/2008|11:32] C:\Program Files\<DIR> SAI
[06/11/2006|10:03] C:\Program Files\<DIR> Sierra On-Line
[05/25/2007|04:59] C:\Program Files\<DIR> SmartFTP Client
[04/29/2005|09:29] C:\Program Files\<DIR> Sonic
[12/26/2008|12:08] C:\Program Files\<DIR> Spybot - Search & Destroy
[04/29/2005|09:30] C:\Program Files\<DIR> Synaptics
[12/31/2008|06:26] C:\Program Files\<DIR> Trend Micro
[12/23/2008|11:53] C:\Program Files\<DIR> TuneUp Utilities 2009
[04/29/2005|07:40] C:\Program Files\<DIR> Uninstall Information
[05/18/2008|02:09] C:\Program Files\<DIR> VideoLAN
[03/15/2007|07:42] C:\Program Files\<DIR> Visio
[10/27/2008|10:38] C:\Program Files\<DIR> Wacom
[03/20/2006|11:53] C:\Program Files\<DIR> Winamp
[10/30/2008|11:40] C:\Program Files\<DIR> Windows Live
[11/25/2007|01:22] C:\Program Files\<DIR> Windows Media Connect 2
[09/27/2008|06:46] C:\Program Files\<DIR> Windows Media Player
[09/27/2008|06:46] C:\Program Files\<DIR> Windows NT
[04/29/2005|07:40] C:\Program Files\<DIR> WindowsUpdate
[03/28/2006|11:52] C:\Program Files\<DIR> WinRAR
[04/08/2008|08:30] C:\Program Files\<DIR> WinSCP
[04/08/2008|10:32] C:\Program Files\<DIR> Ws_ftp
[04/29/2005|07:40] C:\Program Files\<DIR> xerox
[10/30/2008|11:58] C:\Program Files\<DIR> Yahoo! Games
[06/10/2006|08:19] C:\Program Files\<DIR> ydkj movies
[06/10/2006|08:50] C:\Program Files\<DIR> ydkj volume 2
[04/23/2006|01:51] C:\Program Files\<DIR> Zone Labs

--------------------\\ Listing Folders in C:\Program Files\Common Files

[08/02/2007|07:28] C:\Program Files\Common Files\<DIR> Adobe
[03/15/2007|07:18] C:\Program Files\Common Files\<DIR> DESIGNER
[06/20/2008|10:37] C:\Program Files\Common Files\<DIR> Hewlett-Packard
[06/20/2008|10:33] C:\Program Files\Common Files\<DIR> HP
[04/29/2005|09:29] C:\Program Files\Common Files\<DIR> InstallShield
[04/29/2005|09:08] C:\Program Files\Common Files\<DIR> Java
[03/11/2007|12:40] C:\Program Files\Common Files\<DIR> Kodak
[06/10/2006|11:50] C:\Program Files\Common Files\<DIR> L&H
[03/15/2007|07:42] C:\Program Files\Common Files\<DIR> Lhspf
[04/29/2005|09:54] C:\Program Files\Common Files\<DIR> LightScribe
[09/27/2008|06:20] C:\Program Files\Common Files\<DIR> Microsoft Shared
[04/29/2005|07:40] C:\Program Files\Common Files\<DIR> MSSoap
[04/29/2005|09:48] C:\Program Files\Common Files\<DIR> muvee Technologies
[04/29/2005|07:40] C:\Program Files\Common Files\<DIR> ODBC
[04/29/2005|07:40] C:\Program Files\Common Files\<DIR> Services
[04/29/2005|09:27] C:\Program Files\Common Files\<DIR> Sonic Shared
[04/29/2005|07:40] C:\Program Files\Common Files\<DIR> SpeechEngines
[04/29/2005|09:29] C:\Program Files\Common Files\<DIR> SureThing Shared
[09/27/2008|06:45] C:\Program Files\Common Files\<DIR> System
[04/29/2005|09:28] C:\Program Files\Common Files\<DIR> TiVo Shared
[03/15/2007|07:43] C:\Program Files\Common Files\<DIR> Visio Shared
[03/15/2007|07:42] C:\Program Files\Common Files\<DIR> WexTech Shared
[09/27/2008|07:42] C:\Program Files\Common Files\<DIR> WindowsLiveInstaller
[01/03/2009|10:07] C:\Program Files\Common Files\<DIR> Wise Installation Wizard

--------------------\\ Process

( 42 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-16 23:35:38
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\Marisa\Desktop\Files\Megan\Meh\Naruto___Bleach_CrackComic_by_MSkyDragons.png
C:\DOCUME~1\Marisa\Desktop\Files\Megan\Meh\Naruto___Death_Note_CrackComic_by_MSkyDragons.png


[F:1][D:0]-> C:\DOCUME~1\Marisa\LOCALS~1\Temp
[F:1][D:0]-> C:\DOCUME~1\Marisa\Cookies
[F:1][D:0]-> C:\DOCUME~1\Marisa\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Fri 01/16/2009|23:36 - Option : [2]

--------------------\\ Scan completed at 23:36:36


And here's the latest ComboFix log:

ComboFix 09-01-16.03 - Marisa 2009-01-17 3:09:47.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.101 [GMT -8:00]
Running from: c:\documents and settings\Marisa\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Marisa\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090116-1] *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-17 to 2009-01-17 )))))))))))))))))))))))))))))))
.

2009-01-17 03:02 . 2009-01-17 03:02 <DIR> d-------- c:\windows\LastGood
2009-01-16 23:32 . 2009-01-16 23:36 <DIR> d-------- C:\Lop SD
2009-01-03 22:07 . 2009-01-03 22:07 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-31 06:26 . 2008-12-31 06:26 <DIR> d-------- c:\program files\Trend Micro
2008-12-31 05:16 . 2005-04-29 21:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2008-12-31 05:16 . 2005-04-29 21:39 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2008-12-31 05:16 . 2008-12-31 05:16 <DIR> d-------- c:\documents and settings\Administrator
2008-12-23 23:31 . 2008-12-23 23:31 603,904 --a------ c:\windows\system32\TUProgSt.exe
2008-12-23 23:31 . 2008-12-23 23:31 360,192 --a------ c:\windows\system32\TuneUpDefragService.exe
2008-12-23 23:31 . 2008-12-11 13:31 27,904 --a------ c:\windows\system32\uxtuneup.dll
2008-12-23 23:28 . 2008-12-23 23:53 <DIR> d-------- c:\program files\TuneUp Utilities 2009
2008-12-23 23:27 . 2008-12-23 23:27 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-31 13:39 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-28 12:43 2,084,864 ----a-w c:\windows\Internet Logs\xDBF.tmp
2008-12-26 08:08 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-24 07:29 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-12-24 04:52 --------- d-----w c:\program files\CCleaner
2008-12-23 11:11 --------- d-----w c:\documents and settings\Marisa\Application Data\LimeWire
2008-12-20 00:39 4,663,009 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-12-19 14:11 2,031,616 ----a-w c:\windows\Internet Logs\xDBE.tmp
2008-12-18 10:28 2,031,104 ----a-w c:\windows\Internet Logs\xDBD.tmp
2008-12-17 13:26 2,027,520 ----a-w c:\windows\Internet Logs\xDBC.tmp
2008-12-17 04:14 2,027,008 ----a-w c:\windows\Internet Logs\xDBB.tmp
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-10 04:05 2,016,768 ----a-w c:\windows\Internet Logs\xDB9.tmp
2008-12-09 15:04 2,015,232 ----a-w c:\windows\Internet Logs\xDB8.tmp
2008-12-07 14:04 2,014,208 ----a-w c:\windows\Internet Logs\xDB7.tmp
2008-12-07 07:49 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-07 07:49 --------- d-----w c:\program files\Java
2008-11-14 10:42 1,893,376 ----a-w c:\windows\Internet Logs\xDB6.tmp
2008-11-13 23:18 1,221,008 ----a-w c:\windows\system32\zpeng25.dll
2008-11-01 01:20 1,846,784 ----a-w c:\windows\Internet Logs\xDB5.tmp
2008-10-26 12:24 2,790,912 ----a-w c:\windows\Internet Logs\xDB4.tmp
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 22:42 3,143,168 ----a-w c:\windows\Internet Logs\xDB2.tmp
2008-10-23 22:42 1,725,440 ----a-w c:\windows\Internet Logs\xDB3.tmp
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-06-25 08:42 526 ----a-w c:\documents and settings\Marisa\Application Data\wklnhst.dat
1999-07-07 00:00 6 --sh--r c:\windows\@desktop@.dat
2008-09-28 03:09 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092720080928\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-13_19.20.52.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-10 03:26:24 593,920 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2009-01-17 11:04:41 593,920 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-12-10 03:26:25 12,288 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2009-01-17 11:04:42 12,288 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-12-10 03:26:24 135,168 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-01-17 11:04:40 135,168 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-12-10 03:26:25 11,264 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2009-01-17 11:04:42 11,264 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-12-10 03:26:25 27,136 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2009-01-17 11:04:43 27,136 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-12-10 03:26:25 4,096 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-01-17 11:04:43 4,096 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-12-10 03:26:25 794,624 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2009-01-17 11:04:44 794,624 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-12-10 03:26:24 249,856 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2009-01-17 11:04:41 249,856 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-12-10 03:26:24 61,440 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2009-01-17 11:04:41 61,440 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-12-10 03:26:26 23,040 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2009-01-17 11:04:44 23,040 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-12-10 03:26:24 286,720 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2009-01-17 11:04:40 286,720 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-12-10 03:26:23 409,600 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2009-01-17 11:04:39 409,600 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-12-09 23:24:37 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-17 05:09:40 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_2a0.dat
+ 2009-01-17 05:09:18 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_98.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-08-02 113664]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2008-10-27 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcbYoPg]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a------ 2005-02-17 13:01 233534 c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a------ 2004-12-03 12:24 290816 c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 07:38 241664 c:\program files\Hp\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-08-04 16:28 49152 c:\program files\Hp\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LSBWatcher"=c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-09-27 111184]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2004-12-15 200192]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-09-27 20560]
R4 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2008-12-23 603904]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 21:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 03:13:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1640)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-17 3:17:32
ComboFix-quarantined-files.txt 2009-01-17 11:17:28
ComboFix2.txt 2009-01-17 05:37:38
ComboFix3.txt 2009-01-14 03:23:19

Pre-Run: 22,809,948,160 bytes free
Post-Run: 22,787,584,000 bytes free

187 --- E O F --- 2009-01-17 11:05:01


I'm going to uninstall LimeWire later on, because I fully agree it's a breeding ground for infections, and I just wanted to say once more, thank you so very much for all your help.

#9 BHowett, Malware Hunter

Posted 17 January 2009 - 06:24 PM

Hi Pecoi,

Well, that looks a lot better. Please do the following...


ATF Cleaner

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

===============================================

Update Java

Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement."
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
===============================================

Kaspersky WebScanner
Please go to the Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
===============================================

Needed in your next reply:
  • Kaspersky WebScanner results

And let me know how things are running now. :thumbsup:

Please do not PM me asking for support. Post on the forums instead :)
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
Search the Forums | Forum Help
My help is always free, but if you feel I have helped you and would like to make a small donation, please click the donation link.


#10 Pecoi, Topic Starter

Posted 20 January 2009 - 08:40 AM

Here are the attached results for the Kaspersky Online Scanner (attached file: kaspersky_online_scanner_results.html). Sorry it took a while... I finally got around to scanning the laptop and actually getting a full report, because IE apparently hates me, and FF loves me much more.

#11 BHowett, Malware Hunter

Posted 20 January 2009 - 10:13 AM

Hi Pecoi,

Well done, your log appears clean :thumbsup:

Now let's uninstall Combofix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /u; it needs to be there.
===============================================

Click Here to download OTCleanIt
Double-click OTCleanIt.exe to run it.
Click the Clean up button
Click Yes to the reboot.

Now delete any logs that you have left over on your desktop.

===============================================

For some useful tips on staying clean, along with links to some freeware to help, have a look at this page.

To find out more information about how you got infected in the first place, you can read this article.

===============================================

Follow this list and your potential for being infected again will reduce dramatically.

Thanks for letting us help you!



#12 Pecoi, Topic Starter

Posted 21 January 2009 - 01:45 AM

EDIT: Wait. I'm sorry to ask for your further assistance, but I have another issue that may or may not be related to this thread. Everything was working fine, running smoothly, up to date, supposedly clean and whatnot, when the keyboard and touch pad just stopped responding. For a moment it worked, went in and out, then just stopped working altogether. Windows was not lagging, nothing seemed amiss, and I could still access things via the mouse that was plugged into the USB port.

I told it to restart, which it did, then it stopped and hung at shut down. I held down the power button and turned it off manually, then restarted. Once it was restarted and back to the sign in screen, I tried to type the password in and use the touch pad, but it was still to no avail. I told the machine to shut down again, but it got stuck thinking once more, and it won't respond to a manual shut down, so I've unplugged the power cord and I'm going to let the battery die out before attempting anything else.

After the clean-out we did, I want to say it isn't the fault of any malware or another infection, but I can't help thinking it might be related, because it happened in the wake of it; still, it wasn't immediate and didn't show any signs until just now. Do you think it could be the fault of another infection, the clean-up, drivers, or just a dying keyboard? Because I have absolutely no idea, and if this isn't your area of expertise, could you kindly direct me to a thread that might be the most helpful?

-----

So it's clean? Clean and safe for certain? There are no spies in my internet machine? Ahh, thank you immensely, BHowett! <3 I checked out all the links you provided and applied what was needed and made sure everything was updated and what not. I appreciate all your time and help, as well as the help of this forum. Again, thank you very much!

Edited by Pecoi, 21 January 2009 - 03:01 AM.


#13 BHowett, Malware Hunter

Posted 22 January 2009 - 10:27 AM

Hi Pecoi,

I am fairly certain that the keyboard problem has nothing to do with malware. If it was, or if it was something we did during the process, it would have been immediate, not shortly after you posted back that everything was working fine.

But anyway, let's take a look just to be sure.

RSIT
  • Download random's system information tool (RSIT) by random/random from here.
  • It is important that is saved to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
If it comes back clean we will know :thumbsup:



#14 Pecoi, Topic Starter

Posted 22 January 2009 - 08:51 PM

Thank you very much for replying. I'm sorry to inconvenience you, and I agree that I don't believe it has to do with the malware, but perhaps just bad timing. I'll download that scanner and post the log as soon as possible.

#15 Pecoi, Topic Starter

Posted 23 January 2009 - 10:31 AM

So I was finally able to get the laptop to boot up normally and stay on for a decent amount of time. It's been hellish, seeing how it hangs at start up, hangs at shut down, won't stay on for more than fifteen minutes whether it's charged or not, or plugged in, won't respond to manual shut down and sometimes start up, and half the time I swear I have to prompt it to keep doing whatever it's doing via the USB ports or shutting the lid, and the keyboard and mouse still don't work.

At this point, I have absolutely no idea what's wrong with it. Even when the machine was infected, it would stay on as long as its battery permitted, or as long as it was plugged into the wall. It would respond, even when it erred. If this is just the hardware malfunctioning, it has horrible, hair-pulling timing. And if I reinfected myself somehow right off the bat, I am going to laugh and cry in unison. Here's the scan log:


Logfile of random's system information tool 1.05 (written by random/random)
Run by Marisa at 2009-01-23 07:09:55
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 23 GB (60%) free of 38 GB
Total RAM: 382 MB (20% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:10:42 AM, on 1/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Documents and Settings\Marisa\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Marisa.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {45c74525-1f15-42eb-a067-e1bf1f4a9734} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {F2F85263-ED90-447D-8B86-5C2AAA3A8873} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O20 - Winlogon Notify: ddcbYoPg - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8031 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\1-Click Maintenance.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 54248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{45c74525-1f15-42eb-a067-e1bf1f4a9734}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2009-01-18 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-01-18 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-01-18 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F2F85263-ED90-447D-8B86-5C2AAA3A8873}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-04-11 339968]
"hpWirelessAssistant"=C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe [2005-04-01 794624]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2005-02-02 102492]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-02-02 692316]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2008-11-26 81000]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2008-11-13 981904]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
C:\Program Files\HPQ\Default Settings\cpqset.exe [2005-02-17 233534]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe [2004-12-03 290816]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe [2003-12-22 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hp\HP Software Update\HPWuSchd.exe [2003-08-04 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-01-18 136600]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE [2006-06-07 180224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
HP Digital Imaging Monitor.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-04-11 46080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcbYoPg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PSEXESVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe"="C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\SmartFTP Client\SmartFTP.exe"="C:\Program Files\SmartFTP Client\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

======List of files/folders created in the last 1 months======

2009-01-23 07:09:55 ----D---- C:\rsit
2009-01-20 21:58:33 ----D---- C:\Program Files\SpywareGuard
2009-01-20 21:52:14 ----D---- C:\Program Files\SpywareBlaster
2009-01-18 12:51:25 ----D---- C:\Program Files\ieSpell
2009-01-18 01:54:05 ----D---- C:\Documents and Settings\Marisa\Application Data\Jarte
2009-01-18 01:52:26 ----D---- C:\Program Files\Jarte
2009-01-18 00:44:54 ----A---- C:\WINDOWS\system32\javaws.exe
2009-01-18 00:44:54 ----A---- C:\WINDOWS\system32\javaw.exe
2009-01-18 00:44:54 ----A---- C:\WINDOWS\system32\java.exe
2009-01-18 00:44:15 ----D---- C:\Program Files\Java
2009-01-18 00:03:50 ----SHD---- C:\RECYCLER
2009-01-17 03:03:24 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-01-13 18:52:52 ----A---- C:\Boot.bak
2009-01-13 18:52:42 ----RASHD---- C:\cmdcons
2009-01-13 18:37:51 ----D---- C:\WINDOWS\ERDNT
2009-01-03 22:07:40 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-31 06:26:19 ----D---- C:\Program Files\Trend Micro
2008-12-31 05:13:38 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-31 05:04:31 ----A---- C:\WINDOWS\system32\02ceb57d-.txt

======List of files/folders modified in the last 1 months======

2009-01-23 07:10:20 ----D---- C:\WINDOWS\Prefetch
2009-01-23 06:54:22 ----D---- C:\WINDOWS\Temp
2009-01-23 06:54:16 ----D---- C:\WINDOWS\Internet Logs
2009-01-23 06:51:28 ----D---- C:\WINDOWS
2009-01-23 06:51:12 ----D---- C:\WINDOWS\system32
2009-01-23 00:22:13 ----D---- C:\Program Files\Mozilla Firefox
2009-01-22 00:16:38 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-21 23:26:44 ----D---- C:\WINDOWS\system32\config
2009-01-21 23:23:05 ----D---- C:\WINDOWS\system32\wbem
2009-01-21 23:23:00 ----D---- C:\WINDOWS\Registration
2009-01-21 23:13:45 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-21 04:50:09 ----HD---- C:\WINDOWS\inf
2009-01-20 21:58:33 ----RD---- C:\Program Files
2009-01-20 19:41:32 ----SHD---- C:\System Volume Information
2009-01-20 19:41:32 ----D---- C:\WINDOWS\system32\Restore
2009-01-18 00:45:03 ----SHD---- C:\WINDOWS\Installer
2009-01-18 00:44:23 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-01-17 03:13:51 ----A---- C:\WINDOWS\system.ini
2009-01-17 03:12:51 ----D---- C:\WINDOWS\system32\drivers
2009-01-17 03:12:49 ----D---- C:\Program Files\Common Files
2009-01-17 03:12:48 ----D---- C:\WINDOWS\AppPatch
2009-01-17 03:03:27 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-01-17 03:02:40 ----HD---- C:\WINDOWS\$hf_mig$
2009-01-17 03:01:00 ----D---- C:\WINDOWS\Debug
2009-01-16 21:31:56 ----SD---- C:\WINDOWS\Tasks
2009-01-13 18:52:52 ----RASH---- C:\boot.ini
2009-01-13 18:27:14 ----D---- C:\WINDOWS\Minidump
2009-01-09 17:35:28 ----A---- C:\WINDOWS\system32\MRT.exe
2008-12-31 05:39:39 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-31 05:16:08 ----D---- C:\Documents and Settings
2008-12-26 00:08:12 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-12-24 00:12:55 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2008-11-26 26944]
R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2004-08-11 39424]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2008-11-26 111184]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2008-11-26 50864]
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2008-11-13 353680]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-11-26 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2008-11-26 94032]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2008-11-26 23152]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-04-11 1035264]
R3 BCM43XX;Broadcom 802.11 Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2005-03-10 371712]
R3 CAMCAUD;Conexant AMC Audio; C:\WINDOWS\system32\drivers\camc6aud.sys [2005-02-18 38016]
R3 CAMCHALA;CAMCHALA; C:\WINDOWS\system32\drivers\camc6hal.sys [2005-02-18 349696]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-12-15 1038208]
R3 HSFHWATI;HSFHWATI; C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-12-15 200192]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys [2005-03-03 74496]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2005-02-02 191456]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-12-15 703232]
S1 eabfiltr;EABFiltr; \??\C:\WINDOWS\system32\drivers\EABFiltr.sys []
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2005-01-18 55320]
S3 eabusb;eabusb; \??\C:\WINDOWS\system32\drivers\eabusb.sys []
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2004-01-04 51056]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2004-01-04 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2004-01-04 21488]
S3 Jukebox;Jukebox; C:\WINDOWS\system32\DRIVERS\ctpdusb2.sys [2003-10-28 16890]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
S3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-13 79232]
S3 SMCIRDA;SMC IrCC Miniport Device Driver; C:\WINDOWS\system32\DRIVERS\smcirda.sys [2001-08-17 35913]
S3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2005-03-16 159488]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2008-11-26 18752]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-04-11 360448]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-11-26 155160]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-01-18 152984]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2005-02-22 38912]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 TabletService;TabletService; C:\WINDOWS\system32\Tablet.exe [2003-12-04 634880]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service; C:\WINDOWS\System32\TUProgSt.exe [2008-12-23 603904]
R2 UxTuneUp;TuneUp Theme Extension; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2008-11-13 2405776]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-11-26 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-11-26 352920]
R3 hpqwmi;HP WMI Interface; C:\Program Files\HPQ\SHARED\HPQWMI.exe [2005-03-04 98304]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-01-04 65795]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service; C:\WINDOWS\System32\TuneUpDefragService.exe [2008-12-23 360192]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------
