
avcenter.exe, msmp3.exe, naxmgr.exe, s3mgr.exe, wrm32.exe


  • This topic is locked
26 replies to this topic

#1 aznriceboi13

  • Members
  • 24 posts
  • Gender:Male

Posted 03 January 2009 - 10:22 AM

avcenter.exe, msmp3.exe, naxmgr.exe, s3mgr.exe, and wrm32.exe are some of the unknown items that keep appearing in the C:\Documents and Settings\HP_Administrator folder. Sometimes when I open Task Manager, I see those .exe files taking up most of my computer's CPU. They also create a .bat file with the same name; for example, s3mgr.exe = s3mgr.bat. When I open s3mgr.bat to edit it, it says:

@echo off
REM Loop until the dropped copy in the user profile has been deleted
:1
del /F "C:\Documents and Settings\HP_Administrator\s3mgr.exe"
If exist "C:\Documents and Settings\HP_Administrator\s3mgr.exe" Goto 1
REM Launch the copy kept in system32 (svhost.exe, a lookalike of the legitimate svchost.exe)
Start C:\WINDOWS\system32\svhost.exe /B
REM Delete this batch file itself
del "C:\Documents and Settings\HP_Administrator\s3mgr.bat"

Here are my RSIT.exe results:


log.txt

Logfile of random's system information tool 1.04 (written by random/random)
Run by HP_Administrator at 2009-01-02 09:09:27
Microsoft Windows XP Professional Service Pack 2
System drive C: has 132 GB (57%) free of 230 GB
Total RAM: 2046 MB (77% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:40 AM, on 1/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\naxmgr.exe
C:\WINDOWS\system32\svhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\syrmgr.exe
C:\WINDOWS\system32\cleannt.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Documents and Settings\HP_Administrator\Desktop\RSIT.exe
C:\Program Files\trend micro\HijackThis\HP_Administrator.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&...mp;UT=companion
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\coIEPlg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [naxmgr] C:\WINDOWS\system32\naxmgr.exe
O4 - HKLM\..\Run: [s3mgr] C:\WINDOWS\system32\svhost.exe
O4 - HKLM\..\Run: [Microsoft® System Manager] C:\WINDOWS\system32\syrmgr.exe
O4 - HKLM\..\Run: [cleannt] C:\WINDOWS\system32\cleannt.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O23 - Service: Norton2009 Reset (.norton2009Reset) - Unknown owner - C:\Program Files\Norton2009Reset.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 10024 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Easy Internet Sign-up.job
C:\WINDOWS\tasks\Warranty Reminder 11 month.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-04-26 438848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52706EF7-D7A2-49AD-A615-E903858CF284}]
Popup-Blocker Class - C:\Program Files\NetZero\qsacc\X1IEBHO.dll [2006-07-05 175600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
Symantec NCO BHO - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\coIEPlg.dll [2008-11-04 340848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
Symantec Intrusion Prevention - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\IPSBHO.DLL [2008-12-13 107896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 184423]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAE832A-5FFF-4661-9C8F-369692D1DCB9}]
hpWebHelper Class - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2008-06-11 345480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CC59E0F9-7E43-44FA-9FAA-8377850BF205}]
FDMIECookiesBHO Class - C:\Program Files\Free Download Manager\iefdm2.dll [2007-11-26 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4971EE7-DAA0-4053-9964-665D8EE6A077}]
SmartSelect Class - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2008-06-11 345480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-04-26 438848]
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - Norton Toolbar - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\coIEPlg.dll [2008-11-04 340848]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2008-06-11 345480]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-06-13 16239616]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-31 7634944]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe [2005-11-10 36975]
"nwiz"=nwiz.exe /installquiet /keeploaded /nodetect []
"naxmgr"=C:\WINDOWS\system32\naxmgr.exe [2009-01-01 30392]
"s3mgr"=C:\WINDOWS\system32\svhost.exe [2009-01-01 26718]
"Microsoft® System Manager"=C:\WINDOWS\system32\syrmgr.exe [2008-12-17 17920]
"cleannt"=C:\WINDOWS\system32\cleannt.exe [2009-01-01 30392]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"NetZero_uoltray"=C:\Program Files\NetZero\exec.exe [2008-05-06 1701376]
"Free Download Manager"=C:\Program Files\Free Download Manager\fdm.exe [2008-05-20 2474031]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"untd_recovery"=C:\Program Files\NetZero\qsacc\x1exec.exe [2005-06-27 241664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\DISC\DISCover.exe"="C:\Program Files\DISC\DISCover.exe:*:Enabled:DISCover Drop & Play System"
"C:\Program Files\DISC\DiscStreamHub.exe"="C:\Program Files\DISC\DiscStreamHub.exe:*:Enabled:DISCover Stream Hub"
"C:\Program Files\DISC\myFTP.exe"="C:\Program Files\DISC\myFTP.exe:*:Enabled:DISCover FTP"
"C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe"="C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe:*:Enabled:Updates from HP"
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe"="C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe:*:Enabled:Updates from HP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d0ae2b4-ce12-11dd-a4aa-00c0a8c09b2f}]
shell\AutoRun\command - L:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1033\conmgr.exe
shell\open\command - L:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1033\conmgr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d0ae2b6-ce12-11dd-a4aa-00c0a8c09b2f}]
shell\AutoRun\command - L:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1033\conmgr.exe
shell\open\command - L:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1033\conmgr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e432f07-caf4-11dd-a4a5-00c0a8c09b2f}]
shell\AutoRun\command - L:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1033\conmgr.exe
shell\open\command - L:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1033\conmgr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa030583-c990-11dd-a49f-00c0a8c09b2f}]
shell\AutoRun\command - L:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1033\conmgr.exe
shell\open\command - L:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1033\conmgr.exe


======List of files/folders created in the last 1 months======

2009-01-02 09:09:27 ----D---- C:\rsit
2009-01-01 22:09:15 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-01-01 22:09:07 ----HDC---- C:\WINDOWS\$NtUninstallKB928255$
2009-01-01 22:09:02 ----HDC---- C:\WINDOWS\$NtUninstallKB899591$
2009-01-01 22:08:57 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2009-01-01 22:08:51 ----HDC---- C:\WINDOWS\$NtUninstallKB933729$
2009-01-01 22:08:45 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2009-01-01 22:08:18 ----HDC---- C:\WINDOWS\$NtUninstallKB936357$
2009-01-01 22:08:12 ----HDC---- C:\WINDOWS\$NtUninstallKB925902$
2009-01-01 22:07:56 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-01-01 22:07:49 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-01-01 22:07:41 ----HDC---- C:\WINDOWS\$NtUninstallKB888302$
2009-01-01 22:07:36 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-01-01 22:07:22 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-01-01 22:07:15 ----HDC---- C:\WINDOWS\$NtUninstallKB913580$
2009-01-01 22:07:09 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-01-01 22:07:01 ----A---- C:\WINDOWS\imsins.BAK
2009-01-01 22:06:57 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2009-01-01 21:15:28 ----A---- C:\WINDOWS\system32\cleannt.exe
2009-01-01 21:12:00 ----A---- C:\WINDOWS\system32\svhost.exe
2009-01-01 21:08:01 ----A---- C:\WINDOWS\system32\naxmgr.exe
2008-12-17 22:26:36 ----A---- C:\WINDOWS\system32\MRT.exe
2008-12-17 22:26:23 ----HDC---- C:\WINDOWS\$NtUninstallKB920872$
2008-12-17 22:26:09 ----HDC---- C:\WINDOWS\$NtUninstallKB922582$
2008-12-17 22:25:59 ----HDC---- C:\WINDOWS\$NtUninstallKB918118$
2008-12-17 22:25:53 ----HDC---- C:\WINDOWS\$NtUninstallKB929399$
2008-12-17 22:25:24 ----HDC---- C:\WINDOWS\$NtUninstallKB886185$
2008-12-17 22:25:17 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-17 22:25:11 ----HDC---- C:\WINDOWS\$NtUninstallKB896428$
2008-12-17 22:25:05 ----HDC---- C:\WINDOWS\$NtUninstallKB935839$
2008-12-17 20:15:31 ----A---- C:\WINDOWS\system32\syrmgr.exe
2008-12-17 20:15:31 ----A---- C:\WINDOWS\system32\msvcrt2.dll
2008-12-17 20:02:15 ----A---- C:\WINDOWS\system32\xactengine2_0.dll
2008-12-17 20:02:15 ----A---- C:\WINDOWS\system32\x3daudio1_0.dll
2008-12-17 20:02:08 ----A---- C:\WINDOWS\system32\d3dx9_29.dll
2008-12-17 20:02:08 ----A---- C:\WINDOWS\system32\d3dx9_28.dll
2008-12-17 20:02:07 ----A---- C:\WINDOWS\system32\xinput9_1_0.dll
2008-12-17 20:02:07 ----A---- C:\WINDOWS\system32\d3dx9_27.dll
2008-12-17 20:02:06 ----A---- C:\WINDOWS\system32\d3dx9_26.dll
2008-12-17 20:02:06 ----A---- C:\WINDOWS\system32\d3dx9_25.dll
2008-12-17 20:02:06 ----A---- C:\WINDOWS\system32\d3dx9_24.dll
2008-12-17 20:01:42 ----D---- C:\Program Files\SanDisk
2008-12-17 20:01:32 ----N---- C:\WINDOWS\system32\spmsg.dll
2008-12-16 22:35:22 ----HDC---- C:\WINDOWS\$NtUninstallKB899587$
2008-12-16 22:35:16 ----HDC---- C:\WINDOWS\$NtUninstallKB918439$
2008-12-16 22:35:09 ----HDC---- C:\WINDOWS\$NtUninstallKB930178$
2008-12-16 22:35:03 ----HDC---- C:\WINDOWS\$NtUninstallKB905414$
2008-12-16 22:34:52 ----HDC---- C:\WINDOWS\$NtUninstallKB935840$
2008-12-16 18:41:55 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\WinBatch
2008-12-15 22:27:23 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-12-15 22:27:18 ----HDC---- C:\WINDOWS\$NtUninstallKB927802$
2008-12-15 22:27:12 ----HDC---- C:\WINDOWS\$NtUninstallKB911927$
2008-12-15 22:27:06 ----HDC---- C:\WINDOWS\$NtUninstallKB901017$
2008-12-15 22:27:01 ----HDC---- C:\WINDOWS\$NtUninstallKB920670$
2008-12-15 22:26:55 ----HDC---- C:\WINDOWS\$NtUninstallKB926436$
2008-12-15 22:26:49 ----HDC---- C:\WINDOWS\$NtUninstallKB914388$
2008-12-15 22:26:43 ----HDC---- C:\WINDOWS\$NtUninstallKB926255$
2008-12-15 22:26:38 ----HDC---- C:\WINDOWS\$NtUninstallKB920213$
2008-12-15 22:26:32 ----HDC---- C:\WINDOWS\$NtUninstallKB943485$
2008-12-15 22:26:27 ----HDC---- C:\WINDOWS\$NtUninstallKB916595$
2008-12-15 22:26:19 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2008-12-15 22:26:13 ----HDC---- C:\WINDOWS\$NtUninstallKB943055$
2008-12-15 22:26:07 ----HDC---- C:\WINDOWS\$NtUninstallKB914389$
2008-12-15 22:26:01 ----HDC---- C:\WINDOWS\$NtUninstallKB944653$
2008-12-15 22:25:53 ----HDC---- C:\WINDOWS\$NtUninstallKB928843$
2008-12-15 21:35:39 ----D---- C:\Program Files\Common Files\TiVo Shared
2008-12-15 21:14:46 ----D---- C:\WINDOWS\setupupd
2008-12-15 21:05:41 ----D---- C:\WINDOWS\system32\PreInstall
2008-12-14 17:05:28 ----A---- C:\WINDOWS\system32\sndvol32.exe
2008-12-14 17:03:30 ----A---- C:\WINDOWS\system32\getuname.dll
2008-12-14 17:03:28 ----A---- C:\WINDOWS\system32\charmap.exe
2008-12-14 17:03:26 ----A---- C:\WINDOWS\system32\calc.exe
2008-12-14 17:03:17 ----A---- C:\WINDOWS\system32\sol.exe
2008-12-14 17:03:14 ----A---- C:\WINDOWS\system32\winmine.exe
2008-12-14 17:03:11 ----A---- C:\WINDOWS\system32\mshearts.exe
2008-12-14 17:03:08 ----A---- C:\WINDOWS\system32\freecell.exe
2008-12-14 17:02:54 ----A---- C:\WINDOWS\system32\accwiz.exe
2008-12-14 17:02:46 ----A---- C:\WINDOWS\system32\sndrec32.exe
2008-12-14 17:02:19 ----A---- C:\WINDOWS\system32\mplay32.exe
2008-12-14 17:00:51 ----A---- C:\WINDOWS\system32\hypertrm.dll
2008-12-14 16:43:50 ----A---- C:\WINDOWS\system32\mspaint.exe
2008-12-14 16:43:48 ----A---- C:\WINDOWS\system32\clipbrd.exe
2008-12-14 16:43:39 ----A---- C:\WINDOWS\system32\spider.exe
2008-12-14 16:37:27 ----SHD---- C:\WINDOWS\ftpcache
2008-12-14 11:39:45 ----HDC---- C:\WINDOWS\$NtUninstallKB926239$
2008-12-14 11:39:03 ----HDC---- C:\WINDOWS\$NtUninstallMSCompPackV1$
2008-12-14 11:38:45 ----D---- C:\Program Files\Windows Media Connect 2
2008-12-14 11:38:25 ----HDC---- C:\WINDOWS\$NtUninstallwmp11$
2008-12-14 11:37:37 ----HDC---- C:\WINDOWS\$NtUninstallWMFDist11$
2008-12-14 11:37:17 ----D---- C:\WINDOWS\system32\LogFiles
2008-12-14 11:37:09 ----HDC---- C:\WINDOWS\$NtUninstallWudf01000$
2008-12-14 11:06:48 ----D---- C:\WINDOWS\system32\en-US
2008-12-13 21:38:37 ----A---- C:\WINDOWS\system32\CnAS0MMK.DLL
2008-12-13 21:38:09 ----A---- C:\WINDOWS\system32\CNCMFP21.INI
2008-12-13 21:38:09 ----A---- C:\WINDOWS\system32\CNCLSU21.DLL
2008-12-13 21:38:09 ----A---- C:\WINDOWS\system32\CNCLST21.DLL
2008-12-13 21:38:09 ----A---- C:\WINDOWS\system32\CNCLSI21.DLL
2008-12-13 21:38:09 ----A---- C:\WINDOWS\system32\CNCLSD21.DLL
2008-12-13 21:38:09 ----A---- C:\WINDOWS\system32\CNCLSC21.DLL
2008-12-13 21:38:08 ----A---- C:\WINDOWS\system32\CNCL3200.DLL
2008-12-13 21:38:08 ----A---- C:\WINDOWS\system32\cncilsc.dll
2008-12-13 21:38:08 ----A---- C:\WINDOWS\system32\CNCI3200.DLL
2008-12-13 21:38:08 ----A---- C:\WINDOWS\system32\CNCC3200.DLL
2008-12-13 21:32:56 ----A---- C:\WINDOWS\system32\ippsa611.dll
2008-12-13 21:32:56 ----A---- C:\WINDOWS\system32\ippja611.dll
2008-12-13 21:32:56 ----A---- C:\WINDOWS\system32\ippcva611.dll
2008-12-13 21:32:55 ----A---- C:\WINDOWS\system32\ippsra611.dll
2008-12-13 21:32:55 ----A---- C:\WINDOWS\system32\ippsr11.dll
2008-12-13 21:32:55 ----A---- C:\WINDOWS\system32\ipps11.dll
2008-12-13 21:32:55 ----A---- C:\WINDOWS\system32\ippj11.dll
2008-12-13 21:32:55 ----A---- C:\WINDOWS\system32\ippia611.dll
2008-12-13 21:32:55 ----A---- C:\WINDOWS\system32\ippi11.dll
2008-12-13 21:32:55 ----A---- C:\WINDOWS\system32\ippcv11.dll
2008-12-13 21:32:55 ----A---- C:\WINDOWS\system32\IPPCPUID.DLL
2008-12-13 21:32:42 ----A---- C:\WINDOWS\system32\pmsbfn32.dll
2008-12-13 21:32:00 ----D---- C:\Program Files\Common Files\PDFView
2008-12-13 21:31:59 ----D---- C:\WINDOWS\system32\color
2008-12-13 21:31:59 ----D---- C:\Program Files\NewSoft
2008-12-13 21:31:35 ----D---- C:\Documents and Settings\All Users\Application Data\SSScanWizard
2008-12-13 21:31:35 ----D---- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
2008-12-13 21:30:02 ----HD---- C:\WINDOWS\system32\CanonMF Uninstaller Information
2008-12-13 19:35:31 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2008-12-13 18:58:53 ----RA---- C:\WINDOWS\system32\AdobePDFUI.dll
2008-12-13 18:58:53 ----RA---- C:\WINDOWS\system32\AdobePDF.dll
2008-12-13 18:37:09 ----SHD---- C:\cmdcons
2008-12-13 18:37:08 ----D---- C:\WINDOWS\setup.pss
2008-12-13 18:33:05 ----ASH---- C:\Documents and Settings\HP_Administrator\Application Data\desktop.ini
2008-12-13 18:33:01 ----SD---- C:\Documents and Settings\HP_Administrator\Application Data\Microsoft
2008-12-13 18:33:01 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\Real
2008-12-13 18:33:01 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\Intuit
2008-12-13 18:33:01 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\Identities
2008-12-13 18:29:20 ----A---- C:\WINDOWS\system32\hidserv.dll
2008-12-13 18:22:22 ----D---- C:\Program Files\Symantec
2008-12-13 18:22:22 ----A---- C:\WINDOWS\system32\S32EVNT1.DLL
2008-12-13 18:21:05 ----D---- C:\Program Files\Windows Sidebar
2008-12-13 18:21:05 ----D---- C:\Program Files\Norton Internet Security
2008-12-13 18:20:53 ----D---- C:\Program Files\NortonInstaller
2008-12-13 18:05:24 ----RSHD---- C:\WINDOWS\system32\dllcache
2008-12-13 17:59:37 ----D---- C:\WINDOWS\system32\Adobe
2008-12-13 17:49:57 ----A---- C:\WINDOWS\system32\LuResult.txt
2008-12-13 17:49:13 ----D---- C:\WINDOWS\system32\appmgmt
2008-12-13 08:54:30 ----D---- C:\Program Files\trend micro
2008-12-13 08:54:29 ----D---- C:\WINDOWS\rsit
2008-12-13 08:53:24 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\HPQ
2008-12-10 15:45:40 ----D---- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-12-07 20:05:03 ----D---- C:\WINDOWS\Sun
2008-12-05 20:33:44 ----D---- C:\WINDOWS\Minidump
2008-12-03 17:57:00 ----HD---- C:\WINDOWS\PIF

======List of files/folders modified in the last 1 months======

2009-01-02 09:08:58 ----D---- C:\WINDOWS\Temp
2009-01-02 09:08:52 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-02 09:08:52 ----AD---- C:\WINDOWS
2009-01-02 09:08:50 ----D---- C:\WINDOWS\Registration
2009-01-02 09:08:29 ----D---- C:\WINDOWS\system32
2009-01-01 22:09:24 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-01 22:09:17 ----HD---- C:\WINDOWS\inf
2009-01-01 22:09:16 ----D---- C:\Program Files\Messenger
2009-01-01 22:09:14 ----HD---- C:\WINDOWS\$hf_mig$
2009-01-01 22:09:07 ----D---- C:\WINDOWS\Prefetch
2009-01-01 22:09:04 ----D---- C:\WINDOWS\system32\drivers
2009-01-01 22:08:41 ----HDC---- C:\WINDOWS\$NtUninstallKB923980$
2009-01-01 22:08:35 ----HDC---- C:\WINDOWS\$NtUninstallKB911280$
2009-01-01 22:08:30 ----HDC---- C:\WINDOWS\$NtUninstallKB896423$
2009-01-01 22:08:24 ----HDC---- C:\WINDOWS\$NtUninstallKB924270$
2009-01-01 22:08:07 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-01-01 22:07:31 ----HDC---- C:\WINDOWS\$NtUninstallKB930916$
2009-01-01 21:50:47 ----A---- C:\WINDOWS\ModemLog_Data Fax SoftModem with SmartCP.txt
2009-01-01 21:16:17 ----D---- C:\Program Files\Mozilla Firefox
2008-12-18 15:11:28 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-12-18 15:07:03 ----D---- C:\WINDOWS\msagent
2008-12-17 22:28:07 ----D---- C:\WINDOWS\Debug
2008-12-17 22:27:59 ----HDC---- C:\WINDOWS\$NtUninstallKB900485$
2008-12-17 22:27:50 ----HDC---- C:\WINDOWS\$NtUninstallKB931261$
2008-12-17 22:26:31 ----HDC---- C:\WINDOWS\$NtUninstallKB946026$
2008-12-17 22:26:16 ----HDC---- C:\WINDOWS\$NtUninstallKB932168$
2008-12-17 22:25:30 ----HDC---- C:\WINDOWS\$NtUninstallKB945553$
2008-12-17 22:24:54 ----HDC---- C:\WINDOWS\$NtUninstallKB920683$
2008-12-17 21:26:11 ----D---- C:\Downloads
2008-12-17 20:03:06 ----D---- C:\WINDOWS\system32\CatRoot
2008-12-17 20:02:16 ----D---- C:\WINDOWS\system32\DirectX
2008-12-17 20:01:42 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-17 20:01:42 ----D---- C:\Program Files
2008-12-17 20:00:44 ----SHD---- C:\WINDOWS\Installer
2008-12-17 20:00:34 ----HD---- C:\Config.Msi
2008-12-17 19:58:04 ----D---- C:\WINDOWS\WinSxS
2008-12-17 19:58:04 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-12-17 15:09:14 ----D---- C:\WINDOWS\nview
2008-12-17 15:09:14 ----D---- C:\WINDOWS\Help
2008-12-16 18:42:05 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-12-15 22:09:41 ----D---- C:\WINDOWS\security
2008-12-15 21:38:32 ----HD---- C:\hp
2008-12-15 21:36:28 ----A---- C:\WINDOWS\WININIT.INI
2008-12-15 21:35:44 ----RSD---- C:\WINDOWS\Fonts
2008-12-15 21:35:39 ----D---- C:\Program Files\Sonic
2008-12-15 21:35:39 ----D---- C:\Program Files\Common Files
2008-12-15 21:05:41 ----HDC---- C:\WINDOWS\$NtUninstallKB898461$
2008-12-15 19:18:05 ----D---- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-12-15 17:10:38 ----D---- C:\Program Files\DVD Shrink
2008-12-14 17:15:19 ----D---- C:\WINDOWS\Cursors
2008-12-14 17:09:16 ----D---- C:\Program Files\Online Services
2008-12-14 16:52:36 ----D---- C:\WINDOWS\system32\Restore
2008-12-14 16:45:43 ----D---- C:\Program Files\Windows NT
2008-12-14 16:39:55 ----AD---- C:\Program Files\Common Files\LightScribe
2008-12-14 16:38:29 ----D---- C:\WINDOWS\system32\RTCOM
2008-12-14 16:10:37 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-12-14 11:42:14 ----D---- C:\WINDOWS\AppPatch
2008-12-14 11:42:13 ----D---- C:\Program Files\Internet Explorer
2008-12-14 11:38:56 ----A---- C:\WINDOWS\win.ini
2008-12-14 11:38:44 ----D---- C:\Program Files\Windows Media Player
2008-12-14 11:27:08 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\uTorrent
2008-12-14 11:07:20 ----D---- C:\WINDOWS\system32\config
2008-12-14 11:06:59 ----HDC---- C:\WINDOWS\ie8
2008-12-14 11:03:30 ----HDC---- C:\WINDOWS\$NtUninstallKB932823-v3$
2008-12-14 11:01:11 ----D---- C:\Program Files\Leaf
2008-12-14 10:19:40 ----D---- C:\WINDOWS\Media
2008-12-14 10:18:48 ----D---- C:\WINDOWS\addins
2008-12-13 21:33:05 ----D---- C:\Program Files\Canon
2008-12-13 21:32:50 ----D---- C:\WINDOWS\system
2008-12-13 21:31:34 ----AC---- C:\WINDOWS\MAXLINK.INI
2008-12-13 21:31:27 ----D---- C:\Program Files\Common Files\ScanSoft Shared
2008-12-13 20:48:56 ----D---- C:\Program Files\Common Files\Adobe
2008-12-13 19:51:14 ----D---- C:\Program Files\Rhapsody
2008-12-13 19:36:00 ----D---- C:\WINDOWS\SoftwareDistribution
2008-12-13 19:13:14 ----D---- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-12-13 18:39:52 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-12-13 18:38:51 ----RSHD---- C:\RECYCLER
2008-12-13 18:37:34 ----RASH---- C:\boot.ini
2008-12-13 18:37:09 ----AC---- C:\WINDOWS\UPGRADE.TXT
2008-12-13 18:35:36 ----AD---- C:\WINDOWS\system32\pcintro
2008-12-13 18:33:01 ----D---- C:\Documents and Settings
2008-12-13 18:30:48 ----RASH---- C:\BOOT.BAK
2008-12-13 18:29:39 ----A---- C:\WINDOWS\system.ini
2008-12-13 18:29:11 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-12-13 18:28:51 ----D---- C:\Program Files\Microsoft Works
2008-12-13 18:28:40 ----D---- C:\WINDOWS\pchealth
2008-12-13 18:23:45 ----D---- C:\WINDOWS\I386
2008-12-13 18:22:22 ----D---- C:\Program Files\Common Files\Symantec Shared
2008-12-13 18:21:37 ----RSD---- C:\WINDOWS\assembly
2008-12-13 18:21:37 ----RD---- C:\WINDOWS\Web
2008-12-13 18:21:37 ----RD---- C:\WINDOWS\Offline Web Pages
2008-12-13 18:21:05 ----D---- C:\Documents and Settings\All Users\Application Data\Norton
2008-12-13 18:13:28 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2008-12-13 17:54:42 ----D---- C:\Program Files\WinRAR
2008-12-13 17:53:05 ----SD---- C:\WINDOWS\Tasks
2008-12-13 17:49:11 ----D---- C:\Program Files\Quicken
2008-12-13 17:49:06 ----A---- C:\WINDOWS\QUICKEN.INI
2008-12-13 17:48:16 ----D---- C:\Program Files\WildTangent
2008-12-13 17:48:14 ----D---- C:\Documents and Settings\All Users\Application Data\WildTangent
2008-12-13 17:40:07 ----D---- C:\Program Files\Free Download Manager
2008-12-13 16:58:41 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\Free Download Manager
2008-12-12 21:45:47 ----SHD---- C:\WINDOWS\CSC
2008-12-12 20:31:22 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\ZoomBrowser EX
2008-12-09 19:44:44 ----D---- C:\MTV_OUTPUT
2008-12-05 17:58:39 ----D---- C:\Program Files\SpiderMan Web of Shadows

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 BHDrvx86;Symantec Heuristics Driver; C:\WINDOWS\System32\Drivers\NIS\1001000.021\BHDrvx86.sys [2008-11-04 255536]
R1 ccHP;Symantec Hash Provider; C:\WINDOWS\System32\Drivers\NIS\1001000.021\ccHPx86.sys [2008-12-13 362544]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 ELhid;EL hid Service; \??\C:\WINDOWS\System32\Drivers\Elhid.sys []
R1 ELkbd;EL KB Service; \??\C:\WINDOWS\System32\Drivers\Elkbd.sys []
R1 ELmon;EL Monitor Service; \??\C:\WINDOWS\System32\Drivers\Elmon.sys []
R1 ELmou;EL Mouse Service; \??\C:\WINDOWS\System32\Drivers\Elmou.sys []
R1 IDSxpx86;IDSxpx86; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081212.001\IDSxpx86.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-04 14848]
R1 SRTSP;Symantec Real Time Storage Protection; C:\WINDOWS\System32\Drivers\NIS\1001000.021\SRTSP.SYS [2008-11-04 306736]
R1 SRTSPX;Symantec Real Time Storage Protection (PEL); C:\WINDOWS\System32\Drivers\NIS\1001000.021\SRTSPX.SYS [2008-11-04 43696]
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\NIS\1001000.021\SYMTDI.SYS [2008-12-13 198192]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2005-10-05 12544]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-10 60800]
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2006-05-16 229376]
R3 ELacpi;ELacpi; C:\WINDOWS\system32\DRIVERS\ELacpi.sys [2006-05-09 9728]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 hcwPP2;Hauppauge WinTV PVR PCI II ([23|25|26]xxx); C:\WINDOWS\system32\DRIVERS\hcwPP2.sys [2006-04-13 168064]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-08 138752]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 HSX_DP;HSX_DP; C:\WINDOWS\system32\DRIVERS\HSX_DP.sys [2005-12-06 936448]
R3 HSXHWBS2;HSXHWBS2; C:\WINDOWS\system32\DRIVERS\HSXHWBS2.sys [2005-12-06 241664]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-06-14 4299264]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NAVENG;NAVENG; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081216.022\NAVENG.SYS []
R3 NAVEX15;NAVEX15; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081216.022\NAVEX15.SYS []
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-10 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-10-31 3964256]
R3 SYMDNS;SYMDNS; C:\WINDOWS\System32\Drivers\NIS\1001000.021\SYMDNS.SYS [2008-12-13 12976]
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 SYMFW;SYMFW; C:\WINDOWS\System32\Drivers\NIS\1001000.021\SYMFW.SYS [2008-12-13 89904]
R3 SYMIDS;SYMIDS; C:\WINDOWS\System32\Drivers\NIS\1001000.021\SYMIDS.SYS [2008-12-13 34608]
R3 SymIMMP;SymIMMP; C:\WINDOWS\system32\DRIVERS\SymIM.sys [2008-12-13 35888]
R3 SYMNDIS;SYMNDIS; C:\WINDOWS\System32\Drivers\NIS\1001000.021\SYMNDIS.SYS [2008-12-13 37424]
R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\NIS\1001000.021\SYMREDRV.SYS [2008-12-13 24752]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2005-03-31 27008]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-09 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 winachsx;winachsx; C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys [2005-12-06 670208]
R3 WN5301;LIteon Wireless PCI Network Adapter Service; C:\WINDOWS\system32\DRIVERS\wn5301.sys [2005-10-05 468768]
S3 ac4w0s6w;ac4w0s6w; C:\WINDOWS\system32\drivers\ac4w0s6w.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-04 17024]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture; C:\WINDOWS\system32\drivers\cxfalcon.sys [2006-04-20 82048]
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-04 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 PCD5SRVC{8A863ACB-F5F6CC6A-05010004};PCD5SRVC{8A863ACB-F5F6CC6A-05010004} - PCDR Kernel Mode Service Helper Driver; \??\C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms []
S3 Ps2;PS2; C:\WINDOWS\system32\DRIVERS\PS2.sys [2005-12-12 19072]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-04 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-04 15360]
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\WINDOWS\system32\DRIVERS\SymIM.sys [2008-12-13 35888]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2005-12-15 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 ELService;Intel® Quick Resume technology; C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe [2006-06-02 180224]
R2 IAANTMON;Intel® Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [2006-07-06 90112]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-06-21 49152]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 Norton Internet Security;Norton Internet Security; C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe [2008-11-04 115560]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-31 155715]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-09 14336]
S2 .norton2009Reset;Norton2009 Reset; C:\Program Files\Norton2009Reset.exe [2008-09-17 549159]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-11-28 655624]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2004-08-09 14336]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\wmpnetwk.exe [2006-10-18 913408]

-----------------EOF-----------------


info.txt

info.txt logfile of random's system information tool 1.04 2009-01-02 09:09:44

======Uninstall list======

Sansa Media Converter-->"C:\Program Files\InstallShield Installation Information\{FC053571-8507-44E4-8B6D-AACEAB8CA57C}\setup.exe" --u:{FC053571-8507-44E4-8B6D-AACEAB8CA57C}
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\system32\UninstIPP.isu
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {F80239D8-7811-4D5E-B033-0D0BBFE32920}
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0CF63063-BD94-4A8B-9966-B6FDC3F55B38}\setup.exe" -l0x9
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 9 Pro - English, Français, Deutsch-->msiexec /I {AC76BA86-1033-F400-7760-000000000004}
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop CS4-->C:\Program Files\Common Files\Adobe\Installers\faf656ef605427ee2f42989c3ad31b8\Setup.exe --uninstall=1
Adobe Setup-->MsiExec.exe /I{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}
Adobe Shockwave Player 11-->C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Canon MF Toolbox 4.9.1.1.mf02-->MsiExec.exe /I{132CA5D9-C745-4B0B-A3B2-8C7A6EC3EE7E}
Canon MF3200 Series-->"C:\WINDOWS\system32\CanonMF Uninstaller Information\{269DBC9C-CAFC-472d-B1F1-0D327C2FFA76}\misc\DelDrv.exe" /U:{269DBC9C-CAFC-472d-B1F1-0D327C2FFA76} /L0x0000
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Customer Experience Enhancement-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{23012310-3E05-46A5-88A9-C6CBCABCAC79} /l1033
Data Fax SoftModem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1\HXFSETUP.EXE -U -ITrx200Ck.inf
DISCover-->"C:\Program Files\DISC\uninstall.exe"
DivX-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DVD Decrypter (Remove Only)-->"C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2-->"C:\Program Files\DVD Shrink\unins000.exe"
Easy Internet Sign-up-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{8105684D-8CA6-440D-8F58-7E5FD67A499D} /l1033
Enhanced Multimedia Keyboard Solution-->C:\HP\KBD\Install.exe /u
GemMaster Mystic-->"C:\Program Files\GemMaster\uninstallgemmaster.exe"
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 10 (KB910393)-->"C:\WINDOWS\$NtUninstallKB910393$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB893357)-->"C:\WINDOWS\$NtUninstallKB893357$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB906569)-->"C:\WINDOWS\$NtUninstallKB906569$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB912024)-->"C:\WINDOWS\$NtUninstallKB912024$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HP Boot Optimizer-->MsiExec.exe /X{1341D838-719C-4A05-B50F-49420CA1B4BB}
HP DigitalMedia Archive-->MsiExec.exe /X{F80239D8-7811-4D5E-B033-0D0BBFE32920}
HP DVD Play 2.1-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\Setup.exe" -uninstall
HP Imaging Device Functions 7.0-->C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart for Media Center PC-->c:\Program Files\HP\Digital Imaging\bin\mcpc\setupmcl.exe /u
HP Photosmart Premier Software 6.5-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Software Update-->MsiExec.exe /X{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}
HP Web Helper-->regsvr32 /u /s "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll"
Intel® Matrix Storage Manager-->C:\WINDOWS\System32\Imsmudlg.exe
Intel® PRO Network Connections Drivers-->Prounstl.exe
Intel® Quick Resume Technology Drivers-->C:\WINDOWS\System32\Elusetup.exe
Intel® Viiv™ Software-->MsiExec.exe /X{EEFEBB48-329E-46F6-AEB8-929A5BAFDB2F}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Macromedia Flash Player 8-->C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Works-->MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Mozilla Firefox (3.0.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
muvee autoProducer 5.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB4740B3-2530-452D-A825-F7AB246CA7DF}\setup.exe" -l0x9
muvee autoProducer unPlugged 2.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5FDD0538-C67A-4F67-B3F8-09D1AAF04D99}\setup.exe" -l0x9
Netscape Browser (remove only)-->"C:\Program Files\Netscape\Netscape Browser\NSUninst.exe"
Norton Internet Security-->C:\Program Files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\562C4DD5\16.1.0.33\InstStub.exe /X
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OmniPage SE 2.0-->MsiExec.exe /I{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}
PC-Doctor 5 for Windows-->C:\Program Files\PC-Doctor 5 for Windows\uninst.exe
Presto! PageManager 7.15.11-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA52A1AC-D35D-4D25-8686-9466FE2C5CE5}\Setup.exe" -l0x9 anything
Python 2.2 pywin32 extensions (build 203)-->"C:\Python22\Removepywin32.exe" -u "C:\Python22\pywin32-wininst.log"
Python 2.2.3-->C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Rhapsody-->C:\PROGRA~1\Rhapsody\Unwise32.exe /A C:\PROGRA~1\Rhapsody\INSTALL.LOG
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912812)-->"C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Sonic Express Labeler-->MsiExec.exe /X{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus-->MsiExec.exe /X{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio-->MsiExec.exe /X{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy-->MsiExec.exe /X{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data-->MsiExec.exe /X{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager-->MsiExec.exe /X{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Update for Windows XP (KB912945)-->"C:\WINDOWS\$NtUninstallKB912945$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB932823-v3)-->"C:\WINDOWS\$NtUninstallKB932823-v3$\spuninst\spuninst.exe"
Update for Windows XP (KB936357)-->"C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Updates from HP (remove only)-->C:\WINDOWS\HPCPCUninstall-9972322\HPBWSetup.exe -appid 9972322 -uninstall
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Internet Explorer 8 Beta 1-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB883667-->C:\WINDOWS\$NtUninstallKB883667$\spuninst\spuninst.exe
Windows XP Hotfix - KB885250-->C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113-->C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890175-->C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB892050-->"C:\WINDOWS\$NtUninstallKB892050$\spuninst\spuninst.exe"
Windows XP Hotfix - KB893066-->"C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB908246-->"C:\WINDOWS\$NtUninstallKB908246$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB912067-->"C:\WINDOWS\$NtUninstallKB912067$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Yahoo! Toolbar for Internet Explorer-->C:\PROGRA~1\Yahoo!\Common\unyt.exe

======Hosts File======

127.0.0.1 activate.adobe.com

======Security center information======

AV: Norton Internet Security (outdated)
FW: Norton Internet Security

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Python22
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=0f06
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"SonicCentral"=c:\Program Files\Common Files\Sonic Shared\Sonic Central\

-----------------EOF-----------------
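The driver and service lists in the RSIT log above are the part of such a log a responder reads first. The script below is an added triage example, not part of the original post and not part of RSIT or DDS. It parses lines in RSIT's `R1 name;display name; path [date size]` layout and flags the entries worth checking by hand: a missing `[date size]` stamp (RSIT could not stat the binary; this also happens for legitimate `\??\`-prefixed entries, so it means "verify", not "malware"), a service name that looks machine-generated, and a binary outside the usual system or program directories. The sample lines are copied from the log above except the last one, which is constructed to exercise the location check; the prefix list and the name heuristic are this example's own assumptions, not RSIT behaviour.

```python
"""Triage RSIT "List of drivers" / "List of services" lines.

Added example for this thread; not part of the original post, RSIT or DDS.
Each RSIT line has the layout

    R1 name;display name; C:\\path\\file.sys [YYYY-MM-DD size]

where R/S is running/stopped, the digit is the start type, and an empty []
means RSIT could not stat the file. Three checks flag entries to verify by
hand; none of them is a malware verdict.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines copied from the RSIT log posted above, plus one constructed line
# (example_svc) to exercise the location check.
SAMPLE_LINES = [
    r"R1 BHDrvx86;Symantec Heuristics Driver; C:\WINDOWS\System32\Drivers\NIS\1001000.021\BHDrvx86.sys [2008-11-04 255536]",
    r"R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []",
    r"R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2006-05-16 229376]",
    r"S3 ac4w0s6w;ac4w0s6w; C:\WINDOWS\system32\drivers\ac4w0s6w.sys []",
    r"S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]",
    r"S2 .norton2009Reset;Norton2009 Reset; C:\Program Files\Norton2009Reset.exe [2008-09-17 549159]",
    r"S3 example_svc;Example Service; C:\Documents and Settings\HP_Administrator\example.exe []",  # constructed
]

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"      # run state and start type
    r"(?P<name>[^;]+);(?P<display>[^;]*);\s*"  # service name; display name;
    r"(?P<path>\S.*?)\s*"                       # image path, may carry a \??\ prefix
    r"\[(?P<stamp>[^\]]*)\]\s*$"                # [date size] or []
)

# Assumed "normal" homes for drivers and service binaries on this XP box.
EXPECTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\progra~1\\",
    "c:\\documents and settings\\all users\\application data\\",
)

_RUN_RE = re.compile(r"[a-z]+|[0-9]+")


@dataclass
class Entry:
    state: str            # "R" running or "S" stopped
    start: int            # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str
    display: str
    path: str             # as printed by RSIT
    date: Optional[str]   # None when RSIT printed []
    size: Optional[int]


@dataclass
class Finding:
    entry: Entry
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an RSIT driver/service line, or None for other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, size = None, None
    stamp = m["stamp"].split()
    if len(stamp) == 2:
        date, size = stamp[0], int(stamp[1])
    return Entry(m["state"], int(m["start"]), m["name"].strip(),
                 m["display"].strip(), m["path"].strip(), date, size)


def normalize_path(path: str) -> str:
    """Lower-case the path and drop the NT object-manager prefix RSIT prints."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def looks_generated(name: str) -> bool:
    """Heuristic (an assumption, not an RSIT rule): an alphanumeric name whose
    letter and digit runs alternate at least three times, e.g. ab1cd2ef3.
    Vendor names such as rtl8139, e1express or BHDrvx86 alternate at most
    twice and are not flagged."""
    base = re.sub(r"(x86|x64|32|64)$", "", name.lower())
    if not base.isalnum() or not 6 <= len(base) <= 12:
        return False
    return len(_RUN_RE.findall(base)) - 1 >= 3


def triage(lines) -> List[Finding]:
    """Flag entries that need a manual look and record why."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = []
        if entry.date is None:
            reasons.append("no-stamp")               # file not found or not readable
        if looks_generated(entry.name):
            reasons.append("generated-name")
        if not normalize_path(entry.path).startswith(EXPECTED_PREFIXES):
            reasons.append("unexpected-location")
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


def report(findings: List[Finding]) -> List[str]:
    """One line per finding, ready to paste into a reply."""
    return [f"{f.entry.state}{f.entry.start} {f.entry.name}: "
            f"{', '.join(f.reasons)} -> {f.entry.path}" for f in findings]


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LINES)):
        print(line)
```

Run it as a script to print the report, or import it and call `triage()` on any pasted RSIT driver or service lines. A flagged entry is a starting point for checking whether the file exists and who signed it, not a verdict; Symantec's `eeCtrl` shows why the empty-stamp check alone is not enough.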


#2 KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 14 January 2009 - 01:29 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 aznriceboi13

aznriceboi13
  • Topic Starter

  • Members
  • 24 posts
  • Gender:Male

Posted 14 January 2009 - 04:11 PM

DDS (Ver_09-01-07.01) - NTFSx86
Run by HP_Administrator at 15:06:52.21 on Wed 01/14/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1449 [GMT -6:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\svhost.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\WINDOWS\explorer.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Page = hxxp://my.netzero.net/s/search?r=minisearch
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://my.netzero.net/s/search?r=minisearch
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=anhhungdung2&login=17e96bb308ae8db8204e94abaf98b1af/anhhungdung2:netzero.net/1229211587/30/sss.4.66753/&ts=494447c3&A=695072480003399&B=1220252400000&C=1220252400000&D=1079424000000&I=A0874DN.&N=PL&O=I&UT=companion
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uURLSearchHooks: URLSearchHook Class: {37d2cdbf-2af4-44aa-8113-bd0d2da3c2b8} - c:\program files\netzero\SearchEnh1.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Popup-Blocker Class: {52706ef7-d7a2-49ad-a615-e903858cf284} - c:\program files\netzero\qsacc\X1IEBHO.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\norton internet security\engine\16.1.0.33\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\norton internet security\engine\16.1.0.33\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\16.1.0.33\coIEPlg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [Free Download Manager] c:\program files\free download manager\fdm.exe -autorun
uRun: [13CFG914-K641-26SF-N31P] c:\recycler\s-1-5-21-0243336031-4052116379-881863308-0950\vsse33.exe
uRunOnce: [untd_recovery] "c:\program files\netzero\qsacc\x1exec.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [USB Storage Toolbox] c:\windows\umstor\Res.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [vcmc32] c:\windows\system32\vcmc32.exe
mRun: [naxmgr] c:\windows\system32\naxmgr.exe
mRun: [s3mgr] c:\windows\system32\svhost.exe
mRun: [wrm32] c:\windows\system32\wrm32.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: trymedia.com
TCP: {DB3C0724-B6D7-4157-A31F-8EEAB5CF5904} = 64.136.44.74 64.136.52.74
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1001000.021\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1001000.021\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1001000.021\BHDrvx86.sys [2008-12-16 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1001000.021\cchpx86.sys [2008-12-16 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20081220.001\IDSxpx86.sys [2009-1-3 274808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-12-13 99376]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20081216.022\NAVENG.SYS [2008-12-16 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20081216.022\NAVEX15.SYS [2008-12-16 876112]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2006-8-25 468768]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\16.1.0.33\ccSvcHst.exe [2008-12-16 115560]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2006-8-25 82048]
S3 PCD5SRVC{8A863ACB-F5F6CC6A-05010004};PCD5SRVC{8A863ACB-F5F6CC6A-05010004} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\PCD5SRVC.pkms [2006-5-10 21248]
S4 .norton2009Reset;Norton2009 Reset;c:\program files\Norton2009Reset.exe [2008-9-17 549159]
S4 BNDMSS;Windows Network Data Management System Service;c:\windows\system32\bndmss.exe --> c:\windows\system32\bndmss.exe [?]

=============== Created Last 30 ================

2009-01-14 14:57 254 a------- c:\documents and settings\hp_administrator\svnmgr.bat
2009-01-14 14:57 32,142 a------- c:\documents and settings\hp_administrator\svnmgr.exe
2009-01-14 14:57 28,762 a------- c:\documents and settings\hp_administrator\onbar2.exe
2009-01-14 14:56 25,754 a------- c:\documents and settings\hp_administrator\vcmc32.exe
2009-01-14 14:54 32,400 a------- c:\documents and settings\hp_administrator\dnrmgr32.exe
2009-01-14 14:54 25,754 a------- c:\documents and settings\hp_administrator\msmp3.exe
2009-01-14 14:54 9,064 a------- c:\documents and settings\hp_administrator\naxmgr.exe
2009-01-14 14:54 30,720 a------- c:\documents and settings\hp_administrator\fns.exe
2009-01-14 14:54 9,064 a------- c:\documents and settings\hp_administrator\s3mgr.exe
2009-01-14 12:04 31,480 a------- c:\windows\system32\wrm32.exe
2009-01-14 12:03 31,206 a------- c:\windows\system32\dnrmgr32.exe
2009-01-14 12:02 32,276 a------- c:\windows\system32\svhost.exe
2009-01-12 16:06 <DIR> --d----- c:\program files\SpiderMan Web of Shadows
2009-01-12 15:57 25,288 a------- c:\windows\system32\vcmc32.exe
2009-01-12 15:55 37,346 a------- c:\windows\system32\naxmgr.exe
2009-01-11 14:47 24,638 a------- c:\windows\system32\s3mgr.exe
2009-01-10 14:05 81,920 a------- c:\windows\system32\ieencode.dll
2009-01-10 14:05 81,920 a------- c:\windows\system32\dllcache\ieencode.dll
2009-01-10 09:11 7,552 a------- c:\windows\system32\drivers\SONYPVU1.SYS
2009-01-10 09:11 7,552 a------- c:\windows\system32\dllcache\sonypvu1.sys
2009-01-07 11:26 <DIR> --d----- C:\Memorex Vault
2009-01-06 22:00 <DIR> --d----- c:\windows\ie8updates
2009-01-06 22:00 <DIR> --d----- c:\program files\MSXML 4.0
2009-01-06 16:22 23,040 -------- c:\windows\kb913800.exe
2009-01-05 15:35 2,136,064 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-05 15:35 2,180,352 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-05 15:35 2,015,744 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-05 15:35 2,057,728 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-04 21:58 <DIR> --d----- c:\program files\MSXML 6.0
2009-01-04 19:00 <DIR> --d----- c:\program files\Teorex
2009-01-04 14:23 109 a------- c:\windows\DelToolbox.bat
2009-01-04 10:03 <DIR> --d----- c:\program files\Final Fantasy VII
2009-01-03 11:31 <DIR> --d----- c:\program files\Audiosurf
2009-01-03 09:33 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\SPORE
2009-01-03 08:53 <DIR> --d----- c:\windows\Logs
2009-01-03 08:52 81,768 a------- c:\windows\system32\xinput1_3.dll
2009-01-03 08:52 1,123,696 a------- c:\windows\system32\D3DCompiler_33.dll
2009-01-03 08:52 443,752 a------- c:\windows\system32\d3dx10_33.dll
2009-01-03 08:52 3,495,784 a------- c:\windows\system32\d3dx9_33.dll
2009-01-03 08:52 <DIR> --d----- c:\windows\system32\xlive
2009-01-02 22:01 <DIR> --d----- c:\windows\system32\XPSViewer
2009-01-02 22:01 14,048 -------- c:\windows\system32\spmsg2.dll
2009-01-02 21:53 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-12-17 20:15 102,415 a------- c:\windows\system32\msvcrt2.dll
2008-12-17 20:02 2,297,552 a------- c:\windows\system32\d3dx9_26.dll
2008-12-17 20:01 14,608 a------- c:\windows\system32\iviaspi.sys
2008-12-17 20:01 <DIR> --d----- c:\program files\SanDisk
2008-12-16 18:41 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\WinBatch
2008-12-15 21:35 <DIR> --d----- c:\program files\common files\TiVo Shared
2008-12-15 21:14 <DIR> --d----- c:\windows\setupupd
2008-12-15 21:07 272,128 -------- c:\windows\system32\drivers\bthport.sys
2008-12-15 21:07 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2008-12-15 21:06 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-15 21:05 <DIR> --d----- c:\windows\system32\PreInstall

==================== Find3M ====================

2008-12-13 18:35 1,971 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_RC647AA-ABA m7680n_YC_0Pavi_QMXX635_E64NAemMPA4_48_IBasswood_SASUSTek Computer INC._V1.01_B3.06_T060811_WXP2_L409_M2047_J250_7Intel_8Core2 6400_92.13_#080704_N168C001B_Z14F12F20_G10DE01D1.MRK
2008-12-13 18:22 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-13 18:22 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-13 18:22 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-13 18:22 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-13 18:22 35,888 a----r-- c:\windows\system32\drivers\SymIM.sys
2008-12-13 18:16 717,296 a------- c:\windows\system32\drivers\sptd.sys
2008-10-27 10:04 514,384 a------- c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 a------- c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2008-10-23 07:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2008-09-17 07:16 549,159 a--shr-- c:\program files\Norton2009Reset.exe
2006-10-15 14:28 32 ac-sh--- c:\windows\sminst\HPCD.SYS

============= FINISH: 15:07:28.87 ===============

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 15 January 2009 - 12:09 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable Norton Antivirus:
  • Right click on the Norton icon beside your clock and select Disable Auto-Protect.
  • Select a disabled duration of 5 hours to ensure that it will not interfere with this fix.
  • Click OK to apply the settings.
When done properly, you should receive a pop-up warning saying that protection was disabled. The Norton icon should now look like [image].

Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    [image]

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    [image]
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

In your next reply include:
-the ComboFix log
-a new HijackThis or DDS log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#5 aznriceboi13

aznriceboi13
  • Topic Starter

  • Members
  • 24 posts
  • Gender:Male

Posted 15 January 2009 - 09:43 PM

Well, I haven't seen any more problems right now, thanks for the help.
My ComboFix.exe log:

ComboFix 09-01-13.04 - HP_Administrator 2009-01-15 8:19:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1579 [GMT -6:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Outdated)
FW: Norton Internet Security *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\system32\svhost.exe
D:\install.exe
E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BNDMSS
-------\Service_BNDMSS


((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 )))))))))))))))))))))))))))))))
.

2009-01-15 16:38 . 2009-01-15 16:38 31,480 --a------ c:\windows\system32\wrm32.exe
2009-01-15 16:38 . 2009-01-15 16:38 31,480 --a------ c:\documents and settings\HP_Administrator\wrm32.exe
2009-01-15 16:38 . 2009-01-15 16:39 0 --a------ c:\documents and settings\HP_Administrator\wrm32.bat
2009-01-15 16:34 . 2009-01-15 16:34 30,316 --a------ c:\windows\system32\umdmgr.exe
2009-01-15 16:34 . 2009-01-15 16:34 25,288 --a------ c:\documents and settings\HP_Administrator\vcmc32.exe
2009-01-15 16:34 . 2009-01-15 16:36 0 --a------ c:\documents and settings\HP_Administrator\svnmgr.bat
2009-01-15 16:34 . 2009-01-15 18:59 0 --a------ c:\documents and settings\HP_Administrator\mscupdate.bat
2009-01-15 16:33 . 2009-01-15 16:33 32,276 --a------ c:\documents and settings\HP_Administrator\dnrmgr32.exe
2009-01-15 16:33 . 2009-01-15 16:36 0 --a------ c:\documents and settings\HP_Administrator\msmp3.bat
2009-01-15 16:33 . 2009-01-15 16:34 0 --a------ c:\documents and settings\HP_Administrator\dnrmgr32.bat
2009-01-15 16:32 . 2009-01-15 16:33 27,194 --a------ c:\documents and settings\HP_Administrator\s3mgr.exe
2009-01-15 16:32 . 2009-01-15 16:32 9,064 --a------ c:\documents and settings\HP_Administrator\plt32.exe
2009-01-15 16:32 . 2009-01-15 16:32 9,064 --a------ c:\documents and settings\HP_Administrator\fns.exe
2009-01-14 14:56 . 2009-01-14 14:56 25,754 --a------ c:\windows\system32\vcmc32.exe
2009-01-12 16:06 . 2009-01-12 16:06 <DIR> d-------- c:\program files\SpiderMan Web of Shadows
2009-01-11 14:47 . 2009-01-11 14:48 24,638 --a------ c:\windows\system32\s3mgr.exe
2009-01-10 14:05 . 2004-08-09 22:00 81,920 --a------ c:\windows\system32\ieencode.dll
2009-01-10 14:05 . 2004-08-09 22:00 81,920 --a------ c:\windows\system32\dllcache\ieencode.dll
2009-01-10 09:11 . 2001-08-17 13:56 7,552 --a------ c:\windows\system32\drivers\SONYPVU1.SYS
2009-01-10 09:11 . 2001-08-17 13:56 7,552 --a------ c:\windows\system32\dllcache\sonypvu1.sys
2009-01-07 11:26 . 2009-01-07 11:26 <DIR> d-------- C:\Memorex Vault
2009-01-06 22:00 . 2009-01-10 09:06 <DIR> d-------- c:\windows\ie8updates
2009-01-06 22:00 . 2009-01-06 22:00 <DIR> d-------- c:\program files\MSXML 4.0
2009-01-06 16:22 . 2006-03-20 21:23 23,040 --------- c:\windows\kb913800.exe
2009-01-05 15:35 . 2008-08-14 04:00 2,180,352 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-05 15:35 . 2008-08-14 03:58 2,136,064 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-05 15:35 . 2008-08-14 03:22 2,057,728 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-05 15:35 . 2008-08-14 03:22 2,015,744 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-04 21:58 . 2009-01-04 21:58 <DIR> d-------- c:\program files\MSXML 6.0
2009-01-04 19:00 . 2009-01-04 19:00 <DIR> d-------- c:\program files\Teorex
2009-01-04 14:23 . 2009-01-04 14:23 109 --a------ c:\windows\DelToolbox.bat
2009-01-04 10:03 . 2009-01-14 15:03 <DIR> d-------- c:\program files\Final Fantasy VII
2009-01-04 09:49 . 2009-01-04 10:18 <DIR> d-------- c:\program files\Electronic Arts
2009-01-03 11:31 . 2009-01-03 12:02 <DIR> d-------- c:\program files\Audiosurf
2009-01-03 09:33 . 2009-01-03 15:43 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\SPORE
2009-01-03 08:53 . 2009-01-03 08:53 <DIR> d-------- c:\windows\Logs
2009-01-03 08:52 . 2009-01-03 08:52 <DIR> d-------- c:\windows\system32\xlive
2009-01-03 08:52 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\system32\d3dx9_33.dll
2009-01-03 08:52 . 2007-03-12 16:42 1,123,696 --a------ c:\windows\system32\D3DCompiler_33.dll
2009-01-03 08:52 . 2007-03-15 16:57 443,752 --a------ c:\windows\system32\d3dx10_33.dll
2009-01-03 08:52 . 2007-04-04 18:53 81,768 --a------ c:\windows\system32\xinput1_3.dll
2009-01-02 22:04 . 2009-01-02 22:04 <DIR> d-------- c:\program files\MSBuild
2009-01-02 22:01 . 2009-01-02 22:01 <DIR> d-------- c:\windows\system32\XPSViewer
2009-01-02 22:01 . 2009-01-02 22:01 <DIR> d-------- c:\program files\Reference Assemblies
2009-01-02 22:01 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2009-01-02 21:53 . 2009-01-02 21:53 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2009-01-02 09:09 . 2009-01-02 09:09 <DIR> d-------- C:\rsit
2008-12-17 20:15 . 2008-12-17 20:15 102,415 --a------ c:\windows\system32\msvcrt2.dll
2008-12-17 20:02 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
2008-12-17 20:01 . 2008-12-17 20:01 <DIR> d-------- c:\program files\SanDisk
2008-12-17 20:01 . 2008-10-14 12:01 14,608 --a------ c:\windows\system32\iviaspi.sys
2008-12-16 18:41 . 2008-12-16 18:41 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\WinBatch
2008-12-15 21:35 . 2008-12-15 21:35 <DIR> d-------- c:\program files\Common Files\TiVo Shared
2008-12-15 21:07 . 2008-06-13 07:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-12-15 21:07 . 2008-06-13 07:10 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2008-12-15 21:06 . 2008-10-24 05:10 453,632 --------- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 04:18 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Free Download Manager
2009-01-11 23:01 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-11 22:57 --------- d-----w c:\program files\Free Download Manager
2009-01-04 20:23 --------- d-----w c:\program files\USB Disk Win98 Driver
2009-01-03 14:01 --------- d-----w c:\program files\Paint.NET
2008-12-16 03:35 --------- d-----w c:\program files\Sonic
2008-12-16 01:18 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-12-15 23:10 --------- d-----w c:\program files\DVD Shrink
2008-12-14 22:39 --------- d---a-w c:\program files\Common Files\LightScribe
2008-12-14 17:38 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-14 17:27 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\uTorrent
2008-12-14 03:33 --------- d-----w c:\program files\Canon
2008-12-14 03:32 --------- d-----w c:\program files\Common Files\PDFView
2008-12-14 03:31 --------- d-----w c:\program files\NewSoft
2008-12-14 03:31 --------- d-----w c:\program files\Common Files\ScanSoft Shared
2008-12-14 03:31 --------- d-----w c:\documents and settings\All Users\Application Data\SSScanWizard
2008-12-14 03:31 --------- d-----w c:\documents and settings\All Users\Application Data\SSScanAppDataDir
2008-12-14 02:48 --------- d-----w c:\program files\Common Files\Adobe
2008-12-14 01:51 --------- d-----w c:\program files\Rhapsody
2008-12-14 01:13 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-12-14 00:39 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-12-14 00:35 1,971 --sha-r c:\windows\system32\drivers\103C_HP_CPC_RC647AA-ABA m7680n_YC_0Pavi_QMXX635_E64NAemMPA4_48_IBasswood_SASUSTek Computer INC._V1.01_B3.06_T060811_WXP2_L409_M2047_J250_7Intel_8Core2 6400_92.13_#080704_N168C001B_Z14F12F20_G10DE01D1.MRK
2008-12-14 00:29 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-14 00:28 --------- d-----w c:\program files\Microsoft Works
2008-12-14 00:22 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-12-14 00:22 35,888 ----a-r c:\windows\system32\drivers\SymIM.sys
2008-12-14 00:22 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-14 00:22 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-14 00:22 --------- d-----w c:\program files\Symantec
2008-12-14 00:22 --------- d-----w c:\program files\Norton Internet Security
2008-12-14 00:22 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-14 00:21 --------- d-----w c:\program files\Windows Sidebar
2008-12-14 00:21 --------- d-----w c:\documents and settings\All Users\Application Data\Norton
2008-12-14 00:20 --------- d-----w c:\program files\NortonInstaller
2008-12-14 00:16 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-12-14 00:13 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-13 23:49 --------- d-----w c:\program files\Quicken
2008-12-13 23:48 --------- d-----w c:\program files\WildTangent
2008-12-13 23:48 --------- d-----w c:\documents and settings\All Users\Application Data\WildTangent
2008-12-13 14:59 --------- d-----w c:\program files\trend micro
2008-12-13 14:53 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\HPQ
2008-12-13 02:31 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\ZoomBrowser EX
2008-12-11 11:57 333,184 ------w c:\windows\system32\drivers\srv.sys
2008-12-10 22:34 --------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2008-12-02 23:03 --------- d-----w c:\program files\Best Buy Rhapsody
2008-11-28 16:11 --------- d-----w c:\program files\Adobe Media Player
2008-11-28 16:09 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-11-24 03:18 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\LimeWire
2008-11-22 03:12 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Sonic
2008-11-20 03:50 --------- d-----w c:\documents and settings\All Users\Application Data\muvee Technologies
2008-11-20 03:42 --------- d-----w c:\program files\DVD Decrypter
2008-11-15 20:42 --------- d-----w c:\program files\UniKey
2008-11-15 20:41 --------- d-----w c:\program files\NetZero
2008-11-15 20:41 --------- d-----w c:\program files\LimeWire
2008-11-15 20:41 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Orbit
2008-11-15 20:41 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Bioshock
2008-11-15 20:41 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-15 20:37 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Pmcc
2008-09-17 13:16 549,159 --sha-r c:\program files\Norton2009Reset.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"USB Storage Toolbox"="c:\windows\UMStor\Res.EXE" [2005-09-14 65536]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-25 180269]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 c:\windows\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2006-10-31 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vcmc32]
--a------ 2009-01-14 14:56 25754 c:\windows\system32\vcmc32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wrm32]
--a------ 2009-01-15 16:38 31480 c:\windows\system32\wrm32.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1001000.021\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1001000.021\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1001000.021\BHDrvx86.sys [2008-12-16 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1001000.021\cchpx86.sys [2008-12-16 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20081220.001\IDSxpx86.sys [2009-01-03 274808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-13 99376]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2006-08-25 468768]
R4 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe [2008-12-16 115560]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2006-08-25 82048]
S3 PCD5SRVC{8A863ACB-F5F6CC6A-05010004};PCD5SRVC{8A863ACB-F5F6CC6A-05010004} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2006-05-10 21248]
S4 .norton2009Reset;Norton2009 Reset;c:\program files\Norton2009Reset.exe [2008-09-17 549159]
.
Contents of the 'Scheduled Tasks' folder

2008-12-14 c:\windows\Tasks\Warranty Reminder 11 month.job
- c:\windows\system32\pcintro\reminder\Warranty_Reminder_11_month\Warranty_Reminder_11_month.bat [2008-12-13 18:35]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-13CFG914-K641-26SF-N31P - c:\recycler\S-1-5-21-0243336031-4052116379-881863308-0950\vsse33.exe
MSConfigStartUp-dnrmgr32 - c:\windows\system32\dnrmgr32.exe
MSConfigStartUp-naxmgr - c:\windows\system32\naxmgr.exe
MSConfigStartUp-s3mgr - c:\windows\system32\svhost.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=anhhungdung2&login=17e96bb308ae8db8204e94abaf98b1af/anhhungdung2:netzero.net/1229211587/30/sss.4.66753/&ts=494447c3&A=695072480003399&B=1220252400000&C=1220252400000&D=1079424000000&I=A0874DN.&N=PL&O=I&UT=companion
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
Trusted Zone: *.trymedia.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-15 08:28:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC{8A863ACB-F5F6CC6A-05010004}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3392608103-2373730388-1741899492-1007\Software\SecuROM\License information*]
"datasecu"=hex:cc,65,5c,94,8a,fa,6a,97,cc,a0,c1,0d,29,1d,e9,82,45,14,85,a6,2a,
d5,14,a5,05,dd,d7,85,46,cd,31,1b,c4,a7,c9,22,33,c6,e2,77,76,e1,cf,a8,d2,b8,\
"rkeysecu"=hex:61,59,2d,29,bc,a0,8e,a4,b3,bf,5f,e3,21,38,ed,90
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\ELService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-01-15 8:31:11 - machine was rebooted [HP_Administrator]
ComboFix-quarantined-files.txt 2009-01-15 14:31:08

Pre-Run: 94,830,514,176 bytes free
Post-Run: 94,758,445,056 bytes free

243 --- E O F --- 2009-01-15 04:19:55

rsit.exe results

Logfile of random's system information tool 1.04 (written by random/random)
Run by HP_Administrator at 2009-01-15 08:42:51
Microsoft Windows XP Professional Service Pack 2
System drive C: has 90 GB (39%) free of 230 GB
Total RAM: 2046 MB (73% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:54 AM, on 1/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\trend micro\HijackThis\HijackThis.exe
C:\Documents and Settings\HP_Administrator\Desktop\RSIT.exe
C:\Program Files\trend micro\HijackThis\HP_Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&...mp;UT=companion
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\coIEPlg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\WINDOWS\UMStor\Res.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB3C0724-B6D7-4157-A31F-8EEAB5CF5904}: NameServer = 64.136.44.74 64.136.52.74
O23 - Service: Norton2009 Reset (.norton2009Reset) - Unknown owner - C:\Program Files\Norton2009Reset.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9567 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Warranty Reminder 11 month.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-04-26 438848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52706EF7-D7A2-49AD-A615-E903858CF284}]
Popup-Blocker Class - C:\Program Files\NetZero\qsacc\X1IEBHO.dll [2006-07-05 175600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
Symantec NCO BHO - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\coIEPlg.dll [2008-11-04 340848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
Symantec Intrusion Prevention - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\IPSBHO.DLL [2008-12-13 107896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 184423]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAE832A-5FFF-4661-9C8F-369692D1DCB9}]
hpWebHelper Class - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2008-06-11 345480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CC59E0F9-7E43-44FA-9FAA-8377850BF205}]
FDMIECookiesBHO Class - C:\Program Files\Free Download Manager\iefdm2.dll [2007-11-26 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4971EE7-DAA0-4053-9964-665D8EE6A077}]
SmartSelect Class - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2008-06-11 345480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-04-26 438848]
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - Norton Toolbar - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\coIEPlg.dll [2008-11-04 340848]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2008-06-11 345480]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-06-13 16239616]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-31 7634944]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe [2005-11-10 36975]
"nwiz"=nwiz.exe /installquiet /keeploaded /nodetect []
"USB Storage Toolbox"=C:\WINDOWS\UMStor\Res.EXE [2005-09-14 65536]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2006-08-25 180269]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"untd_recovery"=C:\Program Files\NetZero\qsacc\x1exec.exe [2005-06-27 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vcmc32]
C:\WINDOWS\system32\vcmc32.exe [2009-01-14 25754]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wrm32]
C:\WINDOWS\system32\wrm32.exe [2009-01-15 31480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\DISC\DISCover.exe"="C:\Program Files\DISC\DISCover.exe:*:Enabled:DISCover Drop & Play System"
"C:\Program Files\DISC\DiscStreamHub.exe"="C:\Program Files\DISC\DiscStreamHub.exe:*:Enabled:DISCover Stream Hub"
"C:\Program Files\DISC\myFTP.exe"="C:\Program Files\DISC\myFTP.exe:*:Enabled:DISCover FTP"
"C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe"="C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe:*:Enabled:Updates from HP"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe"="C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe:*:Enabled:Updates from HP"

======List of files/folders created in the last 1 months======

2009-01-15 20:13:34 ----A---- C:\WINDOWS\zip.exe
2009-01-15 20:13:34 ----A---- C:\WINDOWS\SWREG.exe
2009-01-15 20:13:34 ----A---- C:\WINDOWS\NIRCMD.exe
2009-01-15 20:13:33 ----A---- C:\WINDOWS\VFIND.exe
2009-01-15 20:13:33 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-01-15 20:13:33 ----A---- C:\WINDOWS\SWSC.exe
2009-01-15 20:13:33 ----A---- C:\WINDOWS\sed.exe
2009-01-15 20:13:33 ----A---- C:\WINDOWS\grep.exe
2009-01-15 20:13:33 ----A---- C:\WINDOWS\fdsv.exe
2009-01-15 20:13:30 ----D---- C:\WINDOWS\ERDNT
2009-01-15 20:13:30 ----D---- C:\Qoobox
2009-01-15 16:38:38 ----A---- C:\WINDOWS\system32\wrm32.exe
2009-01-15 16:34:04 ----A---- C:\WINDOWS\system32\umdmgr.exe
2009-01-15 08:40:00 ----SHD---- C:\RECYCLER
2009-01-15 08:31:12 ----A---- C:\ComboFix.txt
2009-01-14 22:19:46 ----HDC---- C:\WINDOWS\$NtUninstallKB958215$
2009-01-14 22:19:32 ----HDC---- C:\WINDOWS\$NtUninstallKB960714$
2009-01-14 22:19:20 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-01-14 14:56:48 ----A---- C:\WINDOWS\system32\vcmc32.exe
2009-01-12 16:06:58 ----D---- C:\Program Files\SpiderMan Web of Shadows
2009-01-11 22:01:54 ----HDC---- C:\WINDOWS\$NtUninstallKB944338-v2$
2009-01-11 14:47:53 ----A---- C:\WINDOWS\system32\s3mgr.exe
2009-01-10 14:05:22 ----A---- C:\WINDOWS\system32\ieencode.dll
2009-01-07 11:26:36 ----D---- C:\Memorex Vault
2009-01-06 22:01:46 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2009-01-06 22:01:36 ----HDC---- C:\WINDOWS\$NtUninstallKB913800$
2009-01-06 22:01:15 ----HDC---- C:\WINDOWS\$NtUninstallKB939683$
2009-01-06 22:00:48 ----D---- C:\WINDOWS\ie8updates
2009-01-06 22:00:34 ----D---- C:\Program Files\MSXML 4.0
2009-01-06 16:22:31 ----N---- C:\WINDOWS\kb913800.exe
2009-01-05 22:27:32 ----HDC---- C:\WINDOWS\$NtUninstallKB943460$
2009-01-05 22:27:19 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-01-05 22:27:02 ----HDC---- C:\WINDOWS\$NtUninstallKB900725$
2009-01-05 22:26:52 ----HDC---- C:\WINDOWS\$NtUninstallKB930494$
2009-01-05 22:26:32 ----HDC---- C:\WINDOWS\$NtUninstallKB936782_WMP11$
2009-01-05 22:26:01 ----HDC---- C:\WINDOWS\$NtUninstallKB890859$
2009-01-04 21:58:50 ----D---- C:\Program Files\MSXML 6.0
2009-01-04 21:58:42 ----HDC---- C:\WINDOWS\$NtUninstallKB925720$
2009-01-04 21:58:33 ----HDC---- C:\WINDOWS\$NtUninstallKB929123$
2009-01-04 19:00:29 ----D---- C:\Program Files\Teorex
2009-01-04 14:23:45 ----A---- C:\WINDOWS\DelToolbox.bat
2009-01-04 14:00:21 ----A---- C:\WINDOWS\system32\XAudio2_3.dll
2009-01-04 14:00:21 ----A---- C:\WINDOWS\system32\XAPOFX1_2.dll
2009-01-04 14:00:21 ----A---- C:\WINDOWS\system32\D3DX9_40.dll
2009-01-04 14:00:21 ----A---- C:\WINDOWS\system32\d3dx10_40.dll
2009-01-04 14:00:21 ----A---- C:\WINDOWS\system32\D3DCompiler_40.dll
2009-01-04 14:00:20 ----A---- C:\WINDOWS\system32\XAudio2_2.dll
2009-01-04 14:00:20 ----A---- C:\WINDOWS\system32\XAPOFX1_1.dll
2009-01-04 14:00:20 ----A---- C:\WINDOWS\system32\xactengine3_3.dll
2009-01-04 14:00:20 ----A---- C:\WINDOWS\system32\xactengine3_2.dll
2009-01-04 14:00:20 ----A---- C:\WINDOWS\system32\X3DAudio1_5.dll
2009-01-04 14:00:19 ----A---- C:\WINDOWS\system32\XAudio2_1.dll
2009-01-04 14:00:19 ----A---- C:\WINDOWS\system32\XAPOFX1_0.dll
2009-01-04 14:00:19 ----A---- C:\WINDOWS\system32\xactengine3_1.dll
2009-01-04 14:00:19 ----A---- C:\WINDOWS\system32\D3DX9_39.dll
2009-01-04 14:00:19 ----A---- C:\WINDOWS\system32\d3dx10_39.dll
2009-01-04 14:00:19 ----A---- C:\WINDOWS\system32\D3DCompiler_39.dll
2009-01-04 14:00:18 ----A---- C:\WINDOWS\system32\XAudio2_0.dll
2009-01-04 14:00:18 ----A---- C:\WINDOWS\system32\X3DAudio1_4.dll
2009-01-04 14:00:18 ----A---- C:\WINDOWS\system32\D3DX9_38.dll
2009-01-04 14:00:18 ----A---- C:\WINDOWS\system32\d3dx10_38.dll
2009-01-04 14:00:18 ----A---- C:\WINDOWS\system32\D3DCompiler_38.dll
2009-01-04 14:00:17 ----A---- C:\WINDOWS\system32\xactengine3_0.dll
2009-01-04 14:00:17 ----A---- C:\WINDOWS\system32\X3DAudio1_3.dll
2009-01-04 14:00:17 ----A---- C:\WINDOWS\system32\D3DX9_37.dll
2009-01-04 14:00:17 ----A---- C:\WINDOWS\system32\d3dx10_37.dll
2009-01-04 14:00:17 ----A---- C:\WINDOWS\system32\D3DCompiler_37.dll
2009-01-04 14:00:16 ----A---- C:\WINDOWS\system32\xactengine2_10.dll
2009-01-04 14:00:16 ----A---- C:\WINDOWS\system32\d3dx9_36.dll
2009-01-04 14:00:16 ----A---- C:\WINDOWS\system32\d3dx10_36.dll
2009-01-04 14:00:16 ----A---- C:\WINDOWS\system32\D3DCompiler_36.dll
2009-01-04 14:00:15 ----A---- C:\WINDOWS\system32\xactengine2_9.dll
2009-01-04 14:00:15 ----A---- C:\WINDOWS\system32\d3dx9_35.dll
2009-01-04 14:00:15 ----A---- C:\WINDOWS\system32\d3dx10_35.dll
2009-01-04 14:00:15 ----A---- C:\WINDOWS\system32\D3DCompiler_35.dll
2009-01-04 14:00:14 ----A---- C:\WINDOWS\system32\xactengine2_8.dll
2009-01-04 14:00:14 ----A---- C:\WINDOWS\system32\X3DAudio1_2.dll
2009-01-04 14:00:14 ----A---- C:\WINDOWS\system32\d3dx9_34.dll
2009-01-04 14:00:14 ----A---- C:\WINDOWS\system32\d3dx10_34.dll
2009-01-04 14:00:14 ----A---- C:\WINDOWS\system32\D3DCompiler_34.dll
2009-01-04 14:00:13 ----A---- C:\WINDOWS\system32\xactengine2_7.dll
2009-01-04 14:00:13 ----A---- C:\WINDOWS\system32\xactengine2_6.dll
2009-01-04 14:00:13 ----A---- C:\WINDOWS\system32\xactengine2_5.dll
2009-01-04 14:00:12 ----A---- C:\WINDOWS\system32\xactengine2_4.dll
2009-01-04 14:00:12 ----A---- C:\WINDOWS\system32\xactengine2_3.dll
2009-01-04 14:00:12 ----A---- C:\WINDOWS\system32\x3daudio1_1.dll
2009-01-04 14:00:12 ----A---- C:\WINDOWS\system32\d3dx9_32.dll
2009-01-04 14:00:12 ----A---- C:\WINDOWS\system32\d3dx9_31.dll
2009-01-04 14:00:11 ----A---- C:\WINDOWS\system32\xinput1_2.dll
2009-01-04 14:00:11 ----A---- C:\WINDOWS\system32\xinput1_1.dll
2009-01-04 14:00:11 ----A---- C:\WINDOWS\system32\xactengine2_2.dll
2009-01-04 14:00:11 ----A---- C:\WINDOWS\system32\xactengine2_1.dll
2009-01-04 14:00:10 ----A---- C:\WINDOWS\system32\d3dx9_30.dll
2009-01-04 10:35:39 ----HDC---- C:\WINDOWS\$NtUninstallKB908250$
2009-01-04 10:03:28 ----D---- C:\Program Files\Final Fantasy VII
2009-01-04 09:49:03 ----D---- C:\Program Files\Electronic Arts
2009-01-03 22:02:50 ----HDC---- C:\WINDOWS\$NtUninstallKB923723$
2009-01-03 22:02:38 ----HDC---- C:\WINDOWS\$NtUninstallKB924667$
2009-01-03 22:02:26 ----HDC---- C:\WINDOWS\$NtUninstallKB927891$
2009-01-03 22:02:21 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-01-03 22:02:15 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2009-01-03 22:02:08 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2009-01-03 22:02:02 ----HDC---- C:\WINDOWS\$NtUninstallKB910437$
2009-01-03 22:01:53 ----HDC---- C:\WINDOWS\$NtUninstallKB941569$
2009-01-03 22:01:17 ----HDC---- C:\WINDOWS\$NtUninstallKB950749$
2009-01-03 22:01:05 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2009-01-03 11:31:10 ----D---- C:\Program Files\Audiosurf
2009-01-03 10:39:38 ----HDC---- C:\WINDOWS\$NtUninstallKB925398_WMP64$
2009-01-03 10:38:00 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-01-03 09:33:27 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\SPORE
2009-01-03 08:53:50 ----D---- C:\WINDOWS\Logs
2009-01-03 08:52:47 ----A---- C:\WINDOWS\system32\xinput1_3.dll
2009-01-03 08:52:46 ----A---- C:\WINDOWS\system32\d3dx10_33.dll
2009-01-03 08:52:46 ----A---- C:\WINDOWS\system32\D3DCompiler_33.dll
2009-01-03 08:52:45 ----A---- C:\WINDOWS\system32\d3dx9_33.dll
2009-01-03 08:52:28 ----D---- C:\WINDOWS\system32\xlive
2009-01-02 22:06:37 ----HDC---- C:\WINDOWS\$NtUninstallKB927779$
2009-01-02 22:06:31 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-01-02 22:06:25 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-01-02 22:06:18 ----HDC---- C:\WINDOWS\$NtUninstallKB937894$
2009-01-02 22:06:10 ----HDC---- C:\WINDOWS\$NtUninstallKB935448$
2009-01-02 22:06:05 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2009-01-02 22:06:00 ----HDC---- C:\WINDOWS\$NtUninstallKB938828$
2009-01-02 22:04:36 ----D---- C:\Program Files\MSBuild
2009-01-02 22:01:48 ----D---- C:\WINDOWS\system32\XPSViewer
2009-01-02 22:01:22 ----D---- C:\Program Files\Reference Assemblies
2009-01-02 22:01:04 ----N---- C:\WINDOWS\system32\spmsg2.dll
2009-01-02 21:58:08 ----HDC---- C:\WINDOWS\$NtUninstallWIC$
2009-01-02 21:53:40 ----A---- C:\WINDOWS\system32\CmdLineExt.dll
2009-01-02 13:00:01 ----HDC---- C:\WINDOWS\$NtUninstallKB920685$
2009-01-02 09:09:27 ----D---- C:\rsit
2009-01-01 22:09:15 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-01-01 22:09:07 ----HDC---- C:\WINDOWS\$NtUninstallKB928255$
2009-01-01 22:09:02 ----HDC---- C:\WINDOWS\$NtUninstallKB899591$
2009-01-01 22:08:57 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2009-01-01 22:08:51 ----HDC---- C:\WINDOWS\$NtUninstallKB933729$
2009-01-01 22:08:45 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2009-01-01 22:08:18 ----HDC---- C:\WINDOWS\$NtUninstallKB936357$
2009-01-01 22:08:12 ----HDC---- C:\WINDOWS\$NtUninstallKB925902$
2009-01-01 22:07:56 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-01-01 22:07:49 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-01-01 22:07:41 ----HDC---- C:\WINDOWS\$NtUninstallKB888302$
2009-01-01 22:07:36 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-01-01 22:07:22 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-01-01 22:07:15 ----HDC---- C:\WINDOWS\$NtUninstallKB913580$
2009-01-01 22:07:09 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-01-01 22:06:57 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2008-12-17 22:26:36 ----A---- C:\WINDOWS\system32\MRT.exe
2008-12-17 22:26:23 ----HDC---- C:\WINDOWS\$NtUninstallKB920872$
2008-12-17 22:26:09 ----HDC---- C:\WINDOWS\$NtUninstallKB922582$
2008-12-17 22:25:59 ----HDC---- C:\WINDOWS\$NtUninstallKB918118$
2008-12-17 22:25:53 ----HDC---- C:\WINDOWS\$NtUninstallKB929399$
2008-12-17 22:25:24 ----HDC---- C:\WINDOWS\$NtUninstallKB886185$
2008-12-17 22:25:17 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-17 22:25:11 ----HDC---- C:\WINDOWS\$NtUninstallKB896428$
2008-12-17 22:25:05 ----HDC---- C:\WINDOWS\$NtUninstallKB935839$
2008-12-17 20:15:31 ----A---- C:\WINDOWS\system32\msvcrt2.dll
2008-12-17 20:02:15 ----A---- C:\WINDOWS\system32\xactengine2_0.dll
2008-12-17 20:02:15 ----A---- C:\WINDOWS\system32\x3daudio1_0.dll
2008-12-17 20:02:08 ----A---- C:\WINDOWS\system32\d3dx9_29.dll
2008-12-17 20:02:08 ----A---- C:\WINDOWS\system32\d3dx9_28.dll
2008-12-17 20:02:07 ----A---- C:\WINDOWS\system32\xinput9_1_0.dll
2008-12-17 20:02:07 ----A---- C:\WINDOWS\system32\d3dx9_27.dll
2008-12-17 20:02:06 ----A---- C:\WINDOWS\system32\d3dx9_26.dll
2008-12-17 20:02:06 ----A---- C:\WINDOWS\system32\d3dx9_25.dll
2008-12-17 20:02:06 ----A---- C:\WINDOWS\system32\d3dx9_24.dll
2008-12-17 20:01:42 ----D---- C:\Program Files\SanDisk
2008-12-17 20:01:32 ----N---- C:\WINDOWS\system32\spmsg.dll
2008-12-16 22:35:22 ----HDC---- C:\WINDOWS\$NtUninstallKB899587$
2008-12-16 22:35:16 ----HDC---- C:\WINDOWS\$NtUninstallKB918439$
2008-12-16 22:35:09 ----HDC---- C:\WINDOWS\$NtUninstallKB930178$
2008-12-16 22:35:03 ----HDC---- C:\WINDOWS\$NtUninstallKB905414$
2008-12-16 22:34:52 ----HDC---- C:\WINDOWS\$NtUninstallKB935840$
2008-12-16 18:41:55 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\WinBatch

======List of files/folders modified in the last 1 months======

2009-01-15 18:59:44 ----RASH---- C:\boot.ini
2009-01-15 18:59:44 ----A---- C:\WINDOWS\win.ini
2009-01-15 18:44:39 ----HD---- C:\WINDOWS\inf
2009-01-15 08:42:52 ----D---- C:\WINDOWS\Temp
2009-01-15 08:42:47 ----D---- C:\WINDOWS\Prefetch
2009-01-15 08:41:08 ----A---- C:\WINDOWS\ModemLog_Data Fax SoftModem with SmartCP.txt
2009-01-15 08:40:13 ----D---- C:\Program Files\Mozilla Firefox
2009-01-15 08:40:00 ----AD---- C:\WINDOWS
2009-01-15 08:31:14 ----D---- C:\WINDOWS\system32\drivers
2009-01-15 08:31:14 ----D---- C:\WINDOWS\system32
2009-01-15 08:28:08 ----A---- C:\WINDOWS\system.ini
2009-01-15 08:26:44 ----D---- C:\WINDOWS\Registration
2009-01-15 08:26:25 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-15 08:23:32 ----D---- C:\WINDOWS\system32\config
2009-01-15 08:22:16 ----D---- C:\WINDOWS\AppPatch
2009-01-15 08:22:16 ----D---- C:\Program Files\Common Files
2009-01-15 08:19:23 ----N---- C:\WINDOWS\SchedLgU.Txt
2009-01-14 22:19:52 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-01-14 22:19:50 ----D---- C:\Program Files\Internet Explorer
2009-01-14 22:19:38 ----HD---- C:\WINDOWS\$hf_mig$
2009-01-14 22:18:48 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\Free Download Manager
2009-01-14 21:31:27 ----D---- C:\MTV_OUTPUT
2009-01-14 19:26:48 ----D---- C:\WINDOWS\UMStor
2009-01-14 15:06:43 ----D---- C:\Downloads
2009-01-12 18:35:01 ----SD---- C:\WINDOWS\Tasks
2009-01-12 16:33:07 ----D---- C:\Program Files
2009-01-11 22:02:03 ----D---- C:\WINDOWS\system32\CatRoot
2009-01-11 17:01:02 ----HD---- C:\Program Files\InstallShield Installation Information
2009-01-11 16:57:58 ----D---- C:\Program Files\Free Download Manager
2009-01-11 11:57:45 ----D---- C:\WINDOWS\security
2009-01-11 09:00:27 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-01-11 08:43:59 ----D---- C:\WINDOWS\Help
2009-01-11 08:43:58 ----D---- C:\WINDOWS\system32\en-US
2009-01-10 14:10:00 ----D---- C:\WINDOWS\Debug
2009-01-07 21:59:13 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\Real
2009-01-06 22:00:34 ----SHD---- C:\WINDOWS\Installer
2009-01-06 22:00:34 ----HD---- C:\Config.Msi
2009-01-06 22:00:34 ----D---- C:\WINDOWS\WinSxS
2009-01-05 22:26:56 ----RSD---- C:\WINDOWS\assembly
2009-01-04 21:58:35 ----D---- C:\Program Files\Outlook Express
2009-01-04 21:58:35 ----D---- C:\Program Files\Common Files\System
2009-01-04 14:23:45 ----D---- C:\Program Files\USB Disk Win98 Driver
2009-01-04 14:00:22 ----D---- C:\WINDOWS\system32\DirectX
2009-01-03 22:02:46 ----HDC---- C:\WINDOWS\$NtUninstallKB893756$
2009-01-03 10:38:13 ----HDC---- C:\WINDOWS\$NtUninstallKB905749$
2009-01-03 08:52:28 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-01-03 08:01:27 ----D---- C:\Program Files\Paint.NET
2009-01-02 22:05:54 ----HDC---- C:\WINDOWS\$NtUninstallKB923191$
2009-01-02 22:01:44 ----RSD---- C:\WINDOWS\Fonts
2009-01-02 22:01:13 ----D---- C:\WINDOWS\system32\spool
2009-01-01 22:09:16 ----D---- C:\Program Files\Messenger
2009-01-01 22:08:41 ----HDC---- C:\WINDOWS\$NtUninstallKB923980$
2009-01-01 22:08:35 ----HDC---- C:\WINDOWS\$NtUninstallKB911280$
2009-01-01 22:08:30 ----HDC---- C:\WINDOWS\$NtUninstallKB896423$
2009-01-01 22:08:24 ----HDC---- C:\WINDOWS\$NtUninstallKB924270$
2009-01-01 22:08:07 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-01-01 22:07:31 ----HDC---- C:\WINDOWS\$NtUninstallKB930916$
2008-12-18 15:07:03 ----D---- C:\WINDOWS\msagent
2008-12-17 22:27:59 ----HDC---- C:\WINDOWS\$NtUninstallKB900485$
2008-12-17 22:27:50 ----HDC---- C:\WINDOWS\$NtUninstallKB931261$
2008-12-17 22:26:31 ----HDC---- C:\WINDOWS\$NtUninstallKB946026$
2008-12-17 22:26:16 ----HDC---- C:\WINDOWS\$NtUninstallKB932168$
2008-12-17 22:25:30 ----HDC---- C:\WINDOWS\$NtUninstallKB945553$
2008-12-17 22:24:54 ----HDC---- C:\WINDOWS\$NtUninstallKB920683$
2008-12-17 19:58:04 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-12-17 15:09:14 ----D---- C:\WINDOWS\nview
2008-12-16 18:42:05 ----D---- C:\WINDOWS\system32\ReinstallBackups

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 BHDrvx86;Symantec Heuristics Driver; C:\WINDOWS\System32\Drivers\NIS\1001000.021\BHDrvx86.sys [2008-11-04 255536]
R1 ccHP;Symantec Hash Provider; C:\WINDOWS\System32\Drivers\NIS\1001000.021\ccHPx86.sys [2008-12-13 362544]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 ELhid;EL hid Service; \??\C:\WINDOWS\System32\Drivers\Elhid.sys []
R1 ELkbd;EL KB Service; \??\C:\WINDOWS\System32\Drivers\Elkbd.sys []
R1 ELmon;EL Monitor Service; \??\C:\WINDOWS\System32\Drivers\Elmon.sys []
R1 ELmou;EL Mouse Service; \??\C:\WINDOWS\System32\Drivers\Elmou.sys []
R1 IDSxpx86;IDSxpx86; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081220.001\IDSxpx86.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-04 14848]
R1 SRTSP;Symantec Real Time Storage Protection; C:\WINDOWS\System32\Drivers\NIS\1001000.021\SRTSP.SYS [2008-11-04 306736]
R1 SRTSPX;Symantec Real Time Storage Protection (PEL); C:\WINDOWS\System32\Drivers\NIS\1001000.021\SRTSPX.SYS [2008-11-04 43696]
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\NIS\1001000.021\SYMTDI.SYS [2008-12-13 198192]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2005-10-05 12544]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-10 60800]
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2006-05-16 229376]
R3 ELacpi;ELacpi; C:\WINDOWS\system32\DRIVERS\ELacpi.sys [2006-05-09 9728]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 hcwPP2;Hauppauge WinTV PVR PCI II ([23|25|26]xxx); C:\WINDOWS\system32\DRIVERS\hcwPP2.sys [2006-04-13 168064]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-08 138752]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 HSX_DP;HSX_DP; C:\WINDOWS\system32\DRIVERS\HSX_DP.sys [2005-12-06 936448]
R3 HSXHWBS2;HSXHWBS2; C:\WINDOWS\system32\DRIVERS\HSXHWBS2.sys [2005-12-06 241664]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-06-14 4299264]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NAVENG;NAVENG; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081216.022\NAVENG.SYS []
R3 NAVEX15;NAVEX15; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081216.022\NAVEX15.SYS []
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-10 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-10-31 3964256]
R3 SYMDNS;SYMDNS; C:\WINDOWS\System32\Drivers\NIS\1001000.021\SYMDNS.SYS [2008-12-13 12976]
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 SYMFW;SYMFW; C:\WINDOWS\System32\Drivers\NIS\1001000.021\SYMFW.SYS [2008-12-13 89904]
R3 SYMIDS;SYMIDS; C:\WINDOWS\System32\Drivers\NIS\1001000.021\SYMIDS.SYS [2008-12-13 34608]
R3 SymIMMP;SymIMMP; C:\WINDOWS\system32\DRIVERS\SymIM.sys [2008-12-13 35888]
R3 SYMNDIS;SYMNDIS; C:\WINDOWS\System32\Drivers\NIS\1001000.021\SYMNDIS.SYS [2008-12-13 37424]
R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\NIS\1001000.021\SYMREDRV.SYS [2008-12-13 24752]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2005-03-31 27008]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-09 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 winachsx;winachsx; C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys [2005-12-06 670208]
R3 WN5301;LIteon Wireless PCI Network Adapter Service; C:\WINDOWS\system32\DRIVERS\wn5301.sys [2005-10-05 468768]
S3 a4nm76qr;a4nm76qr; C:\WINDOWS\system32\drivers\a4nm76qr.sys []
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-04 17024]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture; C:\WINDOWS\system32\drivers\cxfalcon.sys [2006-04-20 82048]
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-04 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 PCD5SRVC{8A863ACB-F5F6CC6A-05010004};PCD5SRVC{8A863ACB-F5F6CC6A-05010004} - PCDR Kernel Mode Service Helper Driver; \??\C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms []
S3 Ps2;PS2; C:\WINDOWS\system32\DRIVERS\PS2.sys [2005-12-12 19072]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-04 11136]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-04 15360]
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\WINDOWS\system32\DRIVERS\SymIM.sys [2008-12-13 35888]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2005-12-15 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 ELService;Intel® Quick Resume technology; C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe [2006-06-02 180224]
R2 IAANTMON;Intel® Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [2006-07-06 90112]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-06-21 49152]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 Norton Internet Security;Norton Internet Security; C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe [2008-11-04 115560]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-09 14336]
S2 .norton2009Reset;Norton2009 Reset; C:\Program Files\Norton2009Reset.exe [2008-09-17 549159]
S2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-31 155715]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-11-28 655624]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2004-08-09 14336]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\wmpnetwk.exe [2006-10-18 913408]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]

-----------------EOF-----------------

Edited by aznriceboi13, 15 January 2009 - 09:45 PM.


#6 PropagandaPanda (Malware Response Team)

Posted 16 January 2009 - 08:10 AM

Hello aznriceboi13.

Please make sure your protection is disabled.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    File::
    c:\windows\system32\wrm32.exe
    c:\documents and settings\HP_Administrator\wrm32.exe
    c:\documents and settings\HP_Administrator\wrm32.bat
    c:\windows\system32\umdmgr.exe
    c:\documents and settings\HP_Administrator\vcmc32.exe
    c:\documents and settings\HP_Administrator\svnmgr.bat
    c:\documents and settings\HP_Administrator\mscupdate.bat
    c:\documents and settings\HP_Administrator\dnrmgr32.exe
    c:\documents and settings\HP_Administrator\msmp3.bat
    c:\documents and settings\HP_Administrator\dnrmgr32.bat
    c:\documents and settings\HP_Administrator\s3mgr.exe
    c:\documents and settings\HP_Administrator\plt32.exe
    c:\documents and settings\HP_Administrator\fns.exe
    c:\windows\system32\vcmc32.exe
    c:\windows\system32\s3mgr.exe
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vcmc32]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wrm32]
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download the Malwarebytes Anti-Malware setup file and save it to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using FileAssassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

Please post back with:
-the ComboFix log
-the MalwareBytes log

Any symptoms at this point?

With Regards,
The Panda
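Added example, not part of the thread and not RSIT, ComboFix or Malwarebytes code: a small Python triage pass over log lines in the two formats posted here (RSIT's file listings and ComboFix's "Files Created", "Other Deletions" and "ORPHANS REMOVED" sections), flagging the kinds of entries the CFScript above targets: executables dropped straight into the user profile root, same-named .exe/.bat pairs in one folder, a file name one letter off svchost.exe, and an executable under RECYCLER. The system-process list, the recycle-folder names and the C:\Users profile layout are assumptions; the sample lines are copied from the logs in this thread.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

EXEC_EXT = {".exe", ".bat", ".cmd", ".com", ".scr", ".pif"}
# Process names malware likes to imitate (assumption: a short starter list).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "explorer.exe", "services.exe", "smss.exe"}
RECYCLE_DIRS = {"recycler", "recycled", "$recycle.bin"}  # assumption

# RSIT file-listing line:
#   2008-12-17 20:15:31 ----A---- C:\WINDOWS\system32\msvcrt2.dll
RSIT_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} -{4}[A-Z]*-{4} (.+)$")
# ComboFix "Files Created" line:
#   2009-01-16 14:21 . 2009-01-16 14:21 9,064 --a------ c:\...\msmp3.exe
CF_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
                   r"\s+(?:<DIR>|[\d,]+)\s+[-a-z]{9}\s+(.+)$")
# Bare path, as in "Other Deletions", "ORPHANS REMOVED" (HKLM-Run- prefix) and
# the startupreg dump (trailing "[BU]" annotation).
BARE_RE = re.compile(r"^(?:HKLM-Run-\S+ - )?([A-Za-z]:\\.+?)(?: \[[^\]]*\])?$")


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def extract_path(line: str):
    """Return the Windows path carried by a log line, or None for other lines."""
    line = line.strip()
    for rx in (RSIT_RE, CF_RE, BARE_RE):
        m = rx.match(line)
        if m:
            return m.group(1)
    return None


def within_one_edit(a: str, b: str) -> bool:
    """True when a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]  # one substitution at position i
    return a[i:] == b[i + 1:]          # one extra character in b at position i


def in_profile_root(parts) -> bool:
    """File directly under C:\\Documents and Settings\\<user> (or, on newer
    Windows, C:\\Users\\<user>; that second form is an assumption)."""
    return len(parts) == 4 and parts[1].lower() in ("documents and settings", "users")


def triage(lines):
    """Flag executables in suspicious places or with suspicious names."""
    paths = list(dict.fromkeys(p for p in map(extract_path, lines) if p))
    # Same-folder files that differ only by extension share a key, so the
    # wrm32.exe / wrm32.bat pairing from the thread can be spotted.
    pairs = {}
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name:
            pairs.setdefault(str(wp.with_suffix("")).lower(), set()).add(wp.suffix.lower())
    findings = []
    for p in paths:
        wp = PureWindowsPath(p)
        name, ext = wp.name.lower(), wp.suffix.lower()
        if ext not in EXEC_EXT:
            continue
        if in_profile_root(wp.parts):
            findings.append(Finding(p, "executable directly in a user profile root"))
        if {".exe", ".bat"} <= pairs[str(wp.with_suffix("")).lower()]:
            findings.append(Finding(p, "same-named .exe/.bat pair in one folder"))
        if any(d.lower() in RECYCLE_DIRS for d in wp.parts[:-1]):
            findings.append(Finding(p, "executable under a recycle-bin folder"))
        twins = [s for s in SYSTEM_NAMES if within_one_edit(name, s)]
        if name not in SYSTEM_NAMES and twins:
            findings.append(Finding(p, f"name imitates system process {twins[0]}"))
    return findings


# Sample lines copied from the RSIT and ComboFix logs posted in this thread.
SAMPLE_LINES = [
    r"2008-12-17 20:15:31 ----A---- C:\WINDOWS\system32\msvcrt2.dll",
    r"2009-01-16 14:21 . 2009-01-16 14:21 9,064 --a------ c:\documents and settings\HP_Administrator\msmp3.exe",
    r"2009-01-16 14:59 . 2009-01-16 14:59 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware",
    r"2009-01-16 14:59 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys",
    r"c:\documents and settings\HP_Administrator\wrm32.bat",
    r"c:\documents and settings\HP_Administrator\wrm32.exe",
    r"c:\windows\system32\svhost.exe",
    r"HKLM-Run-dnrmgr32 - c:\windows\system32\svhost.exe",
    r"c:\recycler\S-1-5-21-0243336031-4052116379-881863308-0950\vsse33.exe [BU]",
]
```

Running `triage(SAMPLE_LINES)` returns seven findings: the two wrm32 files (profile root plus pair), msmp3.exe (profile root), svhost.exe (imitates svchost.exe) and vsse33.exe (recycler), while the Malwarebytes entries and the .dll/.sys files are left alone.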

#7 aznriceboi13 (Topic Starter)

Posted 16 January 2009 - 06:22 PM

The trojans came back after the second reboot after I did ComboFix; then they were removed again, then I rebooted, then they came back. Then I used Malwarebytes' Anti-Malware, which found them and deleted them, though I have a feeling they'll come back.

My ComboFix log:

ComboFix 09-01-13.04 - HP_Administrator 2009-01-16 15:39:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1522 [GMT -6:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*
* Created a new restore point

FILE ::
c:\documents and settings\HP_Administrator\dnrmgr32.bat
c:\documents and settings\HP_Administrator\dnrmgr32.exe
c:\documents and settings\HP_Administrator\fns.exe
c:\documents and settings\HP_Administrator\mscupdate.bat
c:\documents and settings\HP_Administrator\msmp3.bat
c:\documents and settings\HP_Administrator\plt32.exe
c:\documents and settings\HP_Administrator\s3mgr.exe
c:\documents and settings\HP_Administrator\svnmgr.bat
c:\documents and settings\HP_Administrator\vcmc32.exe
c:\documents and settings\HP_Administrator\wrm32.bat
c:\documents and settings\HP_Administrator\wrm32.exe
c:\windows\system32\s3mgr.exe
c:\windows\system32\umdmgr.exe
c:\windows\system32\vcmc32.exe
c:\windows\system32\wrm32.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\dnrmgr32.exe
c:\documents and settings\HP_Administrator\fns.exe
c:\documents and settings\HP_Administrator\s3mgr.exe
c:\documents and settings\HP_Administrator\svnmgr.bat
c:\documents and settings\HP_Administrator\vcmc32.exe
c:\documents and settings\HP_Administrator\wrm32.bat
c:\documents and settings\HP_Administrator\wrm32.exe
c:\windows\system32\s3mgr.exe
c:\windows\system32\svhost.exe
c:\windows\system32\umdmgr.exe
c:\windows\system32\vcmc32.exe
c:\windows\system32\wrm32.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
.

2009-01-16 14:59 . 2009-01-16 14:59 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-16 14:59 . 2009-01-16 14:59 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-01-16 14:59 . 2009-01-16 14:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-16 14:59 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-16 14:59 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-16 14:24 . 2009-01-16 14:26 0 --a------ c:\documents and settings\HP_Administrator\vcmc32.bat
2009-01-16 14:21 . 2009-01-16 14:22 38,108 --a------ c:\documents and settings\HP_Administrator\nocmgr.exe
2009-01-16 14:21 . 2009-01-16 14:21 9,064 --a------ c:\documents and settings\HP_Administrator\msmp3.exe
2009-01-16 14:18 . 2009-01-16 14:18 <DIR> d-------- C:\mspformat
2009-01-16 14:18 . 2009-01-16 14:18 <DIR> d-------- C:\msinst
2009-01-15 09:50 . 2009-01-15 09:50 <DIR> d-------- c:\program files\CubeDesktop
2009-01-15 09:50 . 2009-01-15 09:50 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Thinking Minds Budiling Bytes
2009-01-12 16:06 . 2009-01-12 16:06 <DIR> d-------- c:\program files\SpiderMan Web of Shadows
2009-01-10 14:05 . 2004-08-09 22:00 81,920 --a------ c:\windows\system32\ieencode.dll
2009-01-10 14:05 . 2004-08-09 22:00 81,920 --a------ c:\windows\system32\dllcache\ieencode.dll
2009-01-10 09:11 . 2001-08-17 13:56 7,552 --a------ c:\windows\system32\drivers\SONYPVU1.SYS
2009-01-10 09:11 . 2001-08-17 13:56 7,552 --a------ c:\windows\system32\dllcache\sonypvu1.sys
2009-01-07 11:26 . 2009-01-07 11:26 <DIR> d-------- C:\Memorex Vault
2009-01-06 22:00 . 2009-01-10 09:06 <DIR> d-------- c:\windows\ie8updates
2009-01-06 22:00 . 2009-01-06 22:00 <DIR> d-------- c:\program files\MSXML 4.0
2009-01-06 16:22 . 2006-03-20 21:23 23,040 --------- c:\windows\kb913800.exe
2009-01-05 15:35 . 2008-08-14 04:00 2,180,352 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-05 15:35 . 2008-08-14 03:58 2,136,064 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-05 15:35 . 2008-08-14 03:22 2,057,728 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-05 15:35 . 2008-08-14 03:22 2,015,744 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-04 21:58 . 2009-01-04 21:58 <DIR> d-------- c:\program files\MSXML 6.0
2009-01-04 19:00 . 2009-01-04 19:00 <DIR> d-------- c:\program files\Teorex
2009-01-04 14:23 . 2009-01-04 14:23 109 --a------ c:\windows\DelToolbox.bat
2009-01-04 10:03 . 2009-01-14 15:03 <DIR> d-------- c:\program files\Final Fantasy VII
2009-01-04 09:49 . 2009-01-04 10:18 <DIR> d-------- c:\program files\Electronic Arts
2009-01-03 11:31 . 2009-01-03 12:02 <DIR> d-------- c:\program files\Audiosurf
2009-01-03 09:33 . 2009-01-03 15:43 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\SPORE
2009-01-03 08:53 . 2009-01-03 08:53 <DIR> d-------- c:\windows\Logs
2009-01-03 08:52 . 2009-01-03 08:52 <DIR> d-------- c:\windows\system32\xlive
2009-01-03 08:52 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\system32\d3dx9_33.dll
2009-01-03 08:52 . 2007-03-12 16:42 1,123,696 --a------ c:\windows\system32\D3DCompiler_33.dll
2009-01-03 08:52 . 2007-03-15 16:57 443,752 --a------ c:\windows\system32\d3dx10_33.dll
2009-01-03 08:52 . 2007-04-04 18:53 81,768 --a------ c:\windows\system32\xinput1_3.dll
2009-01-02 22:04 . 2009-01-02 22:04 <DIR> d-------- c:\program files\MSBuild
2009-01-02 22:01 . 2009-01-02 22:01 <DIR> d-------- c:\windows\system32\XPSViewer
2009-01-02 22:01 . 2009-01-02 22:01 <DIR> d-------- c:\program files\Reference Assemblies
2009-01-02 22:01 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2009-01-02 21:53 . 2009-01-02 21:53 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2009-01-02 09:09 . 2009-01-02 09:09 <DIR> d-------- C:\rsit
2008-12-17 20:15 . 2008-12-17 20:15 102,415 --a------ c:\windows\system32\msvcrt2.dll
2008-12-17 20:02 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
2008-12-17 20:01 . 2008-12-17 20:01 <DIR> d-------- c:\program files\SanDisk
2008-12-17 20:01 . 2008-10-14 12:01 14,608 --a------ c:\windows\system32\iviaspi.sys
2008-12-16 18:41 . 2008-12-16 18:41 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\WinBatch

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 04:18 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Free Download Manager
2009-01-11 23:01 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-11 22:57 --------- d-----w c:\program files\Free Download Manager
2009-01-04 20:23 --------- d-----w c:\program files\USB Disk Win98 Driver
2009-01-03 14:01 --------- d-----w c:\program files\Paint.NET
2008-12-16 03:35 --------- d-----w c:\program files\Sonic
2008-12-16 03:35 --------- d-----w c:\program files\Common Files\TiVo Shared
2008-12-16 01:18 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-12-15 23:10 --------- d-----w c:\program files\DVD Shrink
2008-12-14 22:39 --------- d---a-w c:\program files\Common Files\LightScribe
2008-12-14 17:38 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-14 17:27 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\uTorrent
2008-12-14 03:33 --------- d-----w c:\program files\Canon
2008-12-14 03:32 --------- d-----w c:\program files\Common Files\PDFView
2008-12-14 03:31 --------- d-----w c:\program files\NewSoft
2008-12-14 03:31 --------- d-----w c:\program files\Common Files\ScanSoft Shared
2008-12-14 03:31 --------- d-----w c:\documents and settings\All Users\Application Data\SSScanWizard
2008-12-14 03:31 --------- d-----w c:\documents and settings\All Users\Application Data\SSScanAppDataDir
2008-12-14 02:48 --------- d-----w c:\program files\Common Files\Adobe
2008-12-14 01:51 --------- d-----w c:\program files\Rhapsody
2008-12-14 01:13 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-12-14 00:39 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-12-14 00:35 1,971 --sha-r c:\windows\system32\drivers\103C_HP_CPC_RC647AA-ABA m7680n_YC_0Pavi_QMXX635_E64NAemMPA4_48_IBasswood_SASUSTek Computer INC._V1.01_B3.06_T060811_WXP2_L409_M2047_J250_7Intel_8Core2 6400_92.13_#080704_N168C001B_Z14F12F20_G10DE01D1.MRK
2008-12-14 00:29 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-14 00:28 --------- d-----w c:\program files\Microsoft Works
2008-12-14 00:22 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-12-14 00:22 35,888 ----a-r c:\windows\system32\drivers\SymIM.sys
2008-12-14 00:22 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-14 00:22 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-14 00:22 --------- d-----w c:\program files\Symantec
2008-12-14 00:22 --------- d-----w c:\program files\Norton Internet Security
2008-12-14 00:22 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-14 00:21 --------- d-----w c:\program files\Windows Sidebar
2008-12-14 00:21 --------- d-----w c:\documents and settings\All Users\Application Data\Norton
2008-12-14 00:20 --------- d-----w c:\program files\NortonInstaller
2008-12-14 00:16 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-12-14 00:13 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-13 23:49 --------- d-----w c:\program files\Quicken
2008-12-13 23:48 --------- d-----w c:\program files\WildTangent
2008-12-13 23:48 --------- d-----w c:\documents and settings\All Users\Application Data\WildTangent
2008-12-13 14:59 --------- d-----w c:\program files\trend micro
2008-12-13 14:53 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\HPQ
2008-12-13 02:31 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\ZoomBrowser EX
2008-12-11 11:57 333,184 ------w c:\windows\system32\drivers\srv.sys
2008-12-10 22:34 --------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2008-12-02 23:03 --------- d-----w c:\program files\Best Buy Rhapsody
2008-11-28 16:11 --------- d-----w c:\program files\Adobe Media Player
2008-11-28 16:09 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-11-24 03:18 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\LimeWire
2008-11-22 03:12 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Sonic
2008-11-20 03:50 --------- d-----w c:\documents and settings\All Users\Application Data\muvee Technologies
2008-11-20 03:42 --------- d-----w c:\program files\DVD Decrypter
2008-09-17 13:16 549,159 --sha-r c:\program files\Norton2009Reset.exe
.

((((((((((((((((((((((((((((( snapshot@2009-01-15_ 8.30.36.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-16 21:16:39 4,422 ----a-w c:\windows\SoftwareDistribution\EventCache\{8FD7CDEF-2377-4DA8-B7EB-124A86B0A3C2}.bin
+ 2009-01-16 21:45:30 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"USB Storage Toolbox"="c:\windows\UMStor\Res.EXE" [2005-09-14 65536]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-25 180269]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 c:\windows\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2006-10-31 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\13CFG914-K641-26SF-N31P]
c:\recycler\S-1-5-21-0243336031-4052116379-881863308-0950\vsse33.exe [BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1001000.021\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1001000.021\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1001000.021\BHDrvx86.sys [2008-12-16 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1001000.021\cchpx86.sys [2008-12-16 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20081220.001\IDSxpx86.sys [2009-01-03 274808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-13 99376]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2006-08-25 468768]
R4 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe [2008-12-16 115560]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2006-08-25 82048]
S3 PCD5SRVC{8A863ACB-F5F6CC6A-05010004};PCD5SRVC{8A863ACB-F5F6CC6A-05010004} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2006-05-10 21248]
S4 .norton2009Reset;Norton2009 Reset;c:\program files\Norton2009Reset.exe [2008-09-17 549159]
.
Contents of the 'Scheduled Tasks' folder

2008-12-14 c:\windows\Tasks\Warranty Reminder 11 month.job
- c:\windows\system32\pcintro\reminder\Warranty_Reminder_11_month\Warranty_Reminder_11_month.bat [2008-12-13 18:35]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-dnrmgr32 - c:\windows\system32\svhost.exe
HKLM-Run-vcmc32 - c:\windows\system32\vcmc32.exe
HKLM-Run-wrm32 - c:\windows\system32\wrm32.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=anhhungdung2&login=17e96bb308ae8db8204e94abaf98b1af/anhhungdung2:netzero.net/1229211587/30/sss.4.66753/&ts=494447c3&A=695072480003399&B=1220252400000&C=1220252400000&D=1079424000000&I=A0874DN.&N=PL&O=I&UT=companion
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
Trusted Zone: *.trymedia.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-16 15:45:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC{8A863ACB-F5F6CC6A-05010004}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3392608103-2373730388-1741899492-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4A5C58DD-C8F1-F3FC-47D9-8909EC360B7B}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hamekemdoafpagep"=hex:6e,62,68,65,6f,62,65,61,67,68,69,6e,6c,6f,6b,6d,6c,67,
61,6e,61,61,61,70,65,6d,6c,63,65,68,67,6f,6f,66,6d,6b,6a,69,69,6f,6f,63,6b,\
"jamekemdoafpagepkecp"=hex:66,61,68,65,69,62,66,61,6c,69,6f,66,00,06
"paeghepgmocmnpoaaofnfpchagjkpchb"=hex:65,61,68,65,68,62,64,61,66,6e,00,66

[HKEY_USERS\S-1-5-21-3392608103-2373730388-1741899492-1007\Software\SecuROM\License information*]
"datasecu"=hex:cc,65,5c,94,8a,fa,6a,97,cc,a0,c1,0d,29,1d,e9,82,45,14,85,a6,2a,
d5,14,a5,05,dd,d7,85,46,cd,31,1b,c4,a7,c9,22,33,c6,e2,77,76,e1,cf,a8,d2,b8,\
"rkeysecu"=hex:61,59,2d,29,bc,a0,8e,a4,b3,bf,5f,e3,21,38,ed,90
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\ELService.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-01-16 15:48:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-16 21:48:37
ComboFix2.txt 2009-01-15 14:31:12

Pre-Run: 93,187,207,168 bytes free
Post-Run: 93,171,568,640 bytes free

262 --- E O F --- 2009-01-15 04:19:55


my Malwarebytes Anti-Malware log

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 2

1/16/2009 5:13:53 PM
mbam-log-2009-01-16 (17-13-49).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 181503
Time elapsed: 54 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\13cfg914-k641-26sf-n31p (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msmp3 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svnmgr (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\s3mgr (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\msmp3.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\svnmgr.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\svhost.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\msvcrt2.dll (Trojan.Agent) -> No action taken.

#8 PropagandaPanda

  • Malware Response Team

Posted 16 January 2009 - 06:24 PM

Hello.

Re-run scan with MalwareBytes Anti-Malware

Your MBAM log shows "No action taken". This usually occurs if you forget to click "Remove Selected" and instead only clicked "Save Logfile". Please read this thread and rescan again only using the (Quick Scan) in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. After performing the new scan, click the Logs tab and copy/paste the contents of the new report in your next reply.

Download and Run DDS
DDS is a tool that gives us a general overview of the condition of your machine.

Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.
---

With Regards,
The Panda

#9 aznriceboi13

  • Topic Starter

Posted 16 January 2009 - 06:37 PM

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 2

1/16/2009 5:22:05 PM
mbam-log-2009-01-16 (17-22-05).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 181503
Time elapsed: 54 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\13cfg914-k641-26sf-n31p (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msmp3 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svnmgr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\s3mgr (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\msmp3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svnmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msvcrt2.dll (Trojan.Agent) -> Quarantined and deleted successfully.


DDS.txt


DDS (Ver_09-01-07.01) - NTFSx86
Run by HP_Administrator at 17:34:51.75 on Fri 01/16/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1367 [GMT -6:00]

AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Page = hxxp://my.netzero.net/s/search?r=minisearch
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://my.netzero.net/s/search?r=minisearch
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=anhhungdung2&login=17e96bb308ae8db8204e94abaf98b1af/anhhungdung2:netzero.net/1229211587/30/sss.4.66753/&ts=494447c3&A=695072480003399&B=1220252400000&C=1220252400000&D=1079424000000&I=A0874DN.&N=PL&O=I&UT=companion
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
uURLSearchHooks: URLSearchHook Class: {37d2cdbf-2af4-44aa-8113-bd0d2da3c2b8} - c:\program files\netzero\SearchEnh1.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Popup-Blocker Class: {52706ef7-d7a2-49ad-a615-e903858cf284} - c:\program files\netzero\qsacc\X1IEBHO.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\norton internet security\engine\16.1.0.33\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\norton internet security\engine\16.1.0.33\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\16.1.0.33\coIEPlg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRunOnce: [untd_recovery] "c:\program files\netzero\qsacc\x1exec.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [USB Storage Toolbox] c:\windows\umstor\Res.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [nocmgr] c:\windows\system32\nocmgr.exe
mRun: [vcmc32] c:\windows\system32\vcmc32.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: trymedia.com
TCP: {DB3C0724-B6D7-4157-A31F-8EEAB5CF5904} = 64.136.44.74 64.136.52.74
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1001000.021\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1001000.021\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1001000.021\BHDrvx86.sys [2008-12-16 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1001000.021\cchpx86.sys [2008-12-16 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20081220.001\IDSxpx86.sys [2009-1-3 274808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-12-13 99376]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20081216.022\NAVENG.SYS [2008-12-16 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20081216.022\NAVEX15.SYS [2008-12-16 876112]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2006-8-25 468768]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\16.1.0.33\ccSvcHst.exe [2008-12-16 115560]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2006-8-25 82048]
S3 PCD5SRVC{8A863ACB-F5F6CC6A-05010004};PCD5SRVC{8A863ACB-F5F6CC6A-05010004} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\PCD5SRVC.pkms [2006-5-10 21248]
S4 .norton2009Reset;Norton2009 Reset;c:\program files\Norton2009Reset.exe [2008-9-17 549159]

=============== Created Last 30 ================

2009-01-16 16:17 24,814 a------- c:\documents and settings\hp_administrator\onbar2.exe
2009-01-16 16:16 25,288 a------- c:\windows\system32\vcmc32.exe
2009-01-16 16:16 31,480 a------- c:\documents and settings\hp_administrator\wrm32.exe
2009-01-16 16:16 30,316 a------- c:\documents and settings\hp_administrator\mscupdate.exe
2009-01-16 16:15 21,302 a------- c:\windows\system32\nocmgr.exe
2009-01-16 16:15 31,206 a------- c:\documents and settings\hp_administrator\msmp3.exe
2009-01-16 16:15 38,108 a------- c:\documents and settings\hp_administrator\dnrmgr32.exe
2009-01-16 16:15 9,064 a------- c:\documents and settings\hp_administrator\fns.exe
2009-01-16 14:59 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2009-01-16 14:59 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-16 14:59 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-16 14:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-16 14:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-15 20:13 161,792 a------- c:\windows\SWREG.exe
2009-01-15 20:13 98,816 a------- c:\windows\sed.exe
2009-01-15 09:50 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Thinking Minds Budiling Bytes
2009-01-15 09:50 <DIR> --d----- c:\program files\CubeDesktop
2009-01-12 16:06 <DIR> --d----- c:\program files\SpiderMan Web of Shadows
2009-01-10 14:05 81,920 a------- c:\windows\system32\ieencode.dll
2009-01-10 14:05 81,920 a------- c:\windows\system32\dllcache\ieencode.dll
2009-01-10 09:11 7,552 a------- c:\windows\system32\drivers\SONYPVU1.SYS
2009-01-10 09:11 7,552 a------- c:\windows\system32\dllcache\sonypvu1.sys
2009-01-07 11:26 <DIR> --d----- C:\Memorex Vault
2009-01-06 22:00 <DIR> --d----- c:\windows\ie8updates
2009-01-06 22:00 <DIR> --d----- c:\program files\MSXML 4.0
2009-01-06 16:22 23,040 -------- c:\windows\kb913800.exe
2009-01-05 15:35 2,136,064 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-05 15:35 2,180,352 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-05 15:35 2,015,744 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-05 15:35 2,057,728 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-04 21:58 <DIR> --d----- c:\program files\MSXML 6.0
2009-01-04 19:00 <DIR> --d----- c:\program files\Teorex
2009-01-04 14:23 109 a------- c:\windows\DelToolbox.bat
2009-01-04 10:03 <DIR> --d----- c:\program files\Final Fantasy VII
2009-01-03 11:31 <DIR> --d----- c:\program files\Audiosurf
2009-01-03 09:33 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\SPORE
2009-01-03 08:53 <DIR> --d----- c:\windows\Logs
2009-01-03 08:52 81,768 a------- c:\windows\system32\xinput1_3.dll
2009-01-03 08:52 1,123,696 a------- c:\windows\system32\D3DCompiler_33.dll
2009-01-03 08:52 443,752 a------- c:\windows\system32\d3dx10_33.dll
2009-01-03 08:52 3,495,784 a------- c:\windows\system32\d3dx9_33.dll
2009-01-03 08:52 <DIR> --d----- c:\windows\system32\xlive
2009-01-02 22:01 <DIR> --d----- c:\windows\system32\XPSViewer
2009-01-02 22:01 14,048 -------- c:\windows\system32\spmsg2.dll
2009-01-02 21:53 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-12-17 20:02 2,297,552 a------- c:\windows\system32\d3dx9_26.dll
2008-12-17 20:01 14,608 a------- c:\windows\system32\iviaspi.sys
2008-12-17 20:01 <DIR> --d----- c:\program files\SanDisk

==================== Find3M ====================

2008-12-13 18:35 1,971 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_RC647AA-ABA m7680n_YC_0Pavi_QMXX635_E64NAemMPA4_48_IBasswood_SASUSTek Computer INC._V1.01_B3.06_T060811_WXP2_L409_M2047_J250_7Intel_8Core2 6400_92.13_#080704_N168C001B_Z14F12F20_G10DE01D1.MRK
2008-12-13 18:22 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-13 18:22 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-13 18:22 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-13 18:22 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-13 18:22 35,888 a----r-- c:\windows\system32\drivers\SymIM.sys
2008-12-13 18:16 717,296 a------- c:\windows\system32\drivers\sptd.sys
2008-12-12 11:27 3,067,392 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,184 -------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,184 -------- c:\windows\system32\dllcache\srv.sys
2008-10-27 10:04 514,384 a------- c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 a------- c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2008-10-24 05:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2008-09-17 07:16 549,159 a--shr-- c:\program files\Norton2009Reset.exe
2006-10-15 14:28 32 ac-sh--- c:\windows\sminst\HPCD.SYS

============= FINISH: 17:35:10.45 ===============

Attached Files



#10 PropagandaPanda

  • Malware Response Team

Posted 16 January 2009 - 08:01 PM

Hello.

Looks like it came back..

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/191744/avcenterexe-msmp3exe-naxmgrexe-s3mgrexe-wrm32exe/
    KILLALL::
    
    Collect::
    c:\documents and settings\hp_administrator\onbar2.exe
    c:\windows\system32\vcmc32.exe
    c:\documents and settings\hp_administrator\wrm32.exe
    c:\documents and settings\hp_administrator\mscupdate.exe
    c:\windows\system32\nocmgr.exe
    c:\documents and settings\hp_administrator\msmp3.exe
    c:\documents and settings\hp_administrator\dnrmgr32.exe
    c:\documents and settings\hp_administrator\fns.exe
    
    DDS::
    mRun: [nocmgr]
    mRun: [vcmc32]
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    [image: CFScript.txt being dragged onto ComboFix.exe]
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

ComboFix will attempt to upload file samples at the end of its run.

With Regards,
The Panda

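The CFScript above was built by hand from the DDS report: files that appeared in the last hour or two, the Run entries that point at them, and a file named one letter off a real system binary (svhost.exe for svchost.exe). The following is an added example, not code from this thread, from BleepingComputer or from the DDS/ComboFix tools, that performs that same triage over DDS-style lines. The sample lines are copied from the DDS report posted above, except the final mRun line, which is the ComboFix orphan "HKLM-Run-dnrmgr32 - c:\windows\system32\svhost.exe" rewritten in DDS syntax; KNOWN_SYSTEM_BINARIES is a small constructed baseline, and the two-day window is an assumption.

```python
"""Added example, not part of this thread or of DDS/ComboFix: a triage pass over
DDS-style log lines that flags the kind of entries the CFScript above collects.
SAMPLE_LINES are copied from the DDS report in this thread except the last,
which is the ComboFix orphan 'HKLM-Run-dnrmgr32' rewritten in DDS mRun syntax.
KNOWN_SYSTEM_BINARIES is a small constructed baseline, not a complete list."""
import re
from datetime import datetime, timedelta

KNOWN_SYSTEM_BINARIES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                         "services.exe", "explorer.exe", "rundll32.exe", "msvcrt.dll"}
# "Created Last 30" lines: date time size-or-<DIR> attrs path
CREATED_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
                        r"(?:(?P<size>[\d,]+)|<DIR>) \S+ (?P<path>.+)$")
# "Pseudo HJT Report" autorun lines: mRun: [name] command
RUN_RE = re.compile(r"^(?P<hive>[mu]Run(?:Once)?): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
PATH_RE = re.compile(r'[a-z]:\\[^"]+?\.(?:exe|dll|com|scr|pif|bat)', re.IGNORECASE)
NOW = datetime(2009, 1, 16, 17, 34)  # run time stamped in the DDS header above

SAMPLE_LINES = r"""
2009-01-16 16:17 24,814 a------- c:\documents and settings\hp_administrator\onbar2.exe
2009-01-16 16:16 25,288 a------- c:\windows\system32\vcmc32.exe
2009-01-16 16:16 31,480 a------- c:\documents and settings\hp_administrator\wrm32.exe
2009-01-16 16:15 21,302 a------- c:\windows\system32\nocmgr.exe
2009-01-16 14:59 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-16 14:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nocmgr] c:\windows\system32\nocmgr.exe
mRun: [vcmc32] c:\windows\system32\vcmc32.exe
mRun: [dnrmgr32] c:\windows\system32\svhost.exe
""".strip().splitlines()


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(name):
    """System binary the name is one edit away from (svhost.exe vs svchost.exe),
    or None when it is that binary or nothing like one."""
    name = name.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    return next((k for k in sorted(KNOWN_SYSTEM_BINARIES) if edit_distance(name, k) == 1), None)


def static_checks(path):
    """Reasons that need no timestamp: a look-alike name, or an .exe sitting
    directly under a profile root or in a RECYCLER SID folder (both locations
    appear in the logs in this thread)."""
    hits, p = [], path.lower()
    known = is_lookalike(p.rsplit("\\", 1)[-1])
    if known:
        hits.append("look-alike of " + known)
    if re.search(r"\\documents and settings\\[^\\]+\\[^\\]+\.exe$", p):
        hits.append("executable in user profile root")
    if "\\recycler\\" in p:
        hits.append("executable in recycler folder")
    return hits


def triage(lines, now=NOW, window_days=2):
    """Map each flagged path to its reasons and list the Run entries behind them."""
    created, runs = {}, []
    for line in (l.strip() for l in lines):
        m = CREATED_RE.match(line)
        if m and m.group("size") is not None:  # files only, directories skipped
            created[m.group("path").lower()] = datetime.strptime(
                m.group("date") + " " + m.group("time"), "%Y-%m-%d %H:%M")
        m = RUN_RE.match(line)
        if m:
            target = PATH_RE.search(m.group("cmd"))
            runs.append((m.group("hive"), m.group("name"), target.group(0).lower() if target else None))
    reasons, dds = {}, set()
    for path in created:
        for why in static_checks(path):
            reasons.setdefault(path, []).append(why)
    for hive, run_name, target in runs:
        if target is None:
            continue
        hits = static_checks(target)
        stamp = created.get(target)
        # A freshly dropped file that is also an autorun target is the pairing
        # the helper acted on above (nocmgr.exe, vcmc32.exe).
        if stamp is not None and now - stamp <= timedelta(days=window_days):
            hits.append("autorun target created " + stamp.strftime("%Y-%m-%d %H:%M"))
        for why in hits:
            reasons.setdefault(target, []).append(why + " (Run: " + run_name + ")")
        if hits:
            dds.add(hive + ": [" + run_name + "]")
    return {"collect": sorted(reasons), "dds": sorted(dds), "reasons": reasons}


def cfscript_fragment(result):
    """Lay the findings out like the CFScript above; every path still gets a
    human look before it goes anywhere near ComboFix."""
    return "\n".join(["Collect::", *result["collect"], "", "DDS::", *result["dds"]])


if __name__ == "__main__":
    print(cfscript_fragment(triage(SAMPLE_LINES)))
```

Run stand-alone it prints a Collect:: block with the five paths the helper listed (onbar2.exe, wrm32.exe, nocmgr.exe, svhost.exe, vcmc32.exe) and a DDS:: block with the three Run entries; mbam.sys, although created the same afternoon, is not flagged because nothing autoruns it and its name and location are unremarkable. The output is a starting point for a reviewer, not something to feed to ComboFix unread.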
#11 aznriceboi13

  • Topic Starter

Posted 16 January 2009 - 08:36 PM

ComboFix 09-01-13.04 - HP_Administrator 2009-01-16 19:20:04.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1512 [GMT -6:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\hp_administrator\dnrmgr32.exe
c:\documents and settings\hp_administrator\fns.exe
c:\documents and settings\hp_administrator\mscupdate.exe
c:\documents and settings\hp_administrator\msmp3.exe
c:\documents and settings\hp_administrator\onbar2.exe
c:\documents and settings\hp_administrator\wrm32.exe
c:\windows\system32\nocmgr.exe
c:\windows\system32\vcmc32.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-17 to 2009-01-17 )))))))))))))))))))))))))))))))
.

2009-01-16 14:59 . 2009-01-16 14:59 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-16 14:59 . 2009-01-16 14:59 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-01-16 14:59 . 2009-01-16 14:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-16 14:59 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-16 14:59 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-15 09:50 . 2009-01-15 09:50 <DIR> d-------- c:\program files\CubeDesktop
2009-01-15 09:50 . 2009-01-15 09:50 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Thinking Minds Budiling Bytes
2009-01-12 16:06 . 2009-01-12 16:06 <DIR> d-------- c:\program files\SpiderMan Web of Shadows
2009-01-10 14:05 . 2004-08-09 22:00 81,920 --a------ c:\windows\system32\ieencode.dll
2009-01-10 14:05 . 2004-08-09 22:00 81,920 --a------ c:\windows\system32\dllcache\ieencode.dll
2009-01-10 09:11 . 2001-08-17 13:56 7,552 --a------ c:\windows\system32\drivers\SONYPVU1.SYS
2009-01-10 09:11 . 2001-08-17 13:56 7,552 --a------ c:\windows\system32\dllcache\sonypvu1.sys
2009-01-07 11:26 . 2009-01-07 11:26 <DIR> d-------- C:\Memorex Vault
2009-01-06 22:00 . 2009-01-10 09:06 <DIR> d-------- c:\windows\ie8updates
2009-01-06 22:00 . 2009-01-06 22:00 <DIR> d-------- c:\program files\MSXML 4.0
2009-01-06 16:22 . 2006-03-20 21:23 23,040 --------- c:\windows\kb913800.exe
2009-01-05 15:35 . 2008-08-14 04:00 2,180,352 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-05 15:35 . 2008-08-14 03:58 2,136,064 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-05 15:35 . 2008-08-14 03:22 2,057,728 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-05 15:35 . 2008-08-14 03:22 2,015,744 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-04 21:58 . 2009-01-04 21:58 <DIR> d-------- c:\program files\MSXML 6.0
2009-01-04 19:00 . 2009-01-04 19:00 <DIR> d-------- c:\program files\Teorex
2009-01-04 14:23 . 2009-01-04 14:23 109 --a------ c:\windows\DelToolbox.bat
2009-01-04 10:03 . 2009-01-14 15:03 <DIR> d-------- c:\program files\Final Fantasy VII
2009-01-04 09:49 . 2009-01-04 10:18 <DIR> d-------- c:\program files\Electronic Arts
2009-01-03 11:31 . 2009-01-03 12:02 <DIR> d-------- c:\program files\Audiosurf
2009-01-03 09:33 . 2009-01-03 15:43 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\SPORE
2009-01-03 08:53 . 2009-01-03 08:53 <DIR> d-------- c:\windows\Logs
2009-01-03 08:52 . 2009-01-03 08:52 <DIR> d-------- c:\windows\system32\xlive
2009-01-03 08:52 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\system32\d3dx9_33.dll
2009-01-03 08:52 . 2007-03-12 16:42 1,123,696 --a------ c:\windows\system32\D3DCompiler_33.dll
2009-01-03 08:52 . 2007-03-15 16:57 443,752 --a------ c:\windows\system32\d3dx10_33.dll
2009-01-03 08:52 . 2007-04-04 18:53 81,768 --a------ c:\windows\system32\xinput1_3.dll
2009-01-02 22:04 . 2009-01-02 22:04 <DIR> d-------- c:\program files\MSBuild
2009-01-02 22:01 . 2009-01-02 22:01 <DIR> d-------- c:\windows\system32\XPSViewer
2009-01-02 22:01 . 2009-01-02 22:01 <DIR> d-------- c:\program files\Reference Assemblies
2009-01-02 22:01 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2009-01-02 21:53 . 2009-01-02 21:53 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2009-01-02 09:09 . 2009-01-02 09:09 <DIR> d-------- C:\rsit
2008-12-17 20:02 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
2008-12-17 20:01 . 2008-12-17 20:01 <DIR> d-------- c:\program files\SanDisk
2008-12-17 20:01 . 2008-10-14 12:01 14,608 --a------ c:\windows\system32\iviaspi.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 04:18 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Free Download Manager
2009-01-11 23:01 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-11 22:57 --------- d-----w c:\program files\Free Download Manager
2009-01-04 20:23 --------- d-----w c:\program files\USB Disk Win98 Driver
2009-01-03 14:01 --------- d-----w c:\program files\Paint.NET
2008-12-17 00:41 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\WinBatch
2008-12-16 03:35 --------- d-----w c:\program files\Sonic
2008-12-16 03:35 --------- d-----w c:\program files\Common Files\TiVo Shared
2008-12-16 01:18 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-12-15 23:10 --------- d-----w c:\program files\DVD Shrink
2008-12-14 22:39 --------- d---a-w c:\program files\Common Files\LightScribe
2008-12-14 17:38 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-14 17:27 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\uTorrent
2008-12-14 03:33 --------- d-----w c:\program files\Canon
2008-12-14 03:32 --------- d-----w c:\program files\Common Files\PDFView
2008-12-14 03:31 --------- d-----w c:\program files\NewSoft
2008-12-14 03:31 --------- d-----w c:\program files\Common Files\ScanSoft Shared
2008-12-14 03:31 --------- d-----w c:\documents and settings\All Users\Application Data\SSScanWizard
2008-12-14 03:31 --------- d-----w c:\documents and settings\All Users\Application Data\SSScanAppDataDir
2008-12-14 02:48 --------- d-----w c:\program files\Common Files\Adobe
2008-12-14 01:51 --------- d-----w c:\program files\Rhapsody
2008-12-14 01:13 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-12-14 00:39 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-12-14 00:35 1,971 --sha-r c:\windows\system32\drivers\103C_HP_CPC_RC647AA-ABA m7680n_YC_0Pavi_QMXX635_E64NAemMPA4_48_IBasswood_SASUSTek Computer INC._V1.01_B3.06_T060811_WXP2_L409_M2047_J250_7Intel_8Core2 6400_92.13_#080704_N168C001B_Z14F12F20_G10DE01D1.MRK
2008-12-14 00:29 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-14 00:28 --------- d-----w c:\program files\Microsoft Works
2008-12-14 00:22 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-12-14 00:22 35,888 ----a-r c:\windows\system32\drivers\SymIM.sys
2008-12-14 00:22 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-14 00:22 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-14 00:22 --------- d-----w c:\program files\Symantec
2008-12-14 00:22 --------- d-----w c:\program files\Norton Internet Security
2008-12-14 00:22 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-14 00:21 --------- d-----w c:\program files\Windows Sidebar
2008-12-14 00:21 --------- d-----w c:\documents and settings\All Users\Application Data\Norton
2008-12-14 00:20 --------- d-----w c:\program files\NortonInstaller
2008-12-14 00:16 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-12-14 00:13 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-13 23:49 --------- d-----w c:\program files\Quicken
2008-12-13 23:48 --------- d-----w c:\program files\WildTangent
2008-12-13 23:48 --------- d-----w c:\documents and settings\All Users\Application Data\WildTangent
2008-12-13 14:59 --------- d-----w c:\program files\trend micro
2008-12-13 14:53 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\HPQ
2008-12-13 02:31 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\ZoomBrowser EX
2008-12-11 11:57 333,184 ------w c:\windows\system32\drivers\srv.sys
2008-12-10 22:34 --------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2008-12-02 23:03 --------- d-----w c:\program files\Best Buy Rhapsody
2008-11-28 16:11 --------- d-----w c:\program files\Adobe Media Player
2008-11-28 16:09 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-11-24 03:18 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\LimeWire
2008-11-22 03:12 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Sonic
2008-11-20 03:50 --------- d-----w c:\documents and settings\All Users\Application Data\muvee Technologies
2008-11-20 03:42 --------- d-----w c:\program files\DVD Decrypter
2008-09-17 13:16 549,159 --sha-r c:\program files\Norton2009Reset.exe
.

((((((((((((((((((((((((((((( snapshot@2009-01-15_ 8.30.36.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-16 21:16:39 4,422 ----a-w c:\windows\SoftwareDistribution\EventCache\{8FD7CDEF-2377-4DA8-B7EB-124A86B0A3C2}.bin
+ 2009-01-17 01:25:06 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"USB Storage Toolbox"="c:\windows\UMStor\Res.EXE" [2005-09-14 65536]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-25 180269]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 c:\windows\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2006-10-31 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\13CFG914-K641-26SF-N31P]
c:\recycler\S-1-5-21-0243336031-4052116379-881863308-0950\vsse33.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dnrmgr32]
c:\windows\system32\dnrmgr32.exe [BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1001000.021\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1001000.021\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1001000.021\BHDrvx86.sys [2008-12-16 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1001000.021\cchpx86.sys [2008-12-16 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20081220.001\IDSxpx86.sys [2009-01-03 274808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-13 99376]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2006-08-25 468768]
R4 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe [2008-12-16 115560]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2006-08-25 82048]
S3 PCD5SRVC{8A863ACB-F5F6CC6A-05010004};PCD5SRVC{8A863ACB-F5F6CC6A-05010004} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2006-05-10 21248]
S4 .norton2009Reset;Norton2009 Reset;c:\program files\Norton2009Reset.exe [2008-09-17 549159]
.
Contents of the 'Scheduled Tasks' folder

2008-12-14 c:\windows\Tasks\Warranty Reminder 11 month.job
- c:\windows\system32\pcintro\reminder\Warranty_Reminder_11_month\Warranty_Reminder_11_month.bat [2008-12-13 18:35]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-CubeDesktop - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=anhhungdung2&login=17e96bb308ae8db8204e94abaf98b1af/anhhungdung2:netzero.net/1229211587/30/sss.4.66753/&ts=494447c3&A=695072480003399&B=1220252400000&C=1220252400000&D=1079424000000&I=A0874DN.&N=PL&O=I&UT=companion
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
Trusted Zone: *.trymedia.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-16 19:24:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC{8A863ACB-F5F6CC6A-05010004}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3392608103-2373730388-1741899492-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4A5C58DD-C8F1-F3FC-47D9-8909EC360B7B}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hamekemdoafpagep"=hex:6e,62,68,65,6f,62,65,61,67,68,69,6e,6c,6f,6b,6d,6c,67,
61,6e,61,61,61,70,65,6d,6c,63,65,68,67,6f,6f,66,6d,6b,6a,69,69,6f,6f,63,6b,\
"jamekemdoafpagepkecp"=hex:66,61,68,65,69,62,66,61,6c,69,6f,66,00,2f
"paeghepgmocmnpoaaofnfpchagjkpchb"=hex:65,61,68,65,68,62,64,61,66,6e,00,66

[HKEY_USERS\S-1-5-21-3392608103-2373730388-1741899492-1007\Software\SecuROM\License information*]
"datasecu"=hex:cc,65,5c,94,8a,fa,6a,97,cc,a0,c1,0d,29,1d,e9,82,45,14,85,a6,2a,
d5,14,a5,05,dd,d7,85,46,cd,31,1b,c4,a7,c9,22,33,c6,e2,77,76,e1,cf,a8,d2,b8,\
"rkeysecu"=hex:61,59,2d,29,bc,a0,8e,a4,b3,bf,5f,e3,21,38,ed,90
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\ELService.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-01-16 19:28:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-17 01:28:30
ComboFix2.txt 2009-01-16 21:48:41
ComboFix3.txt 2009-01-15 14:31:12

Pre-Run: 93,330,198,528 bytes free
Post-Run: 93,314,039,808 bytes free

237 --- E O F --- 2009-01-15 04:19:55

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:08:10 AM

Posted 16 January 2009 - 09:07 PM

Hello.

Please run this CFScript and post back the log. Let's see if the infection stays gone.

File::
c:\recycler\S-1-5-21-0243336031-4052116379-881863308-0950\vsse33.exe
c:\windows\system32\dnrmgr32.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\13CFG914-K641-26SF-N31P]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dnrmgr32]

With Regards,
The Panda

#13 aznriceboi13

aznriceboi13
  • Topic Starter

  • Members
  • 24 posts
  • Gender:Male
  • Local time:07:10 AM

Posted 16 January 2009 - 10:07 PM

Might have to wait till tomorrow to see if it's completely eradicated; it took a while for it to come back last time.

ComboFix 09-01-13.04 - HP_Administrator 2009-01-16 20:57:42.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1611 [GMT -6:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFSCript.txt
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*
* Created a new restore point

FILE ::
c:\recycler\S-1-5-21-0243336031-4052116379-881863308-0950\vsse33.exe
c:\windows\system32\dnrmgr32.exe
.

((((((((((((((((((((((((( Files Created from 2008-12-17 to 2009-01-17 )))))))))))))))))))))))))))))))
.

2009-01-16 14:59 . 2009-01-16 14:59 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-16 14:59 . 2009-01-16 14:59 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-01-16 14:59 . 2009-01-16 14:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-16 14:59 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-16 14:59 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-15 09:50 . 2009-01-15 09:50 <DIR> d-------- c:\program files\CubeDesktop
2009-01-15 09:50 . 2009-01-15 09:50 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Thinking Minds Budiling Bytes
2009-01-12 16:06 . 2009-01-12 16:06 <DIR> d-------- c:\program files\SpiderMan Web of Shadows
2009-01-10 14:05 . 2004-08-09 22:00 81,920 --a------ c:\windows\system32\ieencode.dll
2009-01-10 14:05 . 2004-08-09 22:00 81,920 --a------ c:\windows\system32\dllcache\ieencode.dll
2009-01-10 09:11 . 2001-08-17 13:56 7,552 --a------ c:\windows\system32\drivers\SONYPVU1.SYS
2009-01-10 09:11 . 2001-08-17 13:56 7,552 --a------ c:\windows\system32\dllcache\sonypvu1.sys
2009-01-07 11:26 . 2009-01-07 11:26 <DIR> d-------- C:\Memorex Vault
2009-01-06 22:00 . 2009-01-10 09:06 <DIR> d-------- c:\windows\ie8updates
2009-01-06 22:00 . 2009-01-06 22:00 <DIR> d-------- c:\program files\MSXML 4.0
2009-01-06 16:22 . 2006-03-20 21:23 23,040 --------- c:\windows\kb913800.exe
2009-01-05 15:35 . 2008-08-14 04:00 2,180,352 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-05 15:35 . 2008-08-14 03:58 2,136,064 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-05 15:35 . 2008-08-14 03:22 2,057,728 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-05 15:35 . 2008-08-14 03:22 2,015,744 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-04 21:58 . 2009-01-04 21:58 <DIR> d-------- c:\program files\MSXML 6.0
2009-01-04 19:00 . 2009-01-04 19:00 <DIR> d-------- c:\program files\Teorex
2009-01-04 14:23 . 2009-01-04 14:23 109 --a------ c:\windows\DelToolbox.bat
2009-01-04 10:03 . 2009-01-14 15:03 <DIR> d-------- c:\program files\Final Fantasy VII
2009-01-04 09:49 . 2009-01-04 10:18 <DIR> d-------- c:\program files\Electronic Arts
2009-01-03 11:31 . 2009-01-03 12:02 <DIR> d-------- c:\program files\Audiosurf
2009-01-03 09:33 . 2009-01-03 15:43 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\SPORE
2009-01-03 08:53 . 2009-01-03 08:53 <DIR> d-------- c:\windows\Logs
2009-01-03 08:52 . 2009-01-03 08:52 <DIR> d-------- c:\windows\system32\xlive
2009-01-03 08:52 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\system32\d3dx9_33.dll
2009-01-03 08:52 . 2007-03-12 16:42 1,123,696 --a------ c:\windows\system32\D3DCompiler_33.dll
2009-01-03 08:52 . 2007-03-15 16:57 443,752 --a------ c:\windows\system32\d3dx10_33.dll
2009-01-03 08:52 . 2007-04-04 18:53 81,768 --a------ c:\windows\system32\xinput1_3.dll
2009-01-02 22:04 . 2009-01-02 22:04 <DIR> d-------- c:\program files\MSBuild
2009-01-02 22:01 . 2009-01-02 22:01 <DIR> d-------- c:\windows\system32\XPSViewer
2009-01-02 22:01 . 2009-01-02 22:01 <DIR> d-------- c:\program files\Reference Assemblies
2009-01-02 22:01 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2009-01-02 21:53 . 2009-01-02 21:53 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2009-01-02 09:09 . 2009-01-02 09:09 <DIR> d-------- C:\rsit
2008-12-17 20:02 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
2008-12-17 20:01 . 2008-12-17 20:01 <DIR> d-------- c:\program files\SanDisk
2008-12-17 20:01 . 2008-10-14 12:01 14,608 --a------ c:\windows\system32\iviaspi.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 04:18 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Free Download Manager
2009-01-11 23:01 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-11 22:57 --------- d-----w c:\program files\Free Download Manager
2009-01-04 20:23 --------- d-----w c:\program files\USB Disk Win98 Driver
2009-01-03 14:01 --------- d-----w c:\program files\Paint.NET
2008-12-17 00:41 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\WinBatch
2008-12-16 03:35 --------- d-----w c:\program files\Sonic
2008-12-16 03:35 --------- d-----w c:\program files\Common Files\TiVo Shared
2008-12-16 01:18 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-12-15 23:10 --------- d-----w c:\program files\DVD Shrink
2008-12-14 22:39 --------- d---a-w c:\program files\Common Files\LightScribe
2008-12-14 17:38 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-14 17:27 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\uTorrent
2008-12-14 03:33 --------- d-----w c:\program files\Canon
2008-12-14 03:32 --------- d-----w c:\program files\Common Files\PDFView
2008-12-14 03:31 --------- d-----w c:\program files\NewSoft
2008-12-14 03:31 --------- d-----w c:\program files\Common Files\ScanSoft Shared
2008-12-14 03:31 --------- d-----w c:\documents and settings\All Users\Application Data\SSScanWizard
2008-12-14 03:31 --------- d-----w c:\documents and settings\All Users\Application Data\SSScanAppDataDir
2008-12-14 02:48 --------- d-----w c:\program files\Common Files\Adobe
2008-12-14 01:51 --------- d-----w c:\program files\Rhapsody
2008-12-14 01:13 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-12-14 00:39 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-12-14 00:35 1,971 --sha-r c:\windows\system32\drivers\103C_HP_CPC_RC647AA-ABA m7680n_YC_0Pavi_QMXX635_E64NAemMPA4_48_IBasswood_SASUSTek Computer INC._V1.01_B3.06_T060811_WXP2_L409_M2047_J250_7Intel_8Core2 6400_92.13_#080704_N168C001B_Z14F12F20_G10DE01D1.MRK
2008-12-14 00:29 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-14 00:28 --------- d-----w c:\program files\Microsoft Works
2008-12-14 00:22 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-12-14 00:22 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
2008-12-14 00:22 35,888 ----a-r c:\windows\system32\drivers\SymIM.sys
2008-12-14 00:22 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-14 00:22 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-14 00:22 --------- d-----w c:\program files\Symantec
2008-12-14 00:22 --------- d-----w c:\program files\Norton Internet Security
2008-12-14 00:22 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-14 00:21 --------- d-----w c:\program files\Windows Sidebar
2008-12-14 00:21 --------- d-----w c:\documents and settings\All Users\Application Data\Norton
2008-12-14 00:20 --------- d-----w c:\program files\NortonInstaller
2008-12-14 00:16 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-12-14 00:13 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-13 23:49 --------- d-----w c:\program files\Quicken
2008-12-13 23:48 --------- d-----w c:\program files\WildTangent
2008-12-13 23:48 --------- d-----w c:\documents and settings\All Users\Application Data\WildTangent
2008-12-13 14:59 --------- d-----w c:\program files\trend micro
2008-12-13 14:53 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\HPQ
2008-12-13 02:31 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\ZoomBrowser EX
2008-12-12 17:27 3,067,392 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,184 ------w c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,184 ------w c:\windows\system32\dllcache\srv.sys
2008-12-10 22:34 --------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2008-12-02 23:03 --------- d-----w c:\program files\Best Buy Rhapsody
2008-11-28 16:11 --------- d-----w c:\program files\Adobe Media Player
2008-11-28 16:09 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-11-24 03:18 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\LimeWire
2008-11-22 03:12 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Sonic
2008-11-20 03:50 --------- d-----w c:\documents and settings\All Users\Application Data\muvee Technologies
2008-11-20 03:42 --------- d-----w c:\program files\DVD Decrypter
2008-10-27 16:04 70,992 ----a-w c:\windows\system32\XAPOFX1_2.dll
2008-10-27 16:04 514,384 ----a-w c:\windows\system32\XAudio2_3.dll
2008-10-27 16:04 235,856 ----a-w c:\windows\system32\xactengine3_3.dll
2008-10-27 16:04 23,376 ----a-w c:\windows\system32\X3DAudio1_5.dll
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
2008-09-17 13:16 549,159 --sha-r c:\program files\Norton2009Reset.exe
.

((((((((((((((((((((((((((((( snapshot@2009-01-15_ 8.30.36.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-16 21:16:39 4,422 ----a-w c:\windows\SoftwareDistribution\EventCache\{8FD7CDEF-2377-4DA8-B7EB-124A86B0A3C2}.bin
+ 2009-01-17 01:25:06 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"USB Storage Toolbox"="c:\windows\UMStor\Res.EXE" [2005-09-14 65536]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-25 180269]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 c:\windows\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2006-10-31 c:\windows\system32\nwiz.exe]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1001000.021\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1001000.021\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1001000.021\BHDrvx86.sys [2008-12-16 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1001000.021\cchpx86.sys [2008-12-16 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20081220.001\IDSxpx86.sys [2009-01-03 274808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-13 99376]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2006-08-25 468768]
R4 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe [2008-12-16 115560]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2006-08-25 82048]
S3 PCD5SRVC{8A863ACB-F5F6CC6A-05010004};PCD5SRVC{8A863ACB-F5F6CC6A-05010004} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2006-05-10 21248]
S4 .norton2009Reset;Norton2009 Reset;c:\program files\Norton2009Reset.exe [2008-09-17 549159]
.
Contents of the 'Scheduled Tasks' folder

2008-12-14 c:\windows\Tasks\Warranty Reminder 11 month.job
- c:\windows\system32\pcintro\reminder\Warranty_Reminder_11_month\Warranty_Reminder_11_month.bat [2008-12-13 18:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=anhhungdung2&login=17e96bb308ae8db8204e94abaf98b1af/anhhungdung2:netzero.net/1229211587/30/sss.4.66753/&ts=494447c3&A=695072480003399&B=1220252400000&C=1220252400000&D=1079424000000&I=A0874DN.&N=PL&O=I&UT=companion
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
Trusted Zone: *.trymedia.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-16 20:58:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC{8A863ACB-F5F6CC6A-05010004}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3392608103-2373730388-1741899492-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4A5C58DD-C8F1-F3FC-47D9-8909EC360B7B}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hamekemdoafpagep"=hex:6e,62,68,65,6f,62,65,61,67,68,69,6e,6c,6f,6b,6d,6c,67,
61,6e,61,61,61,70,65,6d,6c,63,65,68,67,6f,6f,66,6d,6b,6a,69,69,6f,6f,63,6b,\
"jamekemdoafpagepkecp"=hex:66,61,68,65,69,62,66,61,6c,69,6f,66,00,2f
"paeghepgmocmnpoaaofnfpchagjkpchb"=hex:65,61,68,65,68,62,64,61,66,6e,00,66

[HKEY_USERS\S-1-5-21-3392608103-2373730388-1741899492-1007\Software\SecuROM\License information*]
"datasecu"=hex:cc,65,5c,94,8a,fa,6a,97,cc,a0,c1,0d,29,1d,e9,82,45,14,85,a6,2a,
d5,14,a5,05,dd,d7,85,46,cd,31,1b,c4,a7,c9,22,33,c6,e2,77,76,e1,cf,a8,d2,b8,\
"rkeysecu"=hex:61,59,2d,29,bc,a0,8e,a4,b3,bf,5f,e3,21,38,ed,90
.
Completion time: 2009-01-16 20:59:45
ComboFix-quarantined-files.txt 2009-01-17 02:59:44
ComboFix2.txt 2009-01-17 01:28:34
ComboFix3.txt 2009-01-16 21:48:41
ComboFix4.txt 2009-01-15 14:31:12

Pre-Run: 93,301,182,464 bytes free
Post-Run: 93,285,036,032 bytes free

219 --- E O F --- 2009-01-15 04:19:55

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:08:10 AM

Posted 16 January 2009 - 10:33 PM

Okay. Take a new DDS tomorrow then.

The Panda

#15 aznriceboi13

aznriceboi13
  • Topic Starter

  • Members
  • 24 posts
  • Gender:Male
  • Local time:07:10 AM

Posted 17 January 2009 - 08:42 AM

DDS (Ver_09-01-07.01) - NTFSx86
Run by HP_Administrator at 7:35:22.68 on Sat 01/17/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1602 [GMT -6:00]

AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\UMStor\Res.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.com
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HP_Administrator\Desktop\Process Explorer\procexp.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Page = hxxp://my.netzero.net/s/search?r=minisearch
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://my.netzero.net/s/search?r=minisearch
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=anhhungdung2&login=17e96bb308ae8db8204e94abaf98b1af/anhhungdung2:netzero.net/1229211587/30/sss.4.66753/&ts=494447c3&A=695072480003399&B=1220252400000&C=1220252400000&D=1079424000000&I=A0874DN.&N=PL&O=I&UT=companion
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
uURLSearchHooks: URLSearchHook Class: {37d2cdbf-2af4-44aa-8113-bd0d2da3c2b8} - c:\program files\netzero\SearchEnh1.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Popup-Blocker Class: {52706ef7-d7a2-49ad-a615-e903858cf284} - c:\program files\netzero\qsacc\X1IEBHO.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\norton internet security\engine\16.1.0.33\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\norton internet security\engine\16.1.0.33\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\16.1.0.33\coIEPlg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRunOnce: [untd_recovery] "c:\program files\netzero\qsacc\x1exec.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [USB Storage Toolbox] c:\windows\umstor\Res.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: trymedia.com
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1001000.021\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1001000.021\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1001000.021\BHDrvx86.sys [2008-12-16 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1001000.021\cchpx86.sys [2008-12-16 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20081220.001\IDSxpx86.sys [2009-1-3 274808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-12-13 99376]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20081216.022\NAVENG.SYS [2008-12-16 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20081216.022\NAVEX15.SYS [2008-12-16 876112]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2006-8-25 468768]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\16.1.0.33\ccSvcHst.exe [2008-12-16 115560]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2006-8-25 82048]
S3 PCD5SRVC{8A863ACB-F5F6CC6A-05010004};PCD5SRVC{8A863ACB-F5F6CC6A-05010004} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\PCD5SRVC.pkms [2006-5-10 21248]
S4 .norton2009Reset;Norton2009 Reset;c:\program files\Norton2009Reset.exe [2008-9-17 549159]

=============== Created Last 30 ================

2009-01-16 20:57 <DIR> --d----- C:\ComboFix
2009-01-16 14:59 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2009-01-16 14:59 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-16 14:59 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-16 14:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-16 14:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-15 20:13 161,792 a------- c:\windows\SWREG.exe
2009-01-15 20:13 98,816 a------- c:\windows\sed.exe
2009-01-15 09:50 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Thinking Minds Budiling Bytes
2009-01-15 09:50 <DIR> --d----- c:\program files\CubeDesktop
2009-01-12 16:06 <DIR> --d----- c:\program files\SpiderMan Web of Shadows
2009-01-10 14:05 81,920 a------- c:\windows\system32\ieencode.dll
2009-01-10 14:05 81,920 a------- c:\windows\system32\dllcache\ieencode.dll
2009-01-10 09:11 7,552 a------- c:\windows\system32\drivers\SONYPVU1.SYS
2009-01-10 09:11 7,552 a------- c:\windows\system32\dllcache\sonypvu1.sys
2009-01-07 11:26 <DIR> --d----- C:\Memorex Vault
2009-01-06 22:00 <DIR> --d----- c:\windows\ie8updates
2009-01-06 22:00 <DIR> --d----- c:\program files\MSXML 4.0
2009-01-06 16:22 23,040 -------- c:\windows\kb913800.exe
2009-01-05 15:35 2,136,064 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-05 15:35 2,180,352 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-05 15:35 2,015,744 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-05 15:35 2,057,728 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-04 21:58 <DIR> --d----- c:\program files\MSXML 6.0
2009-01-04 19:00 <DIR> --d----- c:\program files\Teorex
2009-01-04 14:23 109 a------- c:\windows\DelToolbox.bat
2009-01-04 10:03 <DIR> --d----- c:\program files\Final Fantasy VII
2009-01-03 11:31 <DIR> --d----- c:\program files\Audiosurf
2009-01-03 09:33 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\SPORE
2009-01-03 08:53 <DIR> --d----- c:\windows\Logs
2009-01-03 08:52 81,768 a------- c:\windows\system32\xinput1_3.dll
2009-01-03 08:52 1,123,696 a------- c:\windows\system32\D3DCompiler_33.dll
2009-01-03 08:52 443,752 a------- c:\windows\system32\d3dx10_33.dll
2009-01-03 08:52 3,495,784 a------- c:\windows\system32\d3dx9_33.dll
2009-01-03 08:52 <DIR> --d----- c:\windows\system32\xlive
2009-01-02 22:01 <DIR> --d----- c:\windows\system32\XPSViewer
2009-01-02 22:01 14,048 -------- c:\windows\system32\spmsg2.dll
2009-01-02 21:53 107,888 a------- c:\windows\system32\CmdLineExt.dll

==================== Find3M ====================

2008-12-13 18:35 1,971 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_RC647AA-ABA m7680n_YC_0Pavi_QMXX635_E64NAemMPA4_48_IBasswood_SASUSTek Computer INC._V1.01_B3.06_T060811_WXP2_L409_M2047_J250_7Intel_8Core2 6400_92.13_#080704_N168C001B_Z14F12F20_G10DE01D1.MRK
2008-12-13 18:22 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-13 18:22 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-13 18:22 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-13 18:22 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-13 18:22 35,888 a----r-- c:\windows\system32\drivers\SymIM.sys
2008-12-13 18:16 717,296 a------- c:\windows\system32\drivers\sptd.sys
2008-12-12 11:27 3,067,392 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,184 -------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,184 -------- c:\windows\system32\dllcache\srv.sys
2008-10-27 10:04 514,384 a------- c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 a------- c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2008-10-24 05:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2008-09-17 07:16 549,159 a--shr-- c:\program files\Norton2009Reset.exe
2006-10-15 14:28 32 ac-sh--- c:\windows\sminst\HPCD.SYS

============= FINISH: 7:37:07.70 ===============
