
Infected with Virtumonde


This topic is locked
10 replies to this topic

#1 openfaced

  • Members
  • 52 posts

Posted 06 January 2009 - 06:49 PM

Around January 1, 2009 I was infected with a virus. AVG and Adaware found the Prunnet/Gadcom virus and removed it. But my computer started to crash, freeze, and have pop-ups. Here is what I've done so far:

AVG wasn't working so I installed Avast home edition and did a boot scan, which did remove threats and infected files.
I removed .dll files in my System32 folder from the time the infection was found (6 total).
Then I did the big 3 (Adaware, Spybot, and Malwarebytes).
I did a registry clean using Uniblue Registry Booster.
I've also deleted the contents of the Prefetch folder and the Temp folder in my user account.

The computer seems to be working OK, but when Spybot Search & Destroy does a scan it finds the following:
Virtumonde (dll, sdn, sci)
PornBHO
Smitfraud-C
Cydoor
Delf.ks
Zlob.Downloader.bs

It gets stuck on Virtumonde FOREVER. There are 361399 to scan and I think almost HALF are Virtumonde!

Here is the log file generated from the DDS program you instructed me to run. PLEASE HELP. Thanks.


DDS (Version 1.1.0) - NTFSx86
Run by HP_Administrator at 18:38:07.95 on Tue 01/06/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1480 [GMT -5:00]

AV: avast! antivirus 4.8.1296 [VPS 090106-1] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
{f0e23bb5-8dfc-4755-9d0a-5867df224997}
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [CTCheck] c:\program files\creative\creative zen\zen media explorer\CTCheck.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Notify: igfxcui - igfxdev.dll
Notify: rqRIbxvU - rqRIbxvU.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\vtUkkkIB

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\nvetopob.default\
FF - component: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\nvetopob.default\extensions\{d02b1e87-a8c6-433f-9b5c-2cec4a072736}\components\susfox3.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-2 111184]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-1-2 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-1-2 352920]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-2 20560]
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-1-2 155160]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 TivoBeacon2;TiVo Beacon;c:\program files\common files\tivo shared\beacon\TiVoBeacon.exe [2008-7-9 868864]
S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [2008-2-21 3768]
S3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [2008-9-3 15104]
S4 A4SII300;A4SII300;c:\windows\system32\drivers\a4sii300.sys [2007-8-1 25632]

=============== Created Last 30 ================

2009-01-06 17:47 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-06 00:43 <DIR> --d----- c:\windows\system32\XPSViewer
2009-01-06 00:42 14,048 -------- c:\windows\system32\spmsg2.dll
2009-01-05 22:36 0 a------- c:\windows\vpc32.INI
2009-01-05 18:56 <DIR> --d----- c:\program files\Lavasoft
2009-01-05 18:56 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-05 01:49 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2009-01-05 01:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-05 01:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-05 01:49 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-05 01:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-03 00:46 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-01-02 22:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-02 17:08 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Uniblue
2009-01-02 17:08 <DIR> --d----- c:\program files\Uniblue
2009-01-02 16:46 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{2840BBCB-9BEC-47F6-BA0F-10D3C34BF151}
2009-01-01 22:09 130 a------- c:\windows\system32\tablet.dat
2008-12-24 14:02 <DIR> --d----- c:\program files\iTunes
2008-12-24 14:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-21 15:49 <DIR> --d----- c:\program files\TiVo
2008-12-21 15:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TiVo
2008-12-15 19:41 410,984 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-10-24 06:21 455,296 a------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 08:11 13,824 a------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-16 08:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-15 11:34 337,408 a------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 02:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2007-08-01 12:21 49 a------- c:\program files\users.dat
2002-04-01 15:48 10,830 a---h--- c:\program files\Mail20.GID
2001-06-28 17:28 753,664 a------- c:\program files\PalmUI.dll
2001-06-06 09:46 169 -------- c:\program files\support.htm
2001-05-31 07:52 299,008 a------- c:\program files\HOTSYNC.EXE
2001-05-31 07:51 40,960 a------- c:\program files\USBTransport.dll
2001-05-31 07:47 139,264 a------- c:\program files\Instaide.dll
2001-05-31 07:45 110,592 a------- c:\program files\CondMgr.dll
2001-05-31 07:45 28,672 a------- c:\program files\USBPort.dll
2001-05-01 14:17 40,960 a------- c:\program files\InstallToolHelper.exe
2001-04-24 05:51 180,224 a------- c:\program files\table21.dll
2001-04-24 05:51 135,168 a------- c:\program files\imex20.dll
2001-04-19 07:00 15,716 a------- c:\windows\inf\i386\Pmxscan.sys
2007-09-04 14:00 22 a--sh--- c:\windows\sminst\HPCD.sys
2008-08-27 12:06 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082720080828\index.dat

============= FINISH: 18:38:56.81 ===============
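The logs above are what the responders in this thread read by eye. The entries that stand out are the load points Vundo/Virtumonde-class malware typically leaves behind: an extra LSA Authentication Package (c:\windows\system32\vtUkkkIB, loaded into lsass.exe at boot), a Winlogon Notify DLL with a random eight-letter name (rqRIbxvU.dll), an orphaned BHO CLSID with no file, a mountpoints2 autorun handler that launches Recycled\ctfmon.exe, and a scheduled task (xbcirnus.job) whose only visible target is rundll32.exe. The Python script below is an added example for this page, not part of the original post and not a DDS, ComboFix or BleepingComputer tool; it applies those checks to DDS "Pseudo HJT Report" and ComboFix "Reg Loading Points" lines. The Winlogon Notify allow-list and the random-name heuristic are assumptions made for the example, and the sample lines are excerpted from the logs posted in this thread.

```python
"""Triage helper for DDS 'Pseudo HJT Report' and ComboFix 'Reg Loading Points'
lines: flags the load points Vundo/Virtumonde-class malware abuses.
Added example for this thread, not a DDS/ComboFix/BleepingComputer tool."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str   # short rule name, e.g. "lsa-extra-auth-package"
    line: str   # the log line that triggered it


# Winlogon Notify packages commonly present on a clean Windows XP SP3 install.
# ASSUMPTION for this example: build your own baseline from a known-good machine.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "dimsntfy", "igfxcui",
    "scecli", "schedule", "sclgntfy", "sens", "termsrv", "wlballoon",
}

NOTIFY_RE = re.compile(r"^Notify:\s*(\S+)\s*-\s*(\S+)")
LSA_AUTH_RE = re.compile(r"^LSA:\s*Authentication Packages\s*=\s*(.*)$")
ORPHAN_BHO_RE = re.compile(r"^\{[0-9a-fA-F-]{36}\}$")           # bare CLSID, no name, no file
SHELL_CMD_RE = re.compile(r"\\Shell\\[^\\]+\\command\s*-\s*(.*)$", re.IGNORECASE)
TASK_RE = re.compile(r"c:\\windows\\tasks\\\S+\.job", re.IGNORECASE)
TASK_TARGET_RE = re.compile(r"^-\s*(.+?)(?:\s+\[.*)?$")         # "- <path> [date size]"


def looks_random(name: str) -> bool:
    """Heuristic (assumption) for Vundo-style names: exactly 8 letters whose
    case flips at least three times, e.g. rqRIbxvU or vtUkkkIB."""
    if not re.fullmatch(r"[A-Za-z]{8}", name):
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return flips >= 3


def triage(lines):
    """Return a Finding for every load point that deserves a second look."""
    findings = []
    pending_task = None          # set after a *.job line; the next line names its target
    for raw in lines:
        line = raw.strip()
        if not line:
            continue

        if pending_task is not None:
            m = TASK_TARGET_RE.match(line)
            if m and m.group(1).lower().endswith("rundll32.exe"):
                # A task whose whole target is rundll32.exe keeps its real payload
                # in arguments that DDS/ComboFix do not print.
                findings.append(Finding("task-runs-bare-rundll32", pending_task))
            pending_task = None
            continue
        if TASK_RE.search(line):
            pending_task = line
            continue

        m = NOTIFY_RE.match(line)
        if m:
            pkg = m.group(1)
            if pkg.lower() not in KNOWN_NOTIFY:
                rule = "winlogon-notify-random-name" if looks_random(pkg) else "winlogon-notify-unknown"
                findings.append(Finding(rule, line))
            continue

        m = LSA_AUTH_RE.match(line)
        if m:
            # Only msv1_0 is expected; anything else is mapped into lsass.exe at boot.
            if [p for p in m.group(1).split() if p.lower() != "msv1_0"]:
                findings.append(Finding("lsa-extra-auth-package", line))
            continue

        if ORPHAN_BHO_RE.match(line):
            findings.append(Finding("bho-orphan-clsid", line))
            continue

        m = SHELL_CMD_RE.search(line)
        if m:
            cmd = m.group(1).lower()
            # Autorun handlers that bounce through ShellExec_RunDLL or start from a
            # Recycled folder follow the autorun.inf worm pattern: review, do not assume.
            if "recycled\\" in cmd or "shellexec_rundll" in cmd:
                findings.append(Finding("autorun-review", line))
    return findings


# Lines excerpted from the DDS and ComboFix logs posted in this thread.
SAMPLE = r"""
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
{f0e23bb5-8dfc-4755-9d0a-5867df224997}
Notify: igfxcui - igfxdev.dll
Notify: rqRIbxvU - rqRIbxvU.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\vtUkkkIB
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
\Shell\AutoRun\command - J:\LaunchU3.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe
2009-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-01-08 c:\windows\Tasks\xbcirnus.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE.splitlines()):
        print(f"{f.rule:32} {f.line}")
```

Run it with the full log pasted into SAMPLE, or feed it `open("dds.txt").readlines()`. The script only ranks entries for a human; the legitimate igfxcui Notify package, the U3 launcher on J: and the Apple updater task fall through untouched, while the random-named Notify DLL, the extra LSA package, the orphan BHO, the three Recycled/ShellExec autorun commands and the rundll32-only task are the ones a responder would ask about next.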


#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 07 January 2009 - 04:55 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 openfaced
  • Topic Starter

  • Members
  • 52 posts

Posted 07 January 2009 - 09:19 PM

Thank you for getting back to me so quickly. Below I will paste the log generated by Combofix and below that (also attached) I will paste a new log generated by the DDS tool, which I ran after Combofix. I wanted to note that my computer still seems to be running normally at this point.

----------------------------------
LOG FROM COMBOFIX:
----------------------------------


ComboFix 09-01-07.01 - HP_Administrator 2009-01-07 20:56:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1529 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090107-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 )))))))))))))))))))))))))))))))
.

2009-01-06 17:47 . 2009-01-06 17:49 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-06 00:46 . 2009-01-06 00:46 <DIR> d-------- c:\program files\MSBuild
2009-01-06 00:43 . 2009-01-06 00:43 <DIR> d-------- c:\windows\system32\XPSViewer
2009-01-06 00:42 . 2009-01-06 00:42 <DIR> d-------- c:\program files\Reference Assemblies
2009-01-06 00:42 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2009-01-05 22:36 . 2009-01-05 22:36 0 --a------ c:\windows\vpc32.INI
2009-01-05 18:56 . 2009-01-05 18:56 <DIR> d-------- c:\program files\Lavasoft
2009-01-05 18:56 . 2009-01-05 18:56 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-05 01:49 . 2009-01-05 01:50 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-05 01:49 . 2009-01-05 01:49 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-01-05 01:49 . 2009-01-05 01:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-05 01:49 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-05 01:49 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-03 00:46 . 2008-10-15 20:00 1,499,136 --------- c:\windows\system32\dllcache\shdocvw.dll
2009-01-02 22:37 . 2009-01-06 18:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-02 18:26 . 2009-01-02 18:26 <DIR> d-------- c:\program files\Alwil Software
2009-01-02 17:08 . 2009-01-02 17:08 <DIR> d-------- c:\program files\Uniblue
2009-01-02 17:08 . 2009-01-02 17:08 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Uniblue
2009-01-02 16:46 . 2009-01-02 17:08 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{2840BBCB-9BEC-47F6-BA0F-10D3C34BF151}
2009-01-02 16:43 . 2009-01-02 16:43 <DIR> d-------- c:\documents and settings\Administrator\Application Data\U3
2009-01-01 22:09 . 2009-01-01 22:09 130 --a------ c:\windows\system32\tablet.dat
2008-12-24 14:02 . 2008-12-24 14:02 <DIR> d-------- c:\program files\iTunes
2008-12-24 14:02 . 2008-12-24 14:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-21 15:49 . 2008-12-21 15:49 <DIR> d-------- c:\program files\TiVo
2008-12-21 15:49 . 2008-12-21 15:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\TiVo
2008-12-15 19:41 . 2008-12-15 19:40 410,984 --a------ c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 21:13 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\U3
2009-01-06 05:19 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-06 05:18 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-03 17:17 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-24 19:02 --------- d-----w c:\program files\iPod
2008-12-24 19:00 --------- d-----w c:\program files\QuickTime
2008-12-24 18:58 --------- d-----w c:\program files\Common Files\Apple
2008-12-24 18:52 --------- d-----w c:\program files\Safari
2008-12-21 20:49 --------- d-----w c:\program files\Common Files\TiVo Shared
2008-12-16 00:40 --------- d-----w c:\program files\Java
2008-12-05 22:29 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2008-12-05 22:27 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\ZoomBrowser EX
2008-12-05 20:31 --------- d-----w c:\program files\Ulead Photo Express LE
2008-12-05 20:31 --------- d-----w c:\program files\Common Files\Ulead Systems
2008-12-05 20:30 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-05 20:30 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Ulead Systems
2008-12-05 20:29 --------- d-----w c:\program files\Canon
2008-12-05 20:28 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2008-12-05 20:25 --------- d-----w c:\documents and settings\All Users\Application Data\CanonCP
2008-12-05 20:22 --------- d-----w c:\program files\Common Files\Canon
2007-08-01 17:21 49 ----a-w c:\program files\users.dat
2002-04-01 20:48 10,830 ---ha-w c:\program files\Mail20.GID
2001-06-28 22:28 753,664 ----a-w c:\program files\PalmUI.dll
2001-06-06 14:46 169 ------w c:\program files\support.htm
2001-05-31 12:52 299,008 ----a-w c:\program files\HOTSYNC.EXE
2001-05-31 12:51 40,960 ----a-w c:\program files\USBTransport.dll
2001-05-31 12:47 139,264 ----a-w c:\program files\Instaide.dll
2001-05-31 12:45 28,672 ----a-w c:\program files\USBPort.dll
2001-05-31 12:45 110,592 ----a-w c:\program files\CondMgr.dll
2001-05-01 19:17 40,960 ----a-w c:\program files\InstallToolHelper.exe
2001-04-24 10:51 180,224 ----a-w c:\program files\table21.dll
2001-04-24 10:51 135,168 ----a-w c:\program files\imex20.dll
2007-09-04 19:00 22 --sha-w c:\windows\SMINST\HPCD.sys
2008-08-27 17:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082720080828\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-24 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-15 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-20 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-24 68856]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2007-07-24 63064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-07-25 221247]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2008-01-05 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\prunnet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-24 09:15 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoNotify]
--a------ 2008-07-09 15:14 394240 c:\program files\TiVo\Desktop\TiVoNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoServer]
--a------ 2008-07-09 15:15 1931264 c:\program files\TiVo\Desktop\TiVoServer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoTransfer]
--a------ 2008-07-09 15:13 1189376 c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-06-02 03:49 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-02 111184]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-02 20560]
R4 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [2008-07-09 868864]
S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [2008-02-21 3768]
S3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [2008-09-03 15104]
S4 A4SII300;A4SII300;c:\windows\system32\drivers\a4sii300.sys [2007-08-01 25632]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da887ebf-393e-11dc-b36e-0015e98869e5}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-08 c:\windows\Tasks\xbcirnus.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{F0E23BB5-8DFC-4755-9D0A-5867DF224997} - (no file)
Notify-NavLogon - (no file)
Notify-rqRIbxvU - rqRIbxvU.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\CTSUEng.ocx - c:\windows\Downloaded Program Files\CTSUEngn.ocx
O16 -: {6C269571-C6D7-4818-BCA4-32A035E8C884}
hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
c:\windows\Downloaded Program Files\CTSUEng.inf
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\nvetopob.default\
FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\nvetopob.default\extensions\{D02B1E87-A8C6-433f-9B5C-2CEC4A072736}\components\susfox3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 21:02:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
c:\windows\system32\Tablet.exe
c:\progra~1\Webshots\Webshots.scr
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-07 21:08:36 - machine was rebooted [HP_Administrator]
ComboFix-quarantined-files.txt 2009-01-08 02:08:33

Pre-Run: 176,691,515,392 bytes free
Post-Run: 176,684,335,104 bytes free

247 --- E O F --- 2009-01-04 17:55:27

----------------------------------
LOG FROM DDS TOOL:
----------------------------------


DDS (Ver_09-01-07.01) - NTFSx86
Run by HP_Administrator at 21:12:01.81 on Wed 01/07/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1551 [GMT -5:00]

AV: avast! antivirus 4.8.1296 [VPS 090107-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [CTCheck] c:\program files\creative\creative zen\zen media explorer\CTCheck.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\nvetopob.default\
FF - component: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\nvetopob.default\extensions\{d02b1e87-a8c6-433f-9b5c-2cec4a072736}\components\susfox3.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-2 111184]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-1-2 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-1-2 352920]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-2 20560]
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-1-2 155160]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 TivoBeacon2;TiVo Beacon;c:\program files\common files\tivo shared\beacon\TiVoBeacon.exe [2008-7-9 868864]
S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [2008-2-21 3768]
S3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [2008-9-3 15104]
S4 A4SII300;A4SII300;c:\windows\system32\drivers\a4sii300.sys [2007-8-1 25632]

=============== Created Last 30 ================

2009-01-07 20:53 161,792 a------- c:\windows\SWREG.exe
2009-01-07 20:53 98,816 a------- c:\windows\sed.exe
2009-01-06 17:47 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-06 00:43 <DIR> --d----- c:\windows\system32\XPSViewer
2009-01-06 00:42 14,048 -------- c:\windows\system32\spmsg2.dll
2009-01-05 22:36 0 a------- c:\windows\vpc32.INI
2009-01-05 18:56 <DIR> --d----- c:\program files\Lavasoft
2009-01-05 18:56 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-05 01:49 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2009-01-05 01:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-05 01:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-05 01:49 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-05 01:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-03 00:46 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-01-02 22:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-02 17:08 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Uniblue
2009-01-02 17:08 <DIR> --d----- c:\program files\Uniblue
2009-01-02 16:46 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{2840BBCB-9BEC-47F6-BA0F-10D3C34BF151}
2009-01-01 22:09 130 a------- c:\windows\system32\tablet.dat
2008-12-24 14:02 <DIR> --d----- c:\program files\iTunes
2008-12-24 14:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-21 15:49 <DIR> --d----- c:\program files\TiVo
2008-12-21 15:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TiVo
2008-12-15 19:41 410,984 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-10-24 06:21 455,296 a------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 08:11 13,824 a------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-16 08:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-15 11:34 337,408 a------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 02:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2007-08-01 12:21 49 a------- c:\program files\users.dat
2002-04-01 15:48 10,830 a---h--- c:\program files\Mail20.GID
2001-06-28 17:28 753,664 a------- c:\program files\PalmUI.dll
2001-06-06 09:46 169 -------- c:\program files\support.htm
2001-05-31 07:52 299,008 a------- c:\program files\HOTSYNC.EXE
2001-05-31 07:51 40,960 a------- c:\program files\USBTransport.dll
2001-05-31 07:47 139,264 a------- c:\program files\Instaide.dll
2001-05-31 07:45 110,592 a------- c:\program files\CondMgr.dll
2001-05-31 07:45 28,672 a------- c:\program files\USBPort.dll
2001-05-01 14:17 40,960 a------- c:\program files\InstallToolHelper.exe
2001-04-24 05:51 180,224 a------- c:\program files\table21.dll
2001-04-24 05:51 135,168 a------- c:\program files\imex20.dll
2001-04-19 07:00 15,716 a------- c:\windows\inf\i386\Pmxscan.sys
2007-09-04 14:00 22 a--sh--- c:\windows\sminst\HPCD.sys
2008-08-27 12:06 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082720080828\index.dat

============= FINISH: 21:12:24.25 ===============

#4 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 08 January 2009 - 03:48 AM

Hi,

Your logs look OK again. Just some leftovers we have to delete, because you were also dealing with a flashdrive infection in the past.
* Download the next removal tool to your desktop:
http://www.techsupportforum.com/sectools/s...Disinfector.exe
If you have any flashdrives that were used previously, insert them as well, since this is a flashdrive infection and the above tool will disinfect them too.
Then doubleclick the Flash_Disinfector.exe to run the tool.
Your desktop and icons will disappear afterwards. This is normal.
When the tool has finished, reboot your computer.

Then, navigate to and delete the following file:

c:\windows\Tasks\xbcirnus.job

Then, open Notepad and copy and paste the text present in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da887ebf-393e-11dc-b36e-0015e98869e5}]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\prunnet]

Save this as fix.reg. Choose to save as *all files* and place it on your desktop.
It should look like this: [screenshot]
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Then go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
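Before merging a fix.reg like the one above, it helps to see exactly what the file would do to the registry. The following is an added example, not code from this thread or from any of the tools it mentions: a small Python parser for REGEDIT4 / "Windows Registry Editor Version 5.00" files that lists which keys would be deleted or created, which values would be removed, and flags key deletions that are too shallow to be a targeted cleanup. The embedded .reg text is a constructed copy of the fix posted above, and the depth threshold in review() is an assumed heuristic.

```python
import re
from dataclasses import dataclass, field

# Header lines regedit accepts; without one the file is rejected on merge.
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")


@dataclass
class RegEntry:
    key: str
    delete_key: bool = False
    values: dict = field(default_factory=dict)  # name -> raw data; None means "delete value"


def parse_reg(text: str) -> list:
    """Parse .reg text into RegEntry objects (key sections, deletions, values)."""
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing REGEDIT4 / Version 5.00 header")
    entries, current, pending = [], None, ""
    for raw in lines[1:]:
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";"):
            continue
        if line.endswith("\\"):  # hex data continued on the next line
            pending = line[:-1]
            continue
        m = re.fullmatch(r"\[(-?)(.+)\]", line)
        if m:  # "[-key]" deletes the whole key, "[key]" creates/updates it
            current = RegEntry(key=m.group(2), delete_key=(m.group(1) == "-"))
            entries.append(current)
            continue
        if current is None:
            raise ValueError(f"value line before any [key] section: {line}")
        name, sep, data = line.partition("=")
        if not sep:
            raise ValueError(f"malformed value line: {line}")
        name = "(Default)" if name == "@" else name.strip('"')
        current.values[name] = None if data == "-" else data
    return entries


def review(entries, min_depth: int = 3) -> dict:
    """Summarize what a merge would do; flag deletions above the assumed depth threshold."""
    report = {"delete_keys": [], "create_or_update": [], "delete_values": [], "too_broad": []}
    for e in entries:
        if e.delete_key:
            report["delete_keys"].append(e.key)
            if len(e.key.split("\\")) < min_depth:  # e.g. "[-HKEY_LOCAL_MACHINE\SOFTWARE]"
                report["too_broad"].append(e.key)
        else:
            report["create_or_update"].append(e.key)
            report["delete_values"] += [f"{e.key}\\{n}" for n, d in e.values.items() if d is None]
    return report


# Constructed copy of the fix.reg posted in this thread (raw string keeps the backslashes).
FIX_REG = r"""REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da887ebf-393e-11dc-b36e-0015e98869e5}]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\prunnet]
"""

if __name__ == "__main__":
    for kind, keys in review(parse_reg(FIX_REG)).items():
        for k in keys:
            print(f"{kind}: {k}")
```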

#5 openfaced (Topic Starter, Members, 52 posts)

Posted 08 January 2009 - 10:44 AM

This is going really well and I appreciate how clear and in depth the instructions are. I have a question before I start the next step. I have 4 flash drives that I regularly use. So how do I disinfect them all at the same time? I have multiple open USB ports, can I plug them all in at the same time (even if more than one run U3)? Let me know before I run the next set of instructions.

Thanks,
Jeff

Edited by openfaced, 08 January 2009 - 10:54 AM.


#6 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 08 January 2009 - 10:46 AM

I have multiple open USB ports, can I plug them all in at the same time

Yes, that's a good idea. :thumbsup:

#7 openfaced (Topic Starter, Members, 52 posts)

Posted 08 January 2009 - 10:55 AM

Question #2:
The link to the instructions about creating a reg file does not work (the nellie2 one). Can you send me a direct web address or a link to another one?

Thanks

#8 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 08 January 2009 - 11:04 AM

Hi,

There's no link to another one.
Don't worry though - just read my instructions again to create the regfile. It's easy to create it and merge it. Let me know if there's something in the instructions you don't understand.

#9 openfaced (Topic Starter, Members, 52 posts)

Posted 11 January 2009 - 04:00 PM

Hi,

I wanted to thank you and bleepingcomputer.com so much for helping me with this. This was a great experience (unlike all the other frustrating experiences I've had trying to fix my computer in the past by using online help). You were prompt with responses and the instructions were fool proof. Thank you so much. My computer seems to be working perfectly normal now.

I am going to send a donation for sure to make sure people like you continue to be funded to help us all out the way you do! Also I have a work computer and another computer at my brothers house that might be in need of assistance. I will certainly post to bleepingcomputer.com when I choose to troubleshoot in the future.

Thanks again!
Jeff

#10 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 11 January 2009 - 04:08 PM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#11 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 12 January 2009 - 06:31 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



