
Infected With Trojan Sillydl.DJM


  • This topic is locked
19 replies to this topic

#1 Tony73
Posted 14 April 2009 - 07:04 PM

CA Yahoo Antispy detected 3 Trojan Sillydl.DJM and it wouldn't allow me to quarantine it. Rather, it pops up a message "Cannot quarantine. Administrative rights may be required to quarantine items." Here is the DDS report.


DDS (Ver_09-03-16.01) - NTFSx86
Run by HP_Owner at 16:50:10.21 on Tue 04/14/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.274 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {4EA7840B-5D43-49CF-8B59-F7F7E54D1540} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.5.0.135\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {b276a7a1-7486-409d-9c35-422591247825} - c:\windows\system32\camoc.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 YFF3 Firefox/3.0.8" -"http://highered.mcgraw-hill.com/sites/0072957549/student_view0/chapter34/matching_exercise.html"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [PcSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\hporga~1.lnk - c:\program files\hewlett-packard\hp organize\bin\displayAgent.exe
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\309731\program\Updates from HP.exe
IE: Add To HP Organize... - c:\progra~1\hewlet~1\hporga~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.5.0.135\CoIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
Notify: mxlnati - c:\windows\system\mxlnati.dll
AppInit_DLLs: c:\windows\system32\semasowa.dll c:\windows\system32\medemovo.dll,c:\windows\system32\sawubiyi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\sawubiyi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\4swm9ju6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1682449&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - F.T.A Customized Web Search
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1682449&SearchSource=2&q=
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\4swm9ju6.default\extensions\{f904d379-5b2e-44ee-96c9-3b51bd98696c}\components\FFAlert.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 lcrljfbu;lcrljfbu;c:\windows\system32\drivers\lcrljfbu.sys [2004-8-3 23424]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1005000.087\SymEFA.sys [2009-4-13 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1005000.087\BHDrvx86.sys [2009-4-13 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1005000.087\cchpx86.sys [2009-4-13 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090408.002\IDSxpx86.sys [2009-4-12 276344]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.5.0.135\ccSvcHst.exe [2009-4-13 115560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-28 24652]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-4-12 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090414.020\NAVENG.SYS [2009-4-14 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090414.020\NAVEX15.SYS [2009-4-14 876144]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 DISK_DRIVE32;DISK_DRIVE32;\??\c:\documents and settings\hp_owner\my documents\download\doubllet\disk_1024.sys --> c:\documents and settings\hp_owner\my documents\download\doubllet\disk_1024.sys [?]
S3 Dua1;Dua1;\??\c:\documents and settings\hp_owner\my documents\duelengine 2\dualengi.sys --> c:\documents and settings\hp_owner\my documents\duelengine 2\DualEngi.sys [?]
S3 geebers12;geebers12;\??\c:\documents and settings\hp_owner\desktop\hacks\nvid888.sys --> c:\documents and settings\hp_owner\desktop\hacks\nvid888.sys [?]
S3 GGK;GGK;\??\c:\documents and settings\hp_owner\my documents\ggk\ggk.sys --> c:\documents and settings\hp_owner\my documents\ggk\ggk.sys [?]
S3 Nub1;Nub1;\??\c:\documents and settings\hp_owner\my documents\nubengine\nubbk32.sys --> c:\documents and settings\hp_owner\my documents\nubengine\Nubbk32.sys [?]
S3 saruen;saruen;\??\c:\documents and settings\hp_owner\desktop\akuma engine 33\saurengang 1.01\saruen.sys --> c:\documents and settings\hp_owner\desktop\akuma engine 33\saurengang 1.01\saruen.sys [?]
S3 sejt1;sejt1;\??\c:\documents and settings\hp_owner\desktop\akuma engine 33\sejt.sys --> c:\documents and settings\hp_owner\desktop\akuma engine 33\sejt.sys [?]
S3 zenx1;zenx1;\??\c:\documents and settings\hp_owner\desktop\hacks\zenx.sys --> c:\documents and settings\hp_owner\desktop\hacks\zenx.sys [?]

=============== Created Last 30 ================

2009-04-13 17:27 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-04-12 22:00 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-12 22:00 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-12 22:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-12 15:35 <DIR> --d----- c:\program files\CCleaner
2009-04-12 15:14 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-12 15:14 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-04-12 15:14 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-12 15:14 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-04-12 15:14 <DIR> --d----- c:\program files\Symantec
2009-04-12 15:13 <DIR> --d----- c:\windows\system32\drivers\NIS
2009-04-12 15:13 <DIR> --d----- c:\program files\Norton Internet Security
2009-04-12 15:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCSettings
2009-04-12 12:03 <DIR> --d----- c:\program files\Trend Micro
2009-04-11 23:05 <DIR> --d----- c:\docume~1\hp_owner\applic~1\Malwarebytes
2009-04-11 23:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-11 20:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-04-11 20:36 <DIR> --d----- c:\program files\NortonInstaller
2009-04-11 20:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-04-11 20:14 <DIR> --d----- c:\docume~1\hp_owner\applic~1\GetRightToGo
2009-04-11 19:07 <DIR> --d----- c:\program files\Enigma Software Group
2009-04-11 14:03 <DIR> --d----- c:\program files\Exterminate It!
2009-04-11 12:41 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-11 12:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-10 18:20 97,280 a------- c:\windows\system32\camoc.dll
2009-04-07 21:59 <DIR> --d----- c:\program files\iTunes
2009-04-07 21:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-04 10:49 <DIR> --dsh--- c:\documents and settings\hp_owner\IECompatCache
2009-04-02 19:02 <DIR> --dsh--- c:\documents and settings\hp_owner\PrivacIE
2009-04-02 19:00 <DIR> --dsh--- c:\documents and settings\hp_owner\IETldCache
2009-04-02 18:58 <DIR> --d----- c:\windows\ie8updates
2009-04-02 18:48 <DIR> -cd-h--- c:\windows\ie8
2009-04-02 18:46 105,984 -------- c:\windows\system32\dllcache\iecompat.dll
2009-04-01 12:59 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-03-31 18:45 <DIR> --d----- c:\windows\SxsCaPendDel
2009-03-30 20:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-30 20:45 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-30 20:45 <DIR> --d----- c:\docume~1\hp_owner\applic~1\SUPERAntiSpyware.com
2009-03-20 17:16 410,984 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2009-04-14 15:32 3,645 a------- c:\windows\viassary-hp.reg
2009-04-11 11:02 62,464 a--sh--- c:\windows\system32\tavahozu.exe
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-08 14:09 638,816 a------- c:\windows\system32\dllcache\iexplore.exe
2009-03-08 14:09 391,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 04:41 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-03-08 04:39 11,063,808 a------- c:\windows\system32\dllcache\ieframe.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\dllcache\wininet.dll
2009-03-08 04:34 1,206,784 a------- c:\windows\system32\dllcache\urlmon.dll
2009-03-08 04:34 236,544 a------- c:\windows\system32\dllcache\webcheck.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 04:34 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-03-08 04:34 193,536 a------- c:\windows\system32\dllcache\msrating.dll
2009-03-08 04:34 109,568 a------- c:\windows\system32\dllcache\occache.dll
2009-03-08 04:33 759,296 a------- c:\windows\system32\dllcache\VGX.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\dllcache\corpol.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 04:33 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2009-03-08 04:33 229,376 a------- c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\dllcache\vbscript.dll
2009-03-08 04:33 125,952 a------- c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\dllcache\admparse.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 04:32 163,840 a------- c:\windows\system32\dllcache\ieakui.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\dllcache\iesetup.dll
2009-03-08 04:32 55,808 a------- c:\windows\system32\dllcache\iernonce.dll
2009-03-08 04:32 128,512 a------- c:\windows\system32\dllcache\advpack.dll
2009-03-08 04:32 94,720 a------- c:\windows\system32\dllcache\inseng.dll
2009-03-08 04:32 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 04:32 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-03-08 04:32 611,840 a------- c:\windows\system32\dllcache\mstime.dll
2009-03-08 04:24 68,608 a------- c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\dllcache\msls31.dll
2009-03-08 04:11 445,952 a------- c:\windows\system32\dllcache\ieapfltr.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 04:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-06 21:07 3,698,584 a------- c:\windows\system32\dllcache\ieapfltr.dat
2007-12-01 12:45 81,920 a------- c:\docume~1\hp_owner\applic~1\ezpinst.exe
2007-12-01 12:45 47,360 a------- c:\docume~1\hp_owner\applic~1\pcouffin.sys
2007-08-19 19:41 87,608 a------- c:\docume~1\hp_owner\applic~1\inst.exe
2007-05-15 20:46 744 ac------ c:\docume~1\hp_owner\applic~1\wklnhst.dat
2006-10-17 18:20 1,544,851 ac-sh--- c:\windows\system\itanlxm.bak2
2007-02-02 19:05 1,546,408 ac-sh--- c:\windows\system\itanlxm.ini2
2008-09-11 16:18 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091120080912\index.dat

============= FINISH: 16:51:36.73 ===============
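Added example, not part of the thread or of the DDS tool: a small triage script for the persistence section of a DDS log. It reads the Pseudo HJT and services/drivers lines and lists entries in load points malware commonly abuses on Windows XP (AppInit_DLLs, LSA Notification Packages, Winlogon Notify, BHOs with no registered name or no file, drivers whose file sits under a user profile) so a helper can review them against the rest of the log. The embedded sample is a constructed subset of lines copied from the log above; the rules (empty AppInit_DLLs and scecli-only Notification Packages as the clean baseline) are my own assumptions, not logic from DDS.

```python
"""Triage of persistence entries in a DDS log (added example, not DDS code)."""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str  # load point the entry lives in
    item: str      # the DLL, driver name or CLSID that was flagged
    reason: str    # why a helper should look at it


# Constructed sample: a subset of lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
BHO: {4EA7840B-5D43-49CF-8B59-F7F7E54D1540} - No File
BHO: {b276a7a1-7486-409d-9c35-422591247825} - c:\windows\system32\camoc.dll
Notify: igfxcui - igfxsrvc.dll
Notify: mxlnati - c:\windows\system\mxlnati.dll
AppInit_DLLs: c:\windows\system32\semasowa.dll c:\windows\system32\medemovo.dll,c:\windows\system32\sawubiyi.dll
LSA: Notification Packages = scecli c:\windows\system32\sawubiyi.dll
R0 lcrljfbu;lcrljfbu;c:\windows\system32\drivers\lcrljfbu.sys [2004-8-3 23424]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 zenx1;zenx1;\??\c:\documents and settings\hp_owner\desktop\hacks\zenx.sys --> c:\documents and settings\hp_owner\desktop\hacks\zenx.sys [?]
"""

# Assumed clean baseline (mine, not DDS's): a stock XP install has an empty
# AppInit_DLLs value and only scecli as an LSA Notification Package.
LSA_DEFAULT = {"scecli"}
SYSTEM32 = "c:\\windows\\system32\\"
PROFILE_DIR = "\\documents and settings\\"

BHO_RE = re.compile(r"^BHO: (?:(.*?): )?(\{[0-9a-f-]+\}) - (.+)$", re.I)
NOTIFY_RE = re.compile(r"^Notify: (\S+) - (.+)$")
DRIVER_RE = re.compile(r"^[RS][0-4] ([^;]+);([^;]*);(.+?)(?: \[(.*)\])?$")


def _split_dlls(value):
    # DDS prints AppInit_DLLs / Notification Packages entries separated by
    # spaces or commas; paths containing spaces would need smarter splitting.
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def triage_dds(text):
    """Return the persistence entries in a DDS log that deserve a closer look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("AppInit_DLLs:"):
            # Every DLL listed here is mapped into each process that loads user32.dll.
            for dll in _split_dlls(line[len("AppInit_DLLs:"):]):
                findings.append(Finding("AppInit_DLLs", dll, "loaded into every GUI process"))
        elif line.startswith("LSA: Notification Packages ="):
            for pkg in _split_dlls(line.split("=", 1)[1]):
                if pkg.lower() not in LSA_DEFAULT:
                    findings.append(Finding("LSA Notification Packages", pkg, "non-default package loaded by lsass.exe"))
        elif line.startswith("Notify:"):
            m = NOTIFY_RE.match(line)
            # Bare file names resolve from system32; a full path elsewhere is unusual.
            if m and "\\" in m.group(2) and not m.group(2).lower().startswith(SYSTEM32):
                findings.append(Finding("Winlogon Notify", m.group(2), "notification DLL outside system32"))
        elif line.startswith("BHO:"):
            m = BHO_RE.match(line)
            if not m:
                continue
            name, clsid, path = m.groups()
            if path.strip().lower() == "no file":
                findings.append(Finding("BHO", clsid, "orphaned entry, registered file is missing"))
            elif name is None:
                findings.append(Finding("BHO", path, "browser helper object with no registered name"))
        else:
            m = DRIVER_RE.match(line)
            if not m:
                continue
            name, _display, path, stamp = m.groups()
            if PROFILE_DIR in path.lower():
                findings.append(Finding("Driver", name, "driver file lives under a user profile"))
            elif stamp == "?":
                findings.append(Finding("Driver", name, "DDS could not read the driver file"))
    return findings


if __name__ == "__main__":
    # Usage: python dds_triage.py DDS.txt   (defaults to the embedded sample)
    source = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage_dds(source):
        print(f"{f.category:<26} {f.reason:<48} {f.item}")
```

The output is a review list, not a verdict: legitimate security products also register Winlogon Notify DLLs and shell hooks (SUPERAntiSpyware's SASWinLogon entry in the full log above is one), so each flagged item still has to be checked against its file date, vendor and the other scanner logs before anything is removed.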


#2 Jat90

Posted 15 April 2009 - 04:43 PM

Hello, Tony73

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can use the Track this Topic option at the top bar of this topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.



I see a fair number of bad entries. Let's see what Dr Web and MBAM can take out:

MalwareBytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (e.g. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Dr Web - CureIt

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore it and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
ReScan

Please rescan with DDS and post DDS.txt


In your next reply, please post:
  • MBAM log
  • Dr Web log
  • DDS log

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#3 Tony73

Tony73
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:33 PM

Posted 15 April 2009 - 11:14 PM

Hello, Jat, and thank you for your assistance. I have followed your instructions and scanned with MBAM, WebCureIt, and DDS. For WebCureIt, while doing a full scan, a message popped up and asked if I wanted to delete the viruses found and I selected all and pressed OK. I realized that this wasn't in your instructions and hopefully it wouldn't be a problem. If it is, please provide me with further instructions on what to do. 1 file was unable to be deleted so I selected "moved incurable" at the end of the scan. Anyways, here are the logs.



MBAM

Malwarebytes' Anti-Malware 1.36
Database version: 1987
Windows 5.1.2600 Service Pack 3

4/15/2009 3:50:26 PM
mbam-log-2009-04-15 (15-50-26).txt

Scan type: Quick Scan
Objects scanned: 82201
Time elapsed: 6 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b276a7a1-7486-409d-9c35-422591247825} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{b276a7a1-7486-409d-9c35-422591247825} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b276a7a1-7486-409d-9c35-422591247825} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\camoc.dll (Trojan.BHO.H) -> Delete on reboot.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\lxbmiayb.dat (Rootkit.Agent) -> Delete on reboot.




Dr Web

RegUBP2b-HP_Owner.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;
pifCrawl.exe;C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08};Trojan.Swizzor.based;Deleted.;
A0315230.reg;C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP932;Trojan.StartPage.1505;Deleted.;
A0317490.exe;C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP936;Trojan.Fakealert.4154;Deleted.;
A0319544.reg;C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP938;Trojan.StartPage.1505;Deleted.;
A0319545.exe;C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP938;Trojan.Swizzor.based;Deleted.;



DDS

DDS (Ver_09-03-16.01) - NTFSx86
Run by HP_Owner at 20:44:35.48 on Wed 04/15/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.327 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {4EA7840B-5D43-49CF-8B59-F7F7E54D1540} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.5.0.135\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {b276a7a1-7486-409d-9c35-422591247825} - c:\windows\system32\camoc.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 YFF3 Firefox/3.0.8 (.NET CLR 3.5.30729)" -"http://highered.mcgraw-hill.com/sites/0072957549/student_view0/chapter35/matching_exercise.html"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [PcSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\hporga~1.lnk - c:\program files\hewlett-packard\hp organize\bin\displayAgent.exe
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\309731\program\Updates from HP.exe
IE: Add To HP Organize... - c:\progra~1\hewlet~1\hporga~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.5.0.135\CoIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
Notify: mxlnati - c:\windows\system\mxlnati.dll
AppInit_DLLs: c:\windows\system32\semasowa.dll c:\windows\system32\medemovo.dll,c:\windows\system32\sawubiyi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\sawubiyi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\4swm9ju6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1682449&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - F.T.A Customized Web Search
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1682449&SearchSource=2&q=
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\4swm9ju6.default\extensions\{f904d379-5b2e-44ee-96c9-3b51bd98696c}\components\FFAlert.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 lcrljfbu;lcrljfbu;c:\windows\system32\drivers\lcrljfbu.sys [2004-8-3 23424]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1005000.087\SymEFA.sys [2009-4-13 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1005000.087\BHDrvx86.sys [2009-4-13 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1005000.087\cchpx86.sys [2009-4-13 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090408.002\IDSxpx86.sys [2009-4-12 276344]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.5.0.135\ccSvcHst.exe [2009-4-13 115560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-28 24652]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-4-12 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090415.003\NAVENG.SYS [2009-4-15 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090415.003\NAVEX15.SYS [2009-4-15 876144]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 DISK_DRIVE32;DISK_DRIVE32;\??\c:\documents and settings\hp_owner\my documents\download\doubllet\disk_1024.sys --> c:\documents and settings\hp_owner\my documents\download\doubllet\disk_1024.sys [?]
S3 Dua1;Dua1;\??\c:\documents and settings\hp_owner\my documents\duelengine 2\dualengi.sys --> c:\documents and settings\hp_owner\my documents\duelengine 2\DualEngi.sys [?]
S3 geebers12;geebers12;\??\c:\documents and settings\hp_owner\desktop\hacks\nvid888.sys --> c:\documents and settings\hp_owner\desktop\hacks\nvid888.sys [?]
S3 GGK;GGK;\??\c:\documents and settings\hp_owner\my documents\ggk\ggk.sys --> c:\documents and settings\hp_owner\my documents\ggk\ggk.sys [?]
S3 Nub1;Nub1;\??\c:\documents and settings\hp_owner\my documents\nubengine\nubbk32.sys --> c:\documents and settings\hp_owner\my documents\nubengine\Nubbk32.sys [?]
S3 saruen;saruen;\??\c:\documents and settings\hp_owner\desktop\akuma engine 33\saurengang 1.01\saruen.sys --> c:\documents and settings\hp_owner\desktop\akuma engine 33\saurengang 1.01\saruen.sys [?]
S3 sejt1;sejt1;\??\c:\documents and settings\hp_owner\desktop\akuma engine 33\sejt.sys --> c:\documents and settings\hp_owner\desktop\akuma engine 33\sejt.sys [?]
S3 zenx1;zenx1;\??\c:\documents and settings\hp_owner\desktop\hacks\zenx.sys --> c:\documents and settings\hp_owner\desktop\hacks\zenx.sys [?]

=============== Created Last 30 ================

2009-04-15 16:06 <DIR> --d----- c:\documents and settings\hp_owner\DoctorWeb
2009-04-13 17:27 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-04-12 22:00 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-12 22:00 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-12 22:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-12 15:35 <DIR> --d----- c:\program files\CCleaner
2009-04-12 15:14 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-12 15:14 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-04-12 15:14 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-12 15:14 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-04-12 15:14 <DIR> --d----- c:\program files\Symantec
2009-04-12 15:13 <DIR> --d----- c:\windows\system32\drivers\NIS
2009-04-12 15:13 <DIR> --d----- c:\program files\Norton Internet Security
2009-04-12 15:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCSettings
2009-04-12 12:03 <DIR> --d----- c:\program files\Trend Micro
2009-04-11 23:05 <DIR> --d----- c:\docume~1\hp_owner\applic~1\Malwarebytes
2009-04-11 23:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-11 20:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-04-11 20:36 <DIR> --d----- c:\program files\NortonInstaller
2009-04-11 20:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-04-11 20:14 <DIR> --d----- c:\docume~1\hp_owner\applic~1\GetRightToGo
2009-04-11 19:07 <DIR> --d----- c:\program files\Enigma Software Group
2009-04-11 14:03 <DIR> --d----- c:\program files\Exterminate It!
2009-04-11 12:41 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-11 12:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-10 18:20 97,280 a------- c:\windows\system32\camoc.dll
2009-04-07 21:59 <DIR> --d----- c:\program files\iTunes
2009-04-07 21:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-04 10:49 <DIR> --dsh--- c:\documents and settings\hp_owner\IECompatCache
2009-04-02 19:02 <DIR> --dsh--- c:\documents and settings\hp_owner\PrivacIE
2009-04-02 19:00 <DIR> --dsh--- c:\documents and settings\hp_owner\IETldCache
2009-04-02 18:58 <DIR> --d----- c:\windows\ie8updates
2009-04-02 18:48 <DIR> -cd-h--- c:\windows\ie8
2009-04-02 18:46 105,984 -------- c:\windows\system32\dllcache\iecompat.dll
2009-04-01 12:59 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-03-31 18:45 <DIR> --d----- c:\windows\SxsCaPendDel
2009-03-30 20:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-30 20:45 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-30 20:45 <DIR> --d----- c:\docume~1\hp_owner\applic~1\SUPERAntiSpyware.com
2009-03-20 17:16 410,984 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2009-04-15 20:43 3,645 a------- c:\windows\viassary-hp.reg
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-08 14:09 638,816 a------- c:\windows\system32\dllcache\iexplore.exe
2009-03-08 14:09 391,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 04:41 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-03-08 04:39 11,063,808 a------- c:\windows\system32\dllcache\ieframe.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\dllcache\wininet.dll
2009-03-08 04:34 1,206,784 a------- c:\windows\system32\dllcache\urlmon.dll
2009-03-08 04:34 236,544 a------- c:\windows\system32\dllcache\webcheck.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 04:34 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-03-08 04:34 193,536 a------- c:\windows\system32\dllcache\msrating.dll
2009-03-08 04:34 109,568 a------- c:\windows\system32\dllcache\occache.dll
2009-03-08 04:33 759,296 a------- c:\windows\system32\dllcache\VGX.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\dllcache\corpol.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 04:33 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2009-03-08 04:33 229,376 a------- c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\dllcache\vbscript.dll
2009-03-08 04:33 125,952 a------- c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\dllcache\admparse.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 04:32 163,840 a------- c:\windows\system32\dllcache\ieakui.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\dllcache\iesetup.dll
2009-03-08 04:32 55,808 a------- c:\windows\system32\dllcache\iernonce.dll
2009-03-08 04:32 128,512 a------- c:\windows\system32\dllcache\advpack.dll
2009-03-08 04:32 94,720 a------- c:\windows\system32\dllcache\inseng.dll
2009-03-08 04:32 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 04:32 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-03-08 04:32 611,840 a------- c:\windows\system32\dllcache\mstime.dll
2009-03-08 04:24 68,608 a------- c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\dllcache\msls31.dll
2009-03-08 04:11 445,952 a------- c:\windows\system32\dllcache\ieapfltr.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 04:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-06 21:07 3,698,584 a------- c:\windows\system32\dllcache\ieapfltr.dat
2007-12-01 12:45 81,920 a------- c:\docume~1\hp_owner\applic~1\ezpinst.exe
2007-12-01 12:45 47,360 a------- c:\docume~1\hp_owner\applic~1\pcouffin.sys
2007-08-19 19:41 87,608 a------- c:\docume~1\hp_owner\applic~1\inst.exe
2007-05-15 20:46 744 ac------ c:\docume~1\hp_owner\applic~1\wklnhst.dat
2006-10-17 18:20 1,544,851 ac-sh--- c:\windows\system\itanlxm.bak2
2007-02-02 19:05 1,546,408 ac-sh--- c:\windows\system\itanlxm.ini2
2008-09-11 16:18 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091120080912\index.dat

============= FINISH: 20:46:11.17 ===============


Thanks

#4 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:11:33 PM

Posted 16 April 2009 - 05:56 AM

Hello,

That's ok, it seems there are still some entries left. Let's try this:

Registry Backup

Backup Your Registry with ERUNT
  • Download from here
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

OTMoveIt

We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :services
    lcrljfbu
    DISK_DRIVE32
    Dua1
    geebers12
    GGK
    Nub1
    saruen
    sejt1
    zenx1
    
    :files
    c:\windows\system\mxlnati.dll
    c:\windows\system32\medemovo.dll
    c:\windows\system32\semasowa.dll
    c:\windows\system32\sawubiyi.dll
    c:\documents and settings\hp_owner\my documents\download\doubllet\disk_1024.sys
    c:\documents and settings\hp_owner\my documents\duelengine 2\DualEngi.sys 
    c:\documents and settings\hp_owner\desktop\hacks\nvid888.sys
    c:\documents and settings\hp_owner\my documents\ggk\ggk.sys
    c:\documents and settings\hp_owner\my documents\nubengine\Nubbk32.sys
    c:\documents and settings\hp_owner\desktop\akuma engine 33\saurengang 1.01\saruen.sys
    c:\documents and settings\hp_owner\desktop\akuma engine 33\sejt.sys
    c:\documents and settings\hp_owner\desktop\hacks\zenx.sys
    
    :reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mxlnati]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppinitDLLs"=-
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    
    :commands
    [EmptyTemp]
    [Reboot]
  • Push the large Posted Image button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Gmer

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.


In your next reply, please post:
  • OTMI log
  • Gmer log
  • DDS log

Edited by Jat90, 16 April 2009 - 05:56 AM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

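The OTMoveIt script above targets three Windows load points that the DDS report showed carrying unexpected DLLs: the Winlogon Notify subkeys, AppInit_DLLs, and the LSA "Notification Packages" value, which the script resets to a hex(7) encoding of the single stock entry scecli. As an added example, not DDS, OTMoveIt or anything written by the participants in this thread, the following Python script reads those three lines out of a DDS log, flags every entry that falls outside an assumed clean-XP baseline, and decodes the hex(7) value to confirm what the fix writes. The sample lines are constructed from the log quoted earlier in the thread; the baseline sets are assumptions, not something the page states.

```python
"""Offline check of DDS persistence lines (added example for this thread).

Not DDS, OTMoveIt or BleepingComputer code. The sample lines below are
constructed from the log quoted in the thread; the baseline sets are
assumptions about what a clean Windows XP machine carries at these points.
"""
import re

# Constructed sample: the three load-point lines from the DDS "Pseudo HJT Report".
SAMPLE_DDS = r"""
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
Notify: mxlnati - c:\windows\system\mxlnati.dll
AppInit_DLLs: c:\windows\system32\semasowa.dll c:\windows\system32\medemovo.dll,c:\windows\system32\sawubiyi.dll
LSA: Notification Packages = scecli c:\windows\system32\sawubiyi.dll
"""

# Assumed baselines (not from the page): scecli is the only stock LSA
# notification package, AppInit_DLLs is empty on a clean install, and these
# Winlogon notify subkeys belong to Windows, the Intel graphics driver and
# SUPERAntiSpyware.
BASELINE_LSA = {"scecli"}
BASELINE_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                   "sclgntfy", "senslogn", "termsrv", "wlballoon",
                   "igfxcui", "!saswinlogon"}

# A DLL path may contain spaces ("c:\program files\..."), so match a full
# "<drive>:\...\name.dll" first and fall back to a bare whitespace-free token.
_TOKEN = re.compile(r"[a-z]:\\.*?\.dll|\S+", re.IGNORECASE)


def split_entries(value: str) -> list[str]:
    """Split a DDS value list that mixes space and comma separators."""
    return _TOKEN.findall(value.replace(",", " "))


def decode_hex7(value: str) -> list[str]:
    """Decode a REG_MULTI_SZ written as hex(7):.. into its list of strings.

    The OTMoveIt script in the thread writes one byte per character; Regedit
    .reg files write hex(7) as UTF-16LE instead, so both forms are accepted.
    """
    raw = bytes.fromhex(value.split(":", 1)[1].replace(",", ""))
    if len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    # REG_MULTI_SZ is NUL-separated and ends in a double NUL; drop the empties.
    return [s for s in text.split("\0") if s]


def parse_dds(text: str) -> dict[str, list]:
    """Pull the Winlogon Notify, AppInit_DLLs and LSA lines out of a DDS log."""
    found = {"notify": [], "appinit": [], "lsa": []}
    for line in text.splitlines():
        if line.startswith("Notify: "):
            name, _, path = line[len("Notify: "):].partition(" - ")
            found["notify"].append((name.strip(), path.strip()))
        elif line.startswith("AppInit_DLLs: "):
            found["appinit"].extend(split_entries(line[len("AppInit_DLLs: "):]))
        elif line.startswith("LSA: Notification Packages = "):
            found["lsa"].extend(split_entries(line.split("=", 1)[1]))
    return found


def flag_entries(found: dict[str, list]) -> list[tuple[str, str, str]]:
    """Return (load point, entry, reason) for everything outside the baseline."""
    findings = []
    for name, path in found["notify"]:
        if name.lower() not in BASELINE_NOTIFY:
            findings.append(("Winlogon Notify", f"{name} - {path}", "not in baseline"))
    for dll in found["appinit"]:
        findings.append(("AppInit_DLLs", dll, "baseline is empty"))
    for pkg in found["lsa"]:
        if pkg.lower() not in BASELINE_LSA:
            findings.append(("LSA Notification Packages", pkg, "not scecli"))
    return findings


if __name__ == "__main__":
    for point, entry, why in flag_entries(parse_dds(SAMPLE_DDS)):
        print(f"{point}: {entry}  [{why}]")
    # The :reg line in the OTMoveIt script restores exactly the baseline value.
    print("OTMoveIt writes:", decode_hex7("hex(7):73,63,65,63,6c,69,00,00"))
```

Run against the constructed sample it reports five entries: the mxlnati notify DLL, all three AppInit DLLs, and the extra LSA package, and shows that the hex(7) value decodes to the single string scecli. An allowlist baseline like this is deliberately blunt; a new legitimate security product will also show up, which is why the thread's helper reads the whole DDS log rather than acting on any one line.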

#5 Tony73

Tony73
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:33 PM

Posted 16 April 2009 - 07:07 PM

Hello again. When loading GMER, I wasn't prompted to scan immediately. After scanning under the Rootkit/Malware tab for some time with GMER, a message popped up and said that it detected rootkit activity and the scanning stopped. (This is how the process goes, right?) Anyways, can you explain to me what exactly is a rootkit and what it does? Thanks.

Here are the logs.

OTMI

========== SERVICES/DRIVERS ==========

Service\Driver lcrljfbu deleted successfully.

Service\Driver DISK_DRIVE32 deleted successfully.

Service\Driver Dua1 deleted successfully.

Service\Driver geebers12 deleted successfully.

Service\Driver GGK deleted successfully.

Service\Driver Nub1 deleted successfully.

Service\Driver saruen deleted successfully.

Service\Driver sejt1 deleted successfully.

Service\Driver zenx1 deleted successfully.
========== FILES ==========
File/Folder c:\windows\system\mxlnati.dll not found.
File/Folder c:\windows\system32\medemovo.dll not found.
File/Folder c:\windows\system32\semasowa.dll not found.
File/Folder c:\windows\system32\sawubiyi.dll not found.
File/Folder c:\documents and settings\hp_owner\my documents\download\doubllet\disk_1024.sys not found.
File/Folder c:\documents and settings\hp_owner\my documents\duelengine 2\DualEngi.sys not found.
File/Folder c:\documents and settings\hp_owner\desktop\hacks\nvid888.sys not found.
File/Folder c:\documents and settings\hp_owner\my documents\ggk\ggk.sys not found.
File/Folder c:\documents and settings\hp_owner\my documents\nubengine\Nubbk32.sys not found.
File/Folder c:\documents and settings\hp_owner\desktop\akuma engine 33\saurengang 1.01\saruen.sys not found.
File/Folder c:\documents and settings\hp_owner\desktop\akuma engine 33\sejt.sys not found.
File/Folder c:\documents and settings\hp_owner\desktop\hacks\zenx.sys not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mxlnati\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows\\AppinitDLLs not found.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\etilqs_Iycp3bPEJHT5WOrgvSRl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\hpodvd09.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\lxbmiayb.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\JETF84A.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_108.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_74c.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\TMP0000004994F9F974F43E4E5A scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\4swm9ju6.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\4swm9ju6.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\4swm9ju6.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\4swm9ju6.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\4swm9ju6.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04162009_151130

Files moved on Reboot...
File C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\etilqs_Iycp3bPEJHT5WOrgvSRl not found!
File move failed. C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\hpodvd09.log scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll NOT unregistered.
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll moved successfully.
File C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\lxbmiayb.dat not found!
File C:\WINDOWS\temp\JETF84A.tmp not found!
File C:\WINDOWS\temp\Perflib_Perfdata_108.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_74c.dat not found!
File C:\WINDOWS\temp\TMP0000004994F9F974F43E4E5A not found!
File move failed. C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\4swm9ju6.default\Cache\_CACHE_001_ scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\4swm9ju6.default\Cache\_CACHE_002_ scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\4swm9ju6.default\Cache\_CACHE_003_ scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\4swm9ju6.default\Cache\_CACHE_MAP_ scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\4swm9ju6.default\urlclassifier3.sqlite scheduled to be moved on reboot.

Gmer

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-16 16:47:53
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 86C1BAE0 ZwAlertResumeThread
SSDT 86903050 ZwAlertThread
SSDT 85CAC800 ZwAllocateVirtualMemory
SSDT 86B19E50 ZwAssignProcessToJobObject
SSDT 86AB5AA0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA8CFE040]
SSDT 85CA2FC0 ZwCreateMutant
SSDT 85C9D730 ZwCreateSymbolicLinkObject
SSDT 85CCC2F0 ZwCreateThread
SSDT 8692B050 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA8CFE2C0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA8CFE820]
SSDT 85CACA98 ZwDuplicateObject
SSDT 85CAB008 ZwFreeVirtualMemory
SSDT 869189F8 ZwImpersonateAnonymousToken
SSDT 8699BB00 ZwImpersonateThread
SSDT 869F6518 ZwLoadDriver
SSDT 85D39938 ZwMapViewOfSection
SSDT 86900050 ZwOpenEvent
SSDT 85CACDB8 ZwOpenProcess
SSDT 86B30C90 ZwOpenProcessToken
SSDT 86778398 ZwOpenSection
SSDT 85CACC28 ZwOpenThread
SSDT 85C9DE80 ZwProtectVirtualMemory
SSDT 86BFE2C8 ZwResumeThread
SSDT 8693FC80 ZwSetContextThread
SSDT 85CABBA8 ZwSetInformationProcess
SSDT 86B9CC98 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA8CFEA70]
SSDT 86C2C570 ZwSuspendProcess
SSDT 8694C680 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA8C24DF0]
SSDT 86C19C78 ZwTerminateThread
SSDT 86929050 ZwUnmapViewOfSection
SSDT 85CAC430 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CC8 80504564 4 Bytes CALL 129AEE38
.text ntkrnlpa.exe!ZwCallbackReturn + 2FA0 8050483C 4 Bytes JMP C0F4A8CF
PAGE ntkrnlpa.exe!ObReferenceObjectByHandle + 44F 805BB8ED 7 Bytes JMP 86D8EAD8
? SYMEFA.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll (*** hidden *** ) @ C:\Program Files\Microsoft Office\Office\OSA.EXE [588] 0x10000000
Library C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll (*** hidden *** ) @ C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [1684] 0x01470000
Library C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1932] 0x00BE0000

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl (size mismatch) 8192/4096 bytes

---- EOF - GMER 1.0.15 ----


DDS

DDS (Ver_09-03-16.01) - NTFSx86
Run by HP_Owner at 16:52:19.26 on Thu 04/16/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.287 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {4EA7840B-5D43-49CF-8B59-F7F7E54D1540} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.5.0.135\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {b276a7a1-7486-409d-9c35-422591247825} - c:\windows\system32\camoc.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 YFF3 Firefox/3.0.8 (.NET CLR 3.5.30729)" -"http://highered.mcgraw-hill.com/sites/0072957549/student_view0/chapter35/matching_exercise.html"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [PcSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\hporga~1.lnk - c:\program files\hewlett-packard\hp organize\bin\displayAgent.exe
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\309731\program\Updates from HP.exe
IE: Add To HP Organize... - c:\progra~1\hewlet~1\hporga~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.5.0.135\CoIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\semasowa.dll c:\windows\system32\medemovo.dll,c:\windows\system32\sawubiyi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\4swm9ju6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1682449&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - F.T.A Customized Web Search
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1682449&SearchSource=2&q=
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\4swm9ju6.default\extensions\{f904d379-5b2e-44ee-96c9-3b51bd98696c}\components\FFAlert.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 lcrljfbu;lcrljfbu;c:\windows\system32\drivers\lcrljfbu.sys [2004-8-3 23424]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1005000.087\SymEFA.sys [2009-4-13 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1005000.087\BHDrvx86.sys [2009-4-13 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1005000.087\cchpx86.sys [2009-4-13 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090414.001\IDSXpx86.sys [2009-4-16 276344]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.5.0.135\ccSvcHst.exe [2009-4-13 115560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-28 24652]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-4-12 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090416.006\NAVENG.SYS [2009-4-16 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090416.006\NAVEX15.SYS [2009-4-16 876144]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]

=============== Created Last 30 ================

2009-04-16 15:11 <DIR> --d----- C:\_OTMoveIt
2009-04-15 22:31 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-15 22:31 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-15 22:31 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-15 22:31 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-15 22:31 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 22:31 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 22:31 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 22:31 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-15 22:31 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-15 22:30 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 22:30 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-15 22:30 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 16:06 <DIR> --d----- c:\documents and settings\hp_owner\DoctorWeb
2009-04-13 17:27 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-04-12 22:00 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-12 22:00 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-12 22:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-12 15:35 <DIR> --d----- c:\program files\CCleaner
2009-04-12 15:14 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-12 15:14 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-04-12 15:14 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-12 15:14 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-04-12 15:14 <DIR> --d----- c:\program files\Symantec
2009-04-12 15:13 <DIR> --d----- c:\windows\system32\drivers\NIS
2009-04-12 15:13 <DIR> --d----- c:\program files\Norton Internet Security
2009-04-12 15:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCSettings
2009-04-12 12:03 <DIR> --d----- c:\program files\Trend Micro
2009-04-11 23:05 <DIR> --d----- c:\docume~1\hp_owner\applic~1\Malwarebytes
2009-04-11 23:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-11 20:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-04-11 20:36 <DIR> --d----- c:\program files\NortonInstaller
2009-04-11 20:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-04-11 20:14 <DIR> --d----- c:\docume~1\hp_owner\applic~1\GetRightToGo
2009-04-11 19:07 <DIR> --d----- c:\program files\Enigma Software Group
2009-04-11 14:03 <DIR> --d----- c:\program files\Exterminate It!
2009-04-11 12:41 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-11 12:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-10 18:20 97,280 a------- c:\windows\system32\camoc.dll
2009-04-07 21:59 <DIR> --d----- c:\program files\iTunes
2009-04-07 21:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-04 10:49 <DIR> --dsh--- c:\documents and settings\hp_owner\IECompatCache
2009-04-02 19:02 <DIR> --dsh--- c:\documents and settings\hp_owner\PrivacIE
2009-04-02 19:00 <DIR> --dsh--- c:\documents and settings\hp_owner\IETldCache
2009-04-02 18:58 <DIR> --d----- c:\windows\ie8updates
2009-04-02 18:48 <DIR> -cd-h--- c:\windows\ie8
2009-04-02 18:46 105,984 -------- c:\windows\system32\dllcache\iecompat.dll
2009-04-01 12:59 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-03-31 18:45 <DIR> --d----- c:\windows\SxsCaPendDel
2009-03-30 20:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-30 20:45 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-30 20:45 <DIR> --d----- c:\docume~1\hp_owner\applic~1\SUPERAntiSpyware.com
2009-03-21 07:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-20 17:16 410,984 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2009-04-16 15:17 3,645 a------- c:\windows\viassary-hp.reg
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-08 14:09 638,816 a------- c:\windows\system32\dllcache\iexplore.exe
2009-03-08 14:09 391,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 04:41 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-03-08 04:39 11,063,808 a------- c:\windows\system32\dllcache\ieframe.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\dllcache\wininet.dll
2009-03-08 04:34 1,206,784 a------- c:\windows\system32\dllcache\urlmon.dll
2009-03-08 04:34 236,544 a------- c:\windows\system32\dllcache\webcheck.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 04:34 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-03-08 04:34 193,536 a------- c:\windows\system32\dllcache\msrating.dll
2009-03-08 04:34 109,568 a------- c:\windows\system32\dllcache\occache.dll
2009-03-08 04:33 759,296 a------- c:\windows\system32\dllcache\VGX.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\dllcache\corpol.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 04:33 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2009-03-08 04:33 229,376 a------- c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\dllcache\vbscript.dll
2009-03-08 04:33 125,952 a------- c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\dllcache\admparse.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 04:32 163,840 a------- c:\windows\system32\dllcache\ieakui.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\dllcache\iesetup.dll
2009-03-08 04:32 55,808 a------- c:\windows\system32\dllcache\iernonce.dll
2009-03-08 04:32 128,512 a------- c:\windows\system32\dllcache\advpack.dll
2009-03-08 04:32 94,720 a------- c:\windows\system32\dllcache\inseng.dll
2009-03-08 04:32 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 04:32 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-03-08 04:32 611,840 a------- c:\windows\system32\dllcache\mstime.dll
2009-03-08 04:24 68,608 a------- c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\dllcache\msls31.dll
2009-03-08 04:11 445,952 a------- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-09 05:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 05:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 04:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 21:07 3,698,584 a------- c:\windows\system32\dllcache\ieapfltr.dat
2009-02-06 04:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 04:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 04:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 04:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 03:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 03:39 35,328 a------- c:\windows\system32\dllcache\sc.exe
2009-02-06 03:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 03:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 12:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 12:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2007-12-01 12:45 81,920 a------- c:\docume~1\hp_owner\applic~1\ezpinst.exe
2007-12-01 12:45 47,360 a------- c:\docume~1\hp_owner\applic~1\pcouffin.sys
2007-08-19 19:41 87,608 a------- c:\docume~1\hp_owner\applic~1\inst.exe
2007-05-15 20:46 744 ac------ c:\docume~1\hp_owner\applic~1\wklnhst.dat
2006-10-17 18:20 1,544,851 ac-sh--- c:\windows\system\itanlxm.bak2
2007-02-02 19:05 1,546,408 ac-sh--- c:\windows\system\itanlxm.ini2
2008-09-11 16:18 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091120080912\index.dat

============= FINISH: 16:53:23.65 ===============

#6 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:11:33 PM

Posted 17 April 2009 - 05:16 AM

ComboFix

Please download ComboFix from one of these locations (If you already have it, delete it and download again):

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found here
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Note** ComboFix was designed only to be used under the supervision of a helper, not for general use.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#7 Tony73

Tony73
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:33 PM

Posted 17 April 2009 - 04:22 PM

In the blue box, nothing appears; it does not say "Please wait. Combofix is preparing to run."
What's wrong?

#8 Tony73

Tony73
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:33 PM

Posted 18 April 2009 - 01:58 AM

Hi, I got ComboFix to work by downloading the Windows Recovery Console, then dragging it and dropping it on the ComboFix.exe icon. I followed this here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Here's the log.

ComboFix 09-04-18.05 - HP_Owner 04/17/2009 23:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.464 [GMT -7:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\HP_Owner\Application Data\inst.exe
c:\windows\system\itanlxm.bak2
c:\windows\system\itanlxm.ini
c:\windows\system\itanlxm.ini2
c:\windows\system\itanlxm.tmp
c:\windows\system\itanlxm.tmp2
c:\windows\system32\_000005_.tmp.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 )))))))))))))))))))))))))))))))
.

2009-04-16 22:11 . 2009-04-16 22:11 -------- d-----w C:\_OTMoveIt
2009-04-16 05:35 . 2009-04-16 05:37 1374 ----a-w c:\windows\imsins.BAK
2009-04-16 05:31 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 05:31 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 05:31 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 05:31 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 05:31 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 05:31 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 05:31 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 05:31 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 05:31 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 05:30 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 05:30 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 05:30 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 23:06 . 2009-04-15 23:06 -------- d-----w c:\documents and settings\HP_Owner\DoctorWeb
2009-04-14 01:20 . 2009-04-14 01:20 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-04-14 00:27 . 2009-03-12 08:42 36400 ----a-r c:\windows\system32\drivers\SymIM.sys
2009-04-13 05:00 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-13 05:00 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-13 05:00 . 2009-04-13 05:00 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-12 22:35 . 2009-04-12 22:35 -------- d-----w c:\program files\CCleaner
2009-04-12 22:14 . 2009-04-13 22:31 -------- d-----w c:\program files\Symantec
2009-04-12 22:14 . 2009-04-13 22:31 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-04-12 22:14 . 2009-04-13 22:31 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-12 22:14 . 2009-04-13 22:31 60808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-04-12 22:14 . 2009-04-13 22:31 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-12 22:13 . 2009-04-14 00:59 -------- d-----w c:\windows\system32\drivers\NIS
2009-04-12 22:13 . 2009-04-12 22:13 -------- d-----w c:\program files\Norton Internet Security
2009-04-12 22:13 . 2009-04-12 22:13 -------- d-----w c:\program files\Windows Sidebar
2009-04-12 22:07 . 2009-04-12 22:07 -------- d-----w c:\documents and settings\All Users\Application Data\PCSettings
2009-04-12 19:03 . 2009-04-12 19:03 -------- d-----w c:\program files\Trend Micro
2009-04-12 06:05 . 2009-04-12 06:05 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2009-04-12 06:05 . 2009-04-12 06:05 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-12 03:36 . 2009-04-12 22:13 -------- d-----w c:\documents and settings\All Users\Application Data\Norton
2009-04-12 03:36 . 2009-04-12 03:36 -------- d-----w c:\program files\NortonInstaller
2009-04-12 03:18 . 2009-04-12 22:13 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-04-12 03:14 . 2009-04-12 03:17 -------- d-----w c:\documents and settings\HP_Owner\Application Data\GetRightToGo
2009-04-12 02:07 . 2009-04-12 02:25 -------- d-----w c:\program files\Enigma Software Group
2009-04-11 22:53 . 2009-04-12 02:27 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-11 21:03 . 2009-04-11 21:55 -------- d-----w c:\program files\Exterminate It!
2009-04-11 19:41 . 2009-04-13 03:15 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-11 19:41 . 2009-04-11 19:44 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-11 01:20 . 2008-04-14 00:11 97280 ----a-w c:\windows\system32\camoc.dll
2009-04-08 04:59 . 2009-04-08 04:59 -------- d-----w c:\program files\iTunes
2009-04-08 04:59 . 2009-04-08 04:59 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-08 04:56 . 2009-04-08 04:57 -------- d-----w c:\program files\QuickTime
2009-04-08 04:44 . 2009-04-08 04:44 -------- d-----w c:\program files\Apple Software Update
2009-04-04 17:49 . 2009-04-04 17:49 -------- d-sh--w c:\documents and settings\HP_Owner\IECompatCache
2009-04-03 02:06 . 2009-04-03 02:06 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-03 02:02 . 2009-04-03 02:02 -------- d-sh--w c:\documents and settings\HP_Owner\PrivacIE
2009-04-03 02:00 . 2009-04-03 02:00 -------- d-sh--w c:\documents and settings\HP_Owner\IETldCache
2009-04-03 01:58 . 2009-04-03 01:58 -------- d-----w c:\windows\ie8updates
2009-04-03 01:48 . 2009-04-03 01:56 -------- dc-h--w c:\windows\ie8
2009-04-03 01:46 . 2009-02-28 04:55 105984 ------w c:\windows\system32\dllcache\iecompat.dll
2009-04-01 19:59 . 2009-01-09 19:19 1089593 ------w c:\windows\system32\dllcache\ntprint.cat
2009-04-01 01:45 . 2009-04-01 02:05 -------- d-----w c:\windows\SxsCaPendDel
2009-03-31 22:23 . 2009-03-31 22:23 -------- d-----w c:\program files\Windows Defender
2009-03-31 03:45 . 2009-03-31 03:45 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-31 03:45 . 2009-04-14 00:52 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-31 03:45 . 2009-04-14 00:52 -------- d-----w c:\documents and settings\HP_Owner\Application Data\SUPERAntiSpyware.com
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-21 00:16 . 2009-03-09 12:19 410984 ----a-w c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 06:38 . 2004-12-03 20:40 3645 ----a-w c:\windows\viassary-hp.reg
2009-04-17 00:19 . 2004-12-03 20:08 -------- d-----w c:\program files\Java
2009-04-16 22:41 . 2005-06-16 16:57 87280 -c--a-w c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-16 05:34 . 2007-10-20 20:19 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-14 00:51 . 2009-01-04 23:10 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-12 23:11 . 2004-12-03 20:58 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-12 22:11 . 2004-12-03 20:58 -------- d-----w c:\program files\Norton AntiVirus
2009-04-12 03:38 . 2004-12-03 20:58 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-04-12 02:33 . 2009-01-03 20:07 -------- d-----w c:\program files\Pando Networks
2009-04-08 04:59 . 2004-12-03 20:37 -------- d-----w c:\program files\iPod
2009-04-08 04:59 . 2008-01-06 03:43 -------- d-----w c:\program files\Common Files\Apple
2009-04-03 02:02 . 2006-07-20 04:54 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-04-03 01:51 . 2006-12-31 01:01 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-03 01:51 . 2005-07-15 03:37 -------- d-----w c:\program files\Yahoo!
2009-04-03 01:45 . 2007-07-28 21:18 -------- d-----w c:\program files\BitComet
2009-04-01 20:08 . 2009-01-02 03:27 -------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-03-19 23:32 . 2006-09-19 22:44 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-08 21:09 . 2004-08-04 04:00 638816 ----a-w c:\windows\system32\dllcache\iexplore.exe
2009-03-08 21:09 . 2004-08-04 04:00 391536 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 11:41 . 2004-08-04 04:00 5937152 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-03-08 11:39 . 2007-05-09 01:14 11063808 ----a-w c:\windows\system32\dllcache\ieframe.dll
2009-03-08 11:34 . 2004-08-04 04:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2004-08-04 04:00 914944 ----a-w c:\windows\system32\dllcache\wininet.dll
2009-03-08 11:34 . 2004-08-04 04:00 1206784 ----a-w c:\windows\system32\dllcache\urlmon.dll
2009-03-08 11:34 . 2004-08-04 04:00 236544 ----a-w c:\windows\system32\dllcache\webcheck.dll
2009-03-08 11:34 . 2004-08-04 04:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:34 . 2004-08-04 04:00 43008 ----a-w c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 11:34 . 2004-08-04 04:00 105984 ----a-w c:\windows\system32\dllcache\url.dll
2009-03-08 11:34 . 2004-08-04 04:00 193536 ----a-w c:\windows\system32\dllcache\msrating.dll
2009-03-08 11:34 . 2004-08-04 04:00 109568 ----a-w c:\windows\system32\dllcache\occache.dll
2009-03-08 11:33 . 2004-08-04 04:00 759296 ----a-w c:\windows\system32\dllcache\VGX.dll
2009-03-08 11:33 . 2004-08-04 04:00 18944 ----a-w c:\windows\system32\dllcache\corpol.dll
2009-03-08 11:33 . 2004-08-04 04:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2004-08-04 04:00 25600 ----a-w c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 11:33 . 2008-05-09 10:53 726528 ----a-w c:\windows\system32\dllcache\jscript.dll
2009-03-08 11:33 . 2004-08-04 04:00 229376 ----a-w c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 11:33 . 2008-05-09 10:53 420352 ----a-w c:\windows\system32\dllcache\vbscript.dll
2009-03-08 11:33 . 2004-08-04 04:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:33 . 2004-08-04 04:00 125952 ----a-w c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 11:32 . 2004-08-04 04:00 72704 ----a-w c:\windows\system32\dllcache\admparse.dll
2009-03-08 11:32 . 2004-08-04 04:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2004-08-04 04:00 173056 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 11:32 . 2004-08-04 04:00 163840 ----a-w c:\windows\system32\dllcache\ieakui.dll
2009-03-08 11:32 . 2004-08-04 04:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:32 . 2004-08-04 04:00 71680 ----a-w c:\windows\system32\dllcache\iesetup.dll
2009-03-08 11:32 . 2004-08-04 04:00 55808 ----a-w c:\windows\system32\dllcache\iernonce.dll
2009-03-08 11:32 . 2004-08-04 04:00 128512 ----a-w c:\windows\system32\dllcache\advpack.dll
2009-03-08 11:32 . 2004-08-04 04:00 94720 ----a-w c:\windows\system32\dllcache\inseng.dll
2009-03-08 11:32 . 2007-05-09 01:14 594432 ----a-w c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 11:32 . 2007-05-09 01:14 1985024 ----a-w c:\windows\system32\dllcache\iertutil.dll
2009-03-08 11:32 . 2004-08-04 04:00 611840 ----a-w c:\windows\system32\dllcache\mstime.dll
2009-03-08 11:24 . 2004-08-04 04:00 68608 ----a-w c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 11:22 . 2004-08-04 04:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-08 11:22 . 2004-08-04 04:00 156160 ----a-w c:\windows\system32\dllcache\msls31.dll
2009-03-08 11:11 . 2007-05-09 01:14 445952 ----a-w c:\windows\system32\dllcache\ieapfltr.dll
2009-03-07 18:18 . 2008-11-28 18:56 -------- d-----w c:\program files\AIMTunes
2009-03-07 07:12 . 2006-12-07 02:35 -------- d-----w c:\program files\AIM6
2009-03-07 07:07 . 2007-08-20 02:38 -------- d-----w c:\program files\PopUp Killer
2009-03-07 06:34 . 2009-03-07 06:32 -------- d-----w c:\program files\CA Yahoo! Anti-Spy
2009-03-07 06:32 . 2006-07-20 04:54 -------- d-----w c:\program files\Common Files\Scanner
2009-03-06 14:22 . 2004-08-04 04:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-02 03:21 . 2007-06-06 02:05 -------- d-----w c:\documents and settings\HP_Owner\Application Data\LimeWire
2009-02-09 12:10 . 2004-08-04 04:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 11:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 04:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 04:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2008-10-14 22:20 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2004-08-04 04:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2008-10-14 22:20 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-07 04:07 . 2007-05-09 01:14 3698584 ----a-w c:\windows\system32\dllcache\ieapfltr.dat
2009-02-06 11:11 . 2004-08-04 04:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2008-10-14 22:20 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-14 22:20 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 11:06 . 2004-08-04 04:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 04:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:39 . 2004-08-04 04:00 35328 ----a-w c:\windows\system32\dllcache\sc.exe
2009-02-06 10:32 . 2008-10-14 22:20 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 10:32 . 2004-08-04 11:00 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 19:59 . 2004-08-04 04:00 56832 ----a-w c:\windows\system32\secur32.dll
2007-12-01 19:45 . 2007-09-26 02:28 81920 ----a-w c:\documents and settings\HP_Owner\Application Data\ezpinst.exe
2007-12-01 19:45 . 2007-08-19 19:13 47360 ----a-w c:\documents and settings\HP_Owner\Application Data\pcouffin.sys
2007-05-16 03:46 . 2006-02-19 03:33 744 -c--a-w c:\documents and settings\HP_Owner\Application Data\wklnhst.dat
2005-06-16 16:57 . 2005-06-16 16:52 131 -c--a-w c:\documents and settings\HP_Owner\Local Settings\Application Data\fusioncache.dat
2004-12-03 20:44 . 2009-04-14 01:19 128 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2006-06-21 03:51 . 2006-06-21 03:50 1080704 -csha-w c:\windows\system32\ehkmp.tmp
2008-09-11 23:18 . 2008-09-11 23:18 32768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091120080912\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B276A7A1-7486-409D-9C35-422591247825}]
2008-04-14 00:11 97280 ----a-w c:\windows\system32\camoc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-12-03 180269]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-28 222720]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-03-18 61952]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-04-07 90112]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-04-07 2805248]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-10 1634304]

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
HP Organize.lnk - c:\program files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-12-3 36864]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2004-12-3 45056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 23:18 413696 ----a-w c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18637:TCP"= 18637:TCP:BitComet 18637 TCP
"18637:UDP"= 18637:UDP:BitComet 18637 UDP

S0 lcrljfbu;lcrljfbu;c:\windows\system32\drivers\lcrljfbu.sys [2004-08-04 23424]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1005000.087\SYMEFA.SYS [2009-03-12 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\NIS\1005000.087\BHDrvx86.sys [2009-03-12 258608]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NIS\1005000.087\ccHPx86.sys [2009-04-13 482352]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090414.001\IDSxpx86.sys [2009-01-29 276344]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe [2009-03-12 115560]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
S2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-04-12 101936]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-04-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2009-04-18 c:\windows\Tasks\User_Feed_Synchronization-{499F650B-6AA7-43D1-A679-DA6FF2A36934}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
- - - - ORPHANS REMOVED - - - -

BHO-{4EA7840B-5D43-49CF-8B59-F7F7E54D1540} - (no file)
HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 YFF3 Firefox/3.0.8 (.NET
Notify-NavLogon - (no file)
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\4swm9ju6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1682449&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - F.T.A Customized Web Search
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1682449&SearchSource=2&q=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\4swm9ju6.default\extensions\{f904d379-5b2e-44ee-96c9-3b51bd98696c}\components\FFAlert.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-17 23:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.5.0.135\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1272678525-57598140-2859600444-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2576)
c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\program files\PC Connectivity Solution\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\nexon\MapleStory\npkcmsvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Norton Internet Security\Engine\16.5.0.135\CLTLMH.EXE
.
**************************************************************************
.
Completion time: 2009-04-18 23:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-18 06:42

Pre-Run: 190,516,588,544 bytes free
Post-Run: 190,397,243,392 bytes free

366 --- E O F --- 2009-04-16 22:02


Am I supposed to delete ComboFix after using it? Thanks.

#9 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom
  • Local time:11:33 PM

Posted 18 April 2009 - 06:17 AM

Hello,

Viewpoint

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This has changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

CFScript

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

Reglockdel::
[HKEY_USERS\S-1-5-21-1272678525-57598140-2859600444-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

Driver::
lcrljfbu

File::
c:\windows\system32\ehkmp.tmp
c:\windows\system32\drivers\lcrljfbu.sys


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#10 Tony73

Tony73
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male
  • Local time:03:33 PM

Posted 18 April 2009 - 12:56 PM

ComboFix 09-04-18.05 - HP_Owner 04/18/2009 10:42.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.527 [GMT -7:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\drivers\lcrljfbu.sys
c:\windows\system32\ehkmp.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\drivers\lcrljfbu.sys
c:\windows\system32\ehkmp.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LCRLJFBU
-------\Service_lcrljfbu


((((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 )))))))))))))))))))))))))))))))
.

2009-04-16 22:11 . 2009-04-16 22:11 -------- d-----w C:\_OTMoveIt
2009-04-16 05:35 . 2009-04-16 05:37 1374 ----a-w c:\windows\imsins.BAK
2009-04-16 05:31 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 05:31 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 05:31 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 05:31 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 05:31 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 05:31 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 05:31 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 05:31 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 05:31 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 05:30 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 05:30 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 05:30 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 23:06 . 2009-04-15 23:06 -------- d-----w c:\documents and settings\HP_Owner\DoctorWeb
2009-04-14 01:20 . 2009-04-14 01:20 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-04-14 00:27 . 2009-03-12 08:42 36400 ----a-r c:\windows\system32\drivers\SymIM.sys
2009-04-13 05:00 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-13 05:00 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-13 05:00 . 2009-04-13 05:00 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-12 22:35 . 2009-04-12 22:35 -------- d-----w c:\program files\CCleaner
2009-04-12 22:14 . 2009-04-13 22:31 -------- d-----w c:\program files\Symantec
2009-04-12 22:14 . 2009-04-13 22:31 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-04-12 22:14 . 2009-04-13 22:31 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-12 22:14 . 2009-04-13 22:31 60808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-04-12 22:14 . 2009-04-13 22:31 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-12 22:13 . 2009-04-14 00:59 -------- d-----w c:\windows\system32\drivers\NIS
2009-04-12 22:13 . 2009-04-12 22:13 -------- d-----w c:\program files\Norton Internet Security
2009-04-12 22:13 . 2009-04-12 22:13 -------- d-----w c:\program files\Windows Sidebar
2009-04-12 22:07 . 2009-04-12 22:07 -------- d-----w c:\documents and settings\All Users\Application Data\PCSettings
2009-04-12 19:03 . 2009-04-12 19:03 -------- d-----w c:\program files\Trend Micro
2009-04-12 06:05 . 2009-04-12 06:05 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2009-04-12 06:05 . 2009-04-12 06:05 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-12 03:36 . 2009-04-12 22:13 -------- d-----w c:\documents and settings\All Users\Application Data\Norton
2009-04-12 03:36 . 2009-04-12 03:36 -------- d-----w c:\program files\NortonInstaller
2009-04-12 03:18 . 2009-04-12 22:13 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-04-12 03:14 . 2009-04-12 03:17 -------- d-----w c:\documents and settings\HP_Owner\Application Data\GetRightToGo
2009-04-12 02:07 . 2009-04-12 02:25 -------- d-----w c:\program files\Enigma Software Group
2009-04-11 22:53 . 2009-04-12 02:27 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-11 21:03 . 2009-04-11 21:55 -------- d-----w c:\program files\Exterminate It!
2009-04-11 19:41 . 2009-04-13 03:15 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-11 19:41 . 2009-04-11 19:44 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-11 01:20 . 2008-04-14 00:11 97280 ----a-w c:\windows\system32\camoc.dll
2009-04-08 04:59 . 2009-04-08 04:59 -------- d-----w c:\program files\iTunes
2009-04-08 04:59 . 2009-04-08 04:59 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-08 04:56 . 2009-04-08 04:57 -------- d-----w c:\program files\QuickTime
2009-04-08 04:44 . 2009-04-08 04:44 -------- d-----w c:\program files\Apple Software Update
2009-04-04 17:49 . 2009-04-04 17:49 -------- d-sh--w c:\documents and settings\HP_Owner\IECompatCache
2009-04-03 02:06 . 2009-04-03 02:06 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-03 02:02 . 2009-04-03 02:02 -------- d-sh--w c:\documents and settings\HP_Owner\PrivacIE
2009-04-03 02:00 . 2009-04-03 02:00 -------- d-sh--w c:\documents and settings\HP_Owner\IETldCache
2009-04-03 01:58 . 2009-04-03 01:58 -------- d-----w c:\windows\ie8updates
2009-04-03 01:48 . 2009-04-03 01:56 -------- dc-h--w c:\windows\ie8
2009-04-03 01:46 . 2009-02-28 04:55 105984 ------w c:\windows\system32\dllcache\iecompat.dll
2009-04-01 19:59 . 2009-01-09 19:19 1089593 ------w c:\windows\system32\dllcache\ntprint.cat
2009-04-01 01:45 . 2009-04-01 02:05 -------- d-----w c:\windows\SxsCaPendDel
2009-03-31 22:23 . 2009-03-31 22:23 -------- d-----w c:\program files\Windows Defender
2009-03-31 03:45 . 2009-03-31 03:45 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-31 03:45 . 2009-04-14 00:52 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-31 03:45 . 2009-04-14 00:52 -------- d-----w c:\documents and settings\HP_Owner\Application Data\SUPERAntiSpyware.com
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-21 00:16 . 2009-03-09 12:19 410984 ----a-w c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 17:49 . 2004-12-03 20:40 3645 ----a-w c:\windows\viassary-hp.reg
2009-04-18 17:42 . 2004-08-04 04:00 23424 ----a-w c:\windows\system32\drivers\pmjwytrp.sys
2009-04-18 17:37 . 2007-01-12 02:20 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Viewpoint
2009-04-18 17:37 . 2005-06-19 01:03 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-18 17:37 . 2005-06-19 01:03 -------- d-----w c:\program files\Viewpoint
2009-04-17 00:19 . 2004-12-03 20:08 -------- d-----w c:\program files\Java
2009-04-16 22:41 . 2005-06-16 16:57 87280 -c--a-w c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-16 05:34 . 2007-10-20 20:19 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-14 00:51 . 2009-01-04 23:10 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-12 23:11 . 2004-12-03 20:58 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-12 22:11 . 2004-12-03 20:58 -------- d-----w c:\program files\Norton AntiVirus
2009-04-12 03:38 . 2004-12-03 20:58 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-04-12 02:33 . 2009-01-03 20:07 -------- d-----w c:\program files\Pando Networks
2009-04-08 04:59 . 2004-12-03 20:37 -------- d-----w c:\program files\iPod
2009-04-08 04:59 . 2008-01-06 03:43 -------- d-----w c:\program files\Common Files\Apple
2009-04-03 02:02 . 2006-07-20 04:54 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-04-03 01:51 . 2006-12-31 01:01 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-03 01:51 . 2005-07-15 03:37 -------- d-----w c:\program files\Yahoo!
2009-04-03 01:45 . 2007-07-28 21:18 -------- d-----w c:\program files\BitComet
2009-04-01 20:08 . 2009-01-02 03:27 -------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-03-19 23:32 . 2006-09-19 22:44 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-08 21:09 . 2004-08-04 04:00 638816 ----a-w c:\windows\system32\dllcache\iexplore.exe
2009-03-08 21:09 . 2004-08-04 04:00 391536 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 11:41 . 2004-08-04 04:00 5937152 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-03-08 11:39 . 2007-05-09 01:14 11063808 ----a-w c:\windows\system32\dllcache\ieframe.dll
2009-03-08 11:34 . 2004-08-04 04:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2004-08-04 04:00 914944 ----a-w c:\windows\system32\dllcache\wininet.dll
2009-03-08 11:34 . 2004-08-04 04:00 1206784 ----a-w c:\windows\system32\dllcache\urlmon.dll
2009-03-08 11:34 . 2004-08-04 04:00 236544 ----a-w c:\windows\system32\dllcache\webcheck.dll
2009-03-08 11:34 . 2004-08-04 04:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:34 . 2004-08-04 04:00 43008 ----a-w c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 11:34 . 2004-08-04 04:00 105984 ----a-w c:\windows\system32\dllcache\url.dll
2009-03-08 11:34 . 2004-08-04 04:00 193536 ----a-w c:\windows\system32\dllcache\msrating.dll
2009-03-08 11:34 . 2004-08-04 04:00 109568 ----a-w c:\windows\system32\dllcache\occache.dll
2009-03-08 11:33 . 2004-08-04 04:00 759296 ----a-w c:\windows\system32\dllcache\VGX.dll
2009-03-08 11:33 . 2004-08-04 04:00 18944 ----a-w c:\windows\system32\dllcache\corpol.dll
2009-03-08 11:33 . 2004-08-04 04:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2004-08-04 04:00 25600 ----a-w c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 11:33 . 2008-05-09 10:53 726528 ----a-w c:\windows\system32\dllcache\jscript.dll
2009-03-08 11:33 . 2004-08-04 04:00 229376 ----a-w c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 11:33 . 2008-05-09 10:53 420352 ----a-w c:\windows\system32\dllcache\vbscript.dll
2009-03-08 11:33 . 2004-08-04 04:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:33 . 2004-08-04 04:00 125952 ----a-w c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 11:32 . 2004-08-04 04:00 72704 ----a-w c:\windows\system32\dllcache\admparse.dll
2009-03-08 11:32 . 2004-08-04 04:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2004-08-04 04:00 173056 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 11:32 . 2004-08-04 04:00 163840 ----a-w c:\windows\system32\dllcache\ieakui.dll
2009-03-08 11:32 . 2004-08-04 04:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:32 . 2004-08-04 04:00 71680 ----a-w c:\windows\system32\dllcache\iesetup.dll
2009-03-08 11:32 . 2004-08-04 04:00 55808 ----a-w c:\windows\system32\dllcache\iernonce.dll
2009-03-08 11:32 . 2004-08-04 04:00 128512 ----a-w c:\windows\system32\dllcache\advpack.dll
2009-03-08 11:32 . 2004-08-04 04:00 94720 ----a-w c:\windows\system32\dllcache\inseng.dll
2009-03-08 11:32 . 2007-05-09 01:14 594432 ----a-w c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 11:32 . 2007-05-09 01:14 1985024 ----a-w c:\windows\system32\dllcache\iertutil.dll
2009-03-08 11:32 . 2004-08-04 04:00 611840 ----a-w c:\windows\system32\dllcache\mstime.dll
2009-03-08 11:24 . 2004-08-04 04:00 68608 ----a-w c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 11:22 . 2004-08-04 04:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-08 11:22 . 2004-08-04 04:00 156160 ----a-w c:\windows\system32\dllcache\msls31.dll
2009-03-08 11:11 . 2007-05-09 01:14 445952 ----a-w c:\windows\system32\dllcache\ieapfltr.dll
2009-03-07 18:18 . 2008-11-28 18:56 -------- d-----w c:\program files\AIMTunes
2009-03-07 07:12 . 2006-12-07 02:35 -------- d-----w c:\program files\AIM6
2009-03-07 07:07 . 2007-08-20 02:38 -------- d-----w c:\program files\PopUp Killer
2009-03-07 06:34 . 2009-03-07 06:32 -------- d-----w c:\program files\CA Yahoo! Anti-Spy
2009-03-07 06:32 . 2006-07-20 04:54 -------- d-----w c:\program files\Common Files\Scanner
2009-03-06 14:22 . 2004-08-04 04:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-02 03:21 . 2007-06-06 02:05 -------- d-----w c:\documents and settings\HP_Owner\Application Data\LimeWire
2009-02-09 12:10 . 2004-08-04 04:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 11:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 04:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 04:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2008-10-14 22:20 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2004-08-04 04:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2008-10-14 22:20 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-07 04:07 . 2007-05-09 01:14 3698584 ----a-w c:\windows\system32\dllcache\ieapfltr.dat
2009-02-06 11:11 . 2004-08-04 04:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2008-10-14 22:20 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-14 22:20 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 11:06 . 2004-08-04 04:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 04:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:39 . 2004-08-04 04:00 35328 ----a-w c:\windows\system32\dllcache\sc.exe
2009-02-06 10:32 . 2008-10-14 22:20 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 10:32 . 2004-08-04 11:00 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 19:59 . 2004-08-04 04:00 56832 ----a-w c:\windows\system32\secur32.dll
2007-12-01 19:45 . 2007-09-26 02:28 81920 ----a-w c:\documents and settings\HP_Owner\Application Data\ezpinst.exe
2007-12-01 19:45 . 2007-08-19 19:13 47360 ----a-w c:\documents and settings\HP_Owner\Application Data\pcouffin.sys
2007-05-16 03:46 . 2006-02-19 03:33 744 -c--a-w c:\documents and settings\HP_Owner\Application Data\wklnhst.dat
2005-06-16 16:57 . 2005-06-16 16:52 131 -c--a-w c:\documents and settings\HP_Owner\Local Settings\Application Data\fusioncache.dat
2004-12-03 20:44 . 2009-04-14 01:19 128 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2008-09-11 23:18 . 2008-09-11 23:18 32768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091120080912\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-18_06.38.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-18 17:47 . 2009-04-18 17:47 16384 c:\windows\Temp\Perflib_Perfdata_7a8.dat
+ 2009-04-18 17:47 . 2009-04-18 17:47 16384 c:\windows\Temp\Perflib_Perfdata_718.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B276A7A1-7486-409D-9C35-422591247825}]
2008-04-14 00:11 97280 ----a-w c:\windows\system32\camoc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-12-03 180269]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-28 222720]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-03-18 61952]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-04-07 90112]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-04-07 2805248]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-10 1634304]

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
HP Organize.lnk - c:\program files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-12-3 36864]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2004-12-3 45056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 23:18 413696 ----a-w c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18637:TCP"= 18637:TCP:BitComet 18637 TCP
"18637:UDP"= 18637:UDP:BitComet 18637 UDP

S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\NIS\1005000.087\BHDrvx86.sys [2009-03-12 258608]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NIS\1005000.087\ccHPx86.sys [2009-04-13 482352]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090414.001\IDSxpx86.sys [2009-01-29 276344]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-04-12 101936]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - LCRLJFBU

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-04-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2009-04-18 c:\windows\Tasks\User_Feed_Synchronization-{499F650B-6AA7-43D1-A679-DA6FF2A36934}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
- - - - ORPHANS REMOVED - - - -

BHO-{4EA7840B-5D43-49CF-8B59-F7F7E54D1540} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\4swm9ju6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1682449&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - F.T.A Customized Web Search
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1682449&SearchSource=2&q=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\4swm9ju6.default\extensions\{f904d379-5b2e-44ee-96c9-3b51bd98696c}\components\FFAlert.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 10:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.5.0.135\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2676)
c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\program files\PC Connectivity Solution\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Windows Defender\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
c:\nexon\MapleStory\npkcmsvc.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
c:\windows\system32\wscntfy.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-18 10:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-18 17:52
ComboFix2.txt 2009-04-18 06:42

Pre-Run: 190,382,530,560 bytes free
Post-Run: 190,369,087,488 bytes free

366 --- E O F --- 2009-04-16 22:02
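The CFScript in reply #9 asks ComboFix to remove two files and one driver, and the log above is the record of what ComboFix actually did; the same log also reports, under "Reg Loading Points", settings a defender would want to notice (Security Center monitoring disabled, Windows Firewall off, globally open ports, an AutoRun command on a mount point). As an added example, not part of the thread and not ComboFix's own code, the Python script below cross-checks a CFScript against the log it produced and flags those weak settings. The sample inputs are copied (abridged) from replies #9 and #10; the function names and the flag rules are this example's own assumptions.

```python
"""Cross-check a ComboFix CFScript against the log it produced, then flag
weak settings listed under "Reg Loading Points".

Added example for this thread; not ComboFix code and not code from the
posts. Helper names and flag rules are this example's own assumptions.
"""
import re

# CFScript from reply #9 (constructed sample, copied from the thread).
CFSCRIPT = r"""Reglockdel::
[HKEY_USERS\S-1-5-21-1272678525-57598140-2859600444-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

Driver::
lcrljfbu

File::
c:\windows\system32\ehkmp.tmp
c:\windows\system32\drivers\lcrljfbu.sys
"""

# Abridged ComboFix log from reply #10 (constructed sample, headers shortened).
COMBOFIX_LOG = r"""(((((((( Other Deletions ))))))))
.
c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\drivers\lcrljfbu.sys
c:\windows\system32\ehkmp.tmp
.
(((((((( Drivers/Services ))))))))
.
-------\Legacy_LCRLJFBU
-------\Service_lcrljfbu
(((((((( Reg Loading Points ))))))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18637:TCP"= 18637:TCP:BitComet 18637 TCP
"18637:UDP"= 18637:UDP:BitComet 18637 UDP
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe
.
(((((((( Find3M Report ))))))))
"""

# ComboFix section headers look like "(((( Title ))))".
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")


def split_sections(log):
    """Map each ComboFix section title to the non-empty lines beneath it."""
    sections, current = {}, None
    for line in log.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip() not in ("", "."):
            sections[current].append(line.rstrip())
    return sections


def parse_cfscript(text):
    """Map each CFScript directive (File, Driver, ...) to its entries."""
    directives, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("::"):
            current = line[:-2]
            directives[current] = []
        elif line and current is not None:
            directives[current].append(line)
    return directives


def verify_removals(cfscript, log):
    """Return {entry: removed?} for every File:: and Driver:: request."""
    want, have = parse_cfscript(cfscript), split_sections(log)
    deleted = {l.lower() for l in have.get("Other Deletions", [])}
    services = " ".join(have.get("Drivers/Services", [])).lower()
    result = {p: p.lower() in deleted for p in want.get("File", [])}
    for drv in want.get("Driver", []):
        result[drv] = ("service_" + drv.lower()) in services
    return result


def weak_settings(log):
    """Flag posture problems reported under Reg Loading Points."""
    findings, key = [], ""
    for line in split_sections(log).get("Reg Loading Points", []):
        if line.startswith("["):
            key = line.strip("[]").lower()
            continue
        low = line.lower()
        if "security center\\monitoring" in key and '"disablemonitoring"=dword:00000001' in low:
            findings.append("Security Center monitoring disabled: " + key)
        elif '"enablefirewall"= 0' in low:
            findings.append("Windows Firewall disabled: " + key)
        elif "globallyopenports" in key:
            findings.append("Globally open port: " + line.strip())
        elif "autorun\\command" in low:
            findings.append("AutoRun command on mount point: " + line.strip())
    return findings


if __name__ == "__main__":
    for entry, removed in verify_removals(CFSCRIPT, COMBOFIX_LOG).items():
        print(("removed  " if removed else "MISSING  ") + entry)
    for finding in weak_settings(COMBOFIX_LOG):
        print("flag: " + finding)
```

Run against a real ComboFix.txt by replacing the two sample strings with the file contents; an entry reported as MISSING means the requested deletion does not appear in the log and should be checked by hand, and every flag is a setting that a clean-up should leave in a sane state (firewall on, Security Center monitoring re-enabled) rather than only removing files.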

#11 Tony73

Tony73
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male
  • Local time:03:33 PM

Posted 18 April 2009 - 01:44 PM

Hello, I just scanned with CA Yahoo Antispy and it did not detect the 3 Trojan Sillydl.DJM :thumbup2: .

#12 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom
  • Local time:11:33 PM

Posted 19 April 2009 - 05:57 AM

Hello,

That's good to hear, but one of the infections is rootkit related, so I should give you this warning:

Rootkit Warning

Rootkits are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read:

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Please let me know what you decide to do.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#13 Tony73

Tony73
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:33 PM

Posted 19 April 2009 - 08:03 PM

Since the best thing to do is to reformat, I would like to reformat, but then again I don't have the disk which came with the PC. However, I don't use this computer for any financial activities (only emails, games, etc.) so I don't think it is necessary to reformat.

You said "Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again." How likely is it that I will be re-infected and what can I do to prevent it?

I'm kind of stuck on deciding what to do, but edging more towards reformatting. What are your suggestions?

#14 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:11:33 PM

Posted 20 April 2009 - 05:33 AM

It's really your choice. We can kill it, and in terms of reinfection, I really can't give you an answer. To try and reduce your chances, update your antivirus frequently and use anti-malware scanners such as MalwareBytes' on a frequent occasion. If you do not use it for financial purposes then the huge risk element has been reduced significantly, but you must remember in the future that the PC has been compromised in the past and it will be risky to use it for any financial purposes. It is really your choice.

Edited by Jat90, 20 April 2009 - 10:52 AM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#15 Tony73

Tony73
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:33 PM

Posted 22 April 2009 - 01:19 AM

Hi, I'm going to not reformat my PC. Since the Trojan Sillydl.DJM has been removed, are there any more instructions you have for me? Thanks.
