
jacked by virtumonde, smitfraud others


  • This topic is locked
12 replies to this topic

#1 m850t

m850t

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:43 PM

Posted 09 May 2009 - 06:34 PM

Any assistance would be most appreciated. I was hijacked on 5/2/09. Something was trying to open Word 2000-SR1; I tried to kill it with Task Manager, but got an error message. I did kill it with Ctrl Alt Del.

On reboot, I had issues:
Windows Task Manager: "system administrator will not let me open/run"
Browser redirects (both Explorer and Firefox)
Multiple popup windows when trying to execute anything; specifically, Windows is loading 15-30 instances of a "NO DISK" warning popup
Windows color scheme changes
Message that I've been infected in browser window ("Anti-virus-xppro-2009" redirect)

I am now (5/9/09) getting DEP (data execution prevention) warnings.

I checked for new entries created on 5/2/09 at the hijack time and found several new entries.
Downloaded Spybot. Ran and disinfected. Rebooted. No luck, they returned along with three RUNDLL
popup windows: "Error loading C:\windows\system32\nupodate.dll",
"...rukabipe.dll", and "...tepufepu.dll".

Grabbed screenshots of suspect system32 files on 5/2/09. I'll attempt to attach. (No luck; it's in the My Account | Options | Manage Attachments portion of the forum, if you can tell me how to post it.) Files include: prnet.tmp, d3d9caps, ntdll64.dll, userinit, loadr49, frmwk32.

Backed up. Downloaded and ran DDS - report attached. Reran Spybot without disinfecting - report attached.

I'm having problems with the DDS attachment. It has failed to load five times, each time kicking me off and closing the browser.

Best regards,
Matthew


DDS (Ver_09-03-16.01) - NTFSx86
Run by HP_Administrator at 0:38:03.57 on Sat 05/09/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.507 [GMT -7:00]


============== Running Processes ===============

C:WINDOWSsystem32svchost -k DcomLaunch
svchost.exe
C:WINDOWSSystem32svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32spoolsv.exe
svchost.exe
C:Program FilesCommon FilesAOLACSAOLAcsd.exe
C:Program FilesCommon FilesAOLTopSpeed2.0aoltsmon.exe
C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
C:WINDOWSarservice.exe
C:Program FilesBonjourmDNSResponder.exe
C:WINDOWSeHomeehRecvr.exe
C:WINDOWSeHomeehSched.exe
C:Program FilesCommon FilesLightScribeLSSrvc.exe
C:WINDOWSsystem32nvsvc32.exe
C:WINDOWSsystem32HPZipm12.exe
svchost.exe
C:Program FilesTrend MicroAntivirusTmntsrv.exe
C:Program FilesTrend MicroAntivirustmproxy.exe
C:WINDOWSsystem32dllhost.exe
C:WINDOWSehomeehtray.exe
C:WINDOWSRTHDCPL.EXE
C:WINDOWSARPWRMSG.EXE
C:Program FilesHP DigitalMedia ArchiveDMAScheduler.exe
C:Program FilesTrend MicroAntiviruspccguide.exe
C:Program FilesTrend MicroAntivirusPCClient.exe
C:Program FilesTrend MicroAntivirusTMOAgent.exe
C:WINDOWSsystem32rundll32.exe
C:WINDOWSsystem32rundll32.exe
C:Documents and SettingsHP_AdministratorApplication Datapidlepidle.exe
C:Program FilesSpybot - Search & DestroyTeaTimer.exe
C:Program FilesAdobeAcrobat 7.0Readerreader_sl.exe
C:WINDOWSsystem32wscntfy.exe
C:Program FilesHPDigital Imagingbinhpqtra08.exe
C:Program FilesHPDigital ImagingbinhpqSTE08.exe
c:windowssystemhpsysdrv.exe
C:Program FilesJavajre1.5.0_06binjusched.exe
C:WINDOWSeHomeehmsas.exe
C:Program FilesiTunesiTunesHelper.exe
C:Program FilesDISCDISCover.exe
C:Program FilesDISCDiscUpdMgr.exe
C:Program FilesiPodbiniPodService.exe
C:Documents and SettingsHP_AdministratorDesktopdds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: c:windowssystem32afnoinkdsfe.dll: {c2ba40a1-74f3-42bd-f434-12345a2c8953} - c:windowssystem32afnoinkdsfe.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:program filesaol toolbartoolbar.dll
uRun: [MoneyAgent] "c:program filesmicrosoft moneysystemMoney Express.exe"
uRun: [updateMgr] "c:program filesadobeacrobat 7.0readerAdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [pidle] "c:documents and settingshp_administratorapplication datapidlepidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
uRun: [SpybotSD TeaTimer] c:program filesspybot - search & destroyTeaTimer.exe
uRun: [autochk] rundll32.exe c:docume~1hp_adm~1protect.dll,_IWMPEvents@16
mRun: [ehTray] c:windowsehomeehtray.exe
mRun: [ftutil2] "rundll32.exe" ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:windowssystem32NvCpl.dll,NvStartup
mRun: [DMAScheduler] "c:program fileshp digitalmedia archiveDMAScheduler.exe"
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:program fileshewlett-packardhp boot optimizerHPBootOp.exe" /run
mRun: [pccguide.exe] "c:program filestrend microantiviruspccguide.exe"
mRun: [PCClient.exe] "c:program filestrend microantivirusPCClient.exe"
mRun: [TM Outbreak Agent] "c:program filestrend microantivirusTMOAgent.exe" /run
mRun: [WorksFUD] "c:program filesmicrosoft workswkfud.exe"
mRun: [Microsoft Works Portfolio] "c:program filesmicrosoft worksWksSb.exe" /AllUsers
mRun: [Microsoft Works Update Detection] "c:program filesmicrosoft worksWkDetect.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [CPM5797dac8] Rundll32.exe "c:windowssystem32rukabipe.dll",a
mRun: [sekusokoto] Rundll32.exe "c:windowssystem32tepufepu.dll",s
mRun: [54a4e954] rundll32.exe "c:windowssystem32nupodate.dll",b
mRun: [autochk] rundll32.exe c:windowssystem32autochk.dll,_IWMPEvents@16
dRun: [DWQueuedReporting] "c:progra~1common~1micros~1dwdwtrig20.exe" -t
dRun: [<NO NAME>] c:windowstempryo1730g.exe
dRun: [uidenhiufgsduiazghs] c:windowstempryo1730g.exe
dRun: [Diagnostic Manager] c:windowstemp1007566574.exe
dRun: [A00FE1672.exe] c:windowstemp_A00FE1672.exe
dRun: [autochk] rundll32.exe c:docume~1locals~1protect.dll,_IWMPEvents@16
StartupFolder: c:documents and settingshp_administratorstart menuprogramsstartupChkDisk.dll
StartupFolder: c:docume~1hp_adm~1startm~1programsstartupchkdisk.lnk - c:windowssystem32rundll32.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupadober~1.lnk - c:program filesadobeacrobat 7.0readerreader_sl.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartuphpdigi~1.lnk - c:program fileshpdigital imagingbinhpqtra08.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupmicros~1.lnk - c:program filesmicrosoft officeofficeOSA9.EXE
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &AOL Toolbar search - c:program filesaol toolbartoolbar.dll/SEARCH.HTML
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:windowspchealthhelpctrvendorscn=hewlett-packard,l=cupertino,s=ca,c=usiebuttonsupport.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:program filesmessengermsmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:program filesjavajre1.5.0_06binssv.dll
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:program filesaol toolbartoolbar.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:progra~1spybot~1SDHelper.dll
LSP: c:windowstempntdll64.dll
Trusted Zone: google.comwww
Trusted Zone: live.comlogin
Trusted Zone: live.comonecare
Trusted Zone: msn.comg
Trusted Zone: msn.commoneycentral
Trusted Zone: trendmicro.comhousecall65
Trusted Zone: trymedia.com
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Notify: WRNotifier - WRLogonNTF.dll
Notify: __c00EDCD1 - c:windowssystem32__c00EDCD1.dat
AppInit_DLLs: c:windowssystem32vuzagama.dll c:windowssystem32 c:windowssystem32rukabipe.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:windowssystem32WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:windowssystem32rukabipe.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:windowssystem32rukabipe.dll
STS: c:windowssystem32afnoinkdsfe.dll: {c2ba40a1-74f3-42bd-f434-12345a2c8953} - c:windowssystem32afnoinkdsfe.dll
LSA: Notification Packages = scecli c:windowssystem32vuzagama.dll

================= FIREFOX ===================

FF - ProfilePath - c:docume~1hp_adm~1applic~1mozillafirefoxprofiles7o90wn9u.default
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

---- FIREFOX POLICIES ----
c:program filesmozilla firefoxgreprefsall.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:program filesmozilla firefoxgreprefsall.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("signon.prefillForms", true);

============= SERVICES / DRIVERS ===============

R2 McrdSvc;Media Center Extender Service;c:windowsehomemcrdsvc.exe [2005-8-5 99328]
R2 Tmfilter;Tmfilter;c:windowssystem32driversTmXPFlt.sys [2006-9-13 201984]
R2 Tmntsrv;Trend NT Realtime Service;c:program filestrend microantivirusTmntsrv.exe [2006-9-13 241737]
R2 Tmpreflt;Tmpreflt;c:windowssystem32driverstmpreflt.sys [2006-9-13 20864]
R2 tmproxy;Trend Micro Proxy Service;c:program filestrend microantivirustmproxy.exe [2006-9-13 204873]

=============== Created Last 30 ================

2009-05-08 23:25 50 a------- C:xcrashdump.dat
2009-05-06 22:22 24,064 a--sh--- c:windowssystem32autochk.dll
2009-05-06 22:22 24,064 a--sh--- c:documents and settingshp_administratorprotect.dll
2009-05-05 21:30 27,136 a------- c:windowssystem32__c00EDCD1.dat
2009-05-05 21:30 36,864 a------- c:windowssystem32winglsetup.exe
2009-05-04 22:27 <DIR> --d----- c:windowssystem32NtmsData
2009-05-03 20:34 46 a------- c:windowssystem32p2hhr.bat
2009-05-03 20:34 15,000 a------- c:windowssystem32afnoinkdsfe.dll
2009-05-03 20:34 17,920 a------- c:windowssystem32ak1.exe
2009-05-03 02:43 451 a------- c:windowssystem32win32hlp.cnf
2009-05-03 02:43 1,406,509 ---sh--- c:windowssystem32etadopun.ini
2009-05-03 00:47 <DIR> --d----- c:program filesSpybot - Search & Destroy
2009-05-03 00:47 <DIR> --d----- c:docume~1alluse~1applic~1Spybot - Search & Destroy
2009-05-02 20:42 0 a------- c:windowssystem32NvApps.xml
2009-05-02 20:42 2,184 a------- c:windowssystem32wpa.dbl
2009-05-02 17:30 <DIR> --d----- c:docume~1hp_adm~1applic~1pidle
2009-04-28 07:07 <DIR> --d----- c:windowssystem32LogFiles

==================== Find3M ====================

2009-05-02 17:37 50,688 a--sh--- c:windowssystem32yigohene.exe
2009-03-21 07:18 986,112 -------- c:windowssystem32dllcachekernel32.dll
2009-03-06 07:44 283,648 -------- c:windowssystem32pdh.dll
2009-03-06 07:44 283,648 -------- c:windowssystem32dllcachepdh.dll
2009-03-02 16:27 1,499,136 -------- c:windowssystem32dllcacheshdocvw.dll
2009-02-20 14:44 3,067,904 -------- c:windowssystem32dllcachemshtml.dll
2009-02-19 02:50 18,432 -------- c:windowssystem32dllcacheiedw.exe
2009-02-09 03:20 399,360 a------- c:windowssystem32rpcss.dll
2009-02-09 03:20 723,456 -------- c:windowssystem32lsasrv.dll
2009-02-09 03:20 723,456 -------- c:windowssystem32dllcachelsasrv.dll
2009-02-09 03:20 399,360 -------- c:windowssystem32dllcacherpcss.dll
2009-02-09 03:20 714,752 -------- c:windowssystem32ntdll.dll
2009-02-09 03:20 714,752 -------- c:windowssystem32dllcachentdll.dll
2009-02-09 03:20 616,960 -------- c:windowssystem32dllcacheadvapi32.dll
2009-02-09 03:20 616,960 -------- c:windowssystem32advapi32.dll
2009-02-09 03:20 473,088 -------- c:windowssystem32dllcachefastprox.dll
2009-02-09 03:20 453,120 -------- c:windowssystem32dllcachewmiprvsd.dll
2009-02-09 03:19 1,846,272 a------- c:windowssystem32win32k.sys
2009-02-09 03:19 1,846,272 -------- c:windowssystem32dllcachewin32k.sys
2007-01-24 22:04 1,566 -------- c:docume~1hp_adm~1applic~1wklnhst.dat

============= FINISH: 0:42:01.51 ===============


Spybot.rpt


--- Report generated: 2009-05-09 13:33 ---

Fraud.XPAntivirus: [SBI $F39E0CF4] Settings (Registry value, nothing done)
HKEY_USERS.DEFAULTSoftwareMicrosoftWinId

Fraud.XPAntivirus: [SBI $F39E0CF4] Settings (Registry value, nothing done)
HKEY_USERSS-1-5-19SoftwareMicrosoftWinId

Fraud.XPAntivirus: [SBI $F39E0CF4] Settings (Registry value, nothing done)
HKEY_USERSS-1-5-20SoftwareMicrosoftWinId

Fraud.XPAntivirus: [SBI $F39E0CF4] Settings (Registry value, nothing done)
HKEY_USERSS-1-5-21-3171748865-3456956919-3650734605-1007SoftwareMicrosoftWinId

Fraud.XPAntivirus: [SBI $F39E0CF4] Settings (Registry value, nothing done)
HKEY_USERSS-1-5-18SoftwareMicrosoftWinId

Smitfraud-C.: [SBI $0C72A02F] Configuration file (File, nothing done)
C:WINDOWSsystem32win32hlp.cnf
Properties.size=451
Properties.md5=B7CD5419226DD1E385E7C56ED4817810
Properties.filedate=1241343822
Properties.filedatetext=2009-05-03 02:43:42

Microsoft.Windows.ActiveDesktop: [SBI $99FAD8A8] User settings (Registry change, nothing done)
HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionPoliciesActiveDesktopNoChangingWallpaper

Microsoft.Windows.ActiveDesktop: [SBI $99FAD8A8] User settings (Registry change, nothing done)
HKEY_USERSS-1-5-21-3171748865-3456956919-3650734605-1007SoftwareMicrosoftWindowsCurrentVersionPoliciesActiveDesktopNoChangingWallpaper

Microsoft.Windows.ActiveDesktop: [SBI $99FAD8A8] User settings (Registry change, nothing done)
HKEY_USERSS-1-5-18SoftwareMicrosoftWindowsCurrentVersionPoliciesActiveDesktopNoChangingWallpaper

Microsoft.Windows.Explorer: [SBI $1931FF4D] Settings (Registry change, nothing done)
HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoActiveDesktopChanges

Microsoft.Windows.Explorer: [SBI $1931FF4D] Settings (Registry change, nothing done)
HKEY_USERSS-1-5-21-3171748865-3456956919-3650734605-1007SoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoActiveDesktopChanges

Microsoft.Windows.Explorer: [SBI $1931FF4D] Settings (Registry change, nothing done)
HKEY_USERSS-1-5-18SoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoActiveDesktopChanges

Microsoft.Windows.Explorer: [SBI $DA080EA7] User settings (Registry change, nothing done)
HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoFolderOptions

Microsoft.Windows.Explorer: [SBI $DA080EA7] User settings (Registry change, nothing done)
HKEY_USERSS-1-5-21-3171748865-3456956919-3650734605-1007SoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoFolderOptions

Microsoft.Windows.Explorer: [SBI $DA080EA7] User settings (Registry change, nothing done)
HKEY_USERSS-1-5-18SoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoFolderOptions

Microsoft.WindowsSecurityCenter.FirewallBypass: [SBI $D80580B5] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsListC:WINDOWSexplorer.exe

Microsoft.WindowsSecurityCenter.FirewallBypass: [SBI $21695B76] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINESYSTEMControlSet003ServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsListC:WINDOWSexplorer.exe

Microsoft.WindowsSecurityCenter.TaskManager: [SBI $FD4267D3] Settings (Registry change, nothing done)
HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemDisableTaskMgr

Microsoft.WindowsSecurityCenter.TaskManager: [SBI $FD4267D3] Settings (Registry change, nothing done)
HKEY_USERSS-1-5-21-3171748865-3456956919-3650734605-1007SoftwareMicrosoftWindowsCurrentVersionPoliciesSystemDisableTaskMgr

Microsoft.WindowsSecurityCenter.TaskManager: [SBI $FD4267D3] Settings (Registry change, nothing done)
HKEY_USERSS-1-5-18SoftwareMicrosoftWindowsCurrentVersionPoliciesSystemDisableTaskMgr

Microsoft.WindowsSecurityCenter.RegistryTools: [SBI $D60CD1E3] Settings (Registry change, nothing done)
HKEY_USERS.DEFAULTSOFTWAREMicrosoftWindowsCurrentVersionpoliciessystemDisableRegistryTools

Microsoft.WindowsSecurityCenter.RegistryTools: [SBI $D60CD1E3] Settings (Registry change, nothing done)
HKEY_USERSS-1-5-21-3171748865-3456956919-3650734605-1007SOFTWAREMicrosoftWindowsCurrentVersionpoliciessystemDisableRegistryTools

Microsoft.WindowsSecurityCenter.RegistryTools: [SBI $D60CD1E3] Settings (Registry change, nothing done)
HKEY_USERSS-1-5-18SOFTWAREMicrosoftWindowsCurrentVersionpoliciessystemDisableRegistryTools

DNSFlush.cws: [SBI $893785D8] Autorun settings () (Registry value, nothing done)
HKEY_USERS.DEFAULTSOFTWAREMicrosoftWindowsCurrentVersionRun

DNSFlush.cws: [SBI $893785D8] Program file (File, nothing done)
C:WINDOWSTEMPryo1730g.exe
Properties.size=15001
Properties.md5=B2B7A1A52F620922330229A1B5DF161E
Properties.filedate=1241408055
Properties.filedatetext=2009-05-03 20:34:14

DNSFlush.cws: [SBI $893785D8] Autorun settings (uidenhiufgsduiazghs) (Registry value, nothing done)
HKEY_USERS.DEFAULTSOFTWAREMicrosoftWindowsCurrentVersionRunuidenhiufgsduiazghs

DNSFlush.cws: [SBI $893785D8] Autorun settings (Diagnostic Manager) (Registry value, nothing done)
HKEY_USERS.DEFAULTSOFTWAREMicrosoftWindowsCurrentVersionRunDiagnostic Manager

DNSFlush.cws: [SBI $893785D8] Program file (File, nothing done)
C:WINDOWSTEMP1007566574.exe
Properties.size=19457
Properties.md5=2BF204A1BAD739A7F6B9A30752F8BD32
Properties.filedate=1241408076
Properties.filedatetext=2009-05-03 20:34:35

DNSFlush.cws: [SBI $893785D8] Autorun settings (Diagnostic Manager) (Registry value, nothing done)
HKEY_USERSS-1-5-21-3171748865-3456956919-3650734605-1007SOFTWAREMicrosoftWindowsCurrentVersionRunDiagnostic Manager

DNSFlush.cws: [SBI $893785D8] Program file (File, nothing done)
C:DOCUME~1HP_ADM~1LOCALS~1Temp3016527910.exe
Properties.size=19457
Properties.md5=2BF204A1BAD739A7F6B9A30752F8BD32
Properties.filedate=1241895322
Properties.filedatetext=2009-05-09 11:55:21

DNSFlush.cws: [SBI $893785D8] Autorun settings () (Registry value, nothing done)
HKEY_USERSS-1-5-18SOFTWAREMicrosoftWindowsCurrentVersionRun

DNSFlush.cws: [SBI $893785D8] Autorun settings (uidenhiufgsduiazghs) (Registry value, nothing done)
HKEY_USERSS-1-5-18SOFTWAREMicrosoftWindowsCurrentVersionRunuidenhiufgsduiazghs

DNSFlush.cws: [SBI $893785D8] Autorun settings (Diagnostic Manager) (Registry value, nothing done)
HKEY_USERSS-1-5-18SOFTWAREMicrosoftWindowsCurrentVersionRunDiagnostic Manager

DNSFlush.cws: [SBI $455D41DA] User settings (Registry change, nothing done)
HKEY_USERSS-1-5-21-3171748865-3456956919-3650734605-1007SoftwareMicrosoftInternet ExplorerNew WindowsPopupMgr

DNSFlush.cws: [SBI $9C28881C] User settings (Registry change, nothing done)
HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionExplorerAdvancedHidden

DNSFlush.cws: [SBI $9C28881C] User settings (Registry change, nothing done)
HKEY_USERSS-1-5-21-3171748865-3456956919-3650734605-1007SoftwareMicrosoftWindowsCurrentVersionExplorerAdvancedHidden

DNSFlush.cws: [SBI $9C28881C] User settings (Registry change, nothing done)
HKEY_USERSS-1-5-18SoftwareMicrosoftWindowsCurrentVersionExplorerAdvancedHidden

DNSFlush.cws: [SBI $FB926B58] User settings (Registry change, nothing done)
HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionExplorerAdvancedHideFileExt

DNSFlush.cws: [SBI $FB926B58] User settings (Registry change, nothing done)
HKEY_USERSS-1-5-21-3171748865-3456956919-3650734605-1007SoftwareMicrosoftWindowsCurrentVersionExplorerAdvancedHideFileExt

DNSFlush.cws: [SBI $FB926B58] User settings (Registry change, nothing done)
HKEY_USERSS-1-5-18SoftwareMicrosoftWindowsCurrentVersionExplorerAdvancedHideFileExt

DNSFlush.cws: [SBI $A1906895] User settings (Registry change, nothing done)
HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionExplorerAdvancedSuperHidden

DNSFlush.cws: [SBI $A1906895] User settings (Registry change, nothing done)
HKEY_USERSS-1-5-21-3171748865-3456956919-3650734605-1007SoftwareMicrosoftWindowsCurrentVersionExplorerAdvancedSuperHidden

DNSFlush.cws: [SBI $A1906895] User settings (Registry change, nothing done)
HKEY_USERSS-1-5-18SoftwareMicrosoftWindowsCurrentVersionExplorerAdvancedSuperHidden

PWS.LDPinchIE: [SBI $32D83D62] User settings (Registry value, nothing done)
HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionExploreridstrf

PWS.LDPinchIE: [SBI $32D83D62] User settings (Registry value, nothing done)
HKEY_USERSS-1-5-21-3171748865-3456956919-3650734605-1007SoftwareMicrosoftWindowsCurrentVersionExploreridstrf

PWS.LDPinchIE: [SBI $32D83D62] User settings (Registry value, nothing done)
HKEY_USERSS-1-5-18SoftwareMicrosoftWindowsCurrentVersionExploreridstrf

Virtumonde: [SBI $379DCD9F] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotify__c00EDCD1

Virtumonde: [SBI $B357FB6F] Library (File, nothing done)
C:WINDOWSsystem32__c00EDCD1.dat
Properties.size=27136
Properties.md5=E9BDD9027F1E1FA8BB556D7B2FDE0101
Properties.filedate=1241850080
Properties.filedatetext=2009-05-08 23:21:19

Virtumonde: [SBI $BA8653F6] Autorun settings (A00FE1672.exe) (Registry value, nothing done)
HKEY_USERS.DEFAULTSOFTWAREMicrosoftWindowsCurrentVersionRunA00FE1672.exe

Virtumonde: [SBI $BA8653F6] Program file (File, nothing done)
C:WINDOWSTEMP_A00FE1672.exe
Properties.size=36864
Properties.md5=92BA151F6F9D980146E5EADADF6FE933
Properties.filedate=1241584211
Properties.filedatetext=2009-05-05 21:30:11

Virtumonde: [SBI $BA8653F6] Autorun settings (A00FE1672.exe) (Registry value, nothing done)
HKEY_USERSS-1-5-18SOFTWAREMicrosoftWindowsCurrentVersionRunA00FE1672.exe

Virtumonde: [SBI $4D2BC948] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINESOFTWAREMicrosoftcontim

Virtumonde: [SBI $D510A69C] Configuration file (File, nothing done)
C:WINDOWSsystem32etadopun.ini
Properties.size=1406509
Properties.md5=6A0802A26250B4808875BA815E84931E
Properties.filedate=1241343824
Properties.filedatetext=2009-05-03 02:43:44

Virtumonde.prx: [SBI $85112C1D] Autorun settings (CPM5797dac8) (Registry value, nothing done)
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunCPM5797dac8

Virtumonde.prx: [SBI $85112C1D] Autorun settings (sekusokoto) (Registry value, nothing done)
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunsekusokoto

Virtumonde.prx: [SBI $85112C1D] Autorun settings (54a4e954) (Registry value, nothing done)
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun54a4e954

Virtumonde.sdn: [SBI $B1A14C09] Library (File, nothing done)
C:Documents and SettingsHP_Administratorprotect.dll
Properties.size=24064
Properties.md5=34394DABD7A6A9511413D1558376C1AF
Properties.filedate=1241673733
Properties.filedatetext=2009-05-06 22:22:13

Virtumonde.sdn: [SBI $B1A14C09] Library (File, nothing done)
C:Documents and SettingsLocalServiceprotect.dll
Properties.size=24064
Properties.md5=34394DABD7A6A9511413D1558376C1AF
Properties.filedate=1241673949
Properties.filedatetext=2009-05-06 22:25:49

Virtumonde.sdn: [SBI $B1A14C09] Library (File, nothing done)
C:WINDOWSsystem32configsystemprofileprotect.dll
Properties.size=24064
Properties.md5=34394DABD7A6A9511413D1558376C1AF
Properties.filedate=1241673733
Properties.filedatetext=2009-05-06 22:22:13

Win32.TDSS.rtk: [SBI $05E456BF] File (File, nothing done)
C:WINDOWSsystem32ovfsthcohblvftgvtrwycakddgcbgbwnomagsj.dll
Properties.size=0
Properties.md5=42CB8125BAB8199B232ED96570927173

Win32.TDSS.rtk: [SBI $05E456BF] File (File, nothing done)
C:WINDOWSsystem32ovfsthewamhcmkeodgdvkjuockiaonvdproocb.dll
Properties.size=0
Properties.md5=09917F084026ADA29573CE10F47FDCDB

Win32.TDSS.rtk: [SBI $05E456BF] File (File, nothing done)
C:WINDOWSsystem32ovfsthvjjftaythhnlgwuoyvbyetqghbaoscmn.dll
Properties.size=0
Properties.md5=223A2C5B6F789FE75A36C4CC061881CA

Win32.TDSS.rtk: [SBI $DB1744B9] File (File, nothing done)
C:WINDOWSsystem32driversovfsthxenkcjsappqtxeidowooudbdjuhrlkxx.sys
Properties.size=0
Properties.md5=653FA464ED4A41C2F4A7F38ACF9DFDEF

AdRevolver: Tracking cookie (Firefox: HP_Administrator (default)) (Cookie, nothing done)

AdRevolver: Tracking cookie (Firefox: HP_Administrator (default)) (Cookie, nothing done)

MediaPlex: Tracking cookie (Firefox: HP_Administrator (default)) (Cookie, nothing done)

BurstMedia: Tracking cookie (Firefox: HP_Administrator (default)) (Cookie, nothing done)

BurstMedia: Tracking cookie (Firefox: HP_Administrator (default)) (Cookie, nothing done)

Zedo: Tracking cookie (Firefox: HP_Administrator (default)) (Cookie, nothing done)

DoubleClick: Tracking cookie (Firefox: HP_Administrator (default)) (Cookie, nothing done)

FastClick: Tracking cookie (Firefox: HP_Administrator (default)) (Cookie, nothing done)

FastClick: Tracking cookie (Firefox: HP_Administrator (default)) (Cookie, nothing done)

FastClick: Tracking cookie (Firefox: HP_Administrator (default)) (Cookie, nothing done)

FastClick: Tracking cookie (Firefox: HP_Administrator (default)) (Cookie, nothing done)

FastClick: Tracking cookie (Firefox: HP_Administrator (default)) (Cookie, nothing done)

MediaPlex: Tracking cookie (Firefox: HP_Administrator (default)) (Cookie, nothing done)

MediaPlex: Tracking cookie (Firefox: HP_Administrator (default)) (Cookie, nothing done)

Zedo: Tracking cookie (Firefox: HP_Administrator (default)) (Cookie, nothing done)

Zedo: Tracking cookie (Firefox: HP_Administrator (default)) (Cookie, nothing done)

Zedo: Tracking cookie (Firefox: HP_Administrator (default)) (Cookie, nothing done)

AdRevolver: Tracking cookie (Firefox: HP_Administrator (default)) (Cookie, nothing done)


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-05-03 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-03-25 IncludesAdware.sbi (*)
2009-04-28 IncludesAdwareC.sbi (*)
2009-01-22 IncludesCookies.sbi (*)
2009-03-31 IncludesDialer.sbi (*)
2009-04-21 IncludesDialerC.sbi (*)
2009-01-22 IncludesHeavyDuty.sbi (*)
2009-04-21 IncludesHijackers.sbi (*)
2009-04-28 IncludesHijackersC.sbi (*)
2009-03-17 IncludesKeyloggers.sbi (*)
2009-04-28 IncludesKeyloggersC.sbi (*)
2009-04-07 IncludesMalware.sbi (*)
2009-04-28 IncludesMalwareC.sbi (*)
2009-03-25 IncludesPUPS.sbi (*)
2009-04-28 IncludesPUPSC.sbi (*)
2009-01-22 IncludesRevision.sbi (*)
2009-01-13 IncludesSecurity.sbi (*)
2009-04-21 IncludesSecurityC.sbi (*)
2008-06-03 IncludesSpybots.sbi (*)
2008-06-03 IncludesSpybotsC.sbi (*)
2009-04-07 IncludesSpyware.sbi (*)
2009-04-28 IncludesSpywareC.sbi (*)
2009-04-07 IncludesTracks.uti
2009-04-29 IncludesTrojans.sbi (*)
2009-04-29 IncludesTrojansC.sbi (*)
2008-03-04 PluginsChai.dll
2008-03-05 PluginsFennel.dll
2008-02-26 PluginsMate.dll
2007-12-24 PluginsTCPIPAddress.dll
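As an added triage example (not part of the original post, of DDS, or of Spybot), the script below parses the persistence-related lines of a DDS pseudo-HJT report like the one above and flags what a malware-response helper reads first: rundll32 autostarts loading DLLs outside an assumed allowlist, executables launched from temp folders, a DLL dropped at a profile root, policies that disable Task Manager and regedit, a Winsock LSP in temp, a Winlogon Notify package that is not a .dll, AppInit_DLLs and extra LSA notification packages, and any DLL wired into more than one autostart location. The sample lines are copied from the log above with the stripped backslashes restored; KNOWN_RUNDLL_DLLS is an assumed allowlist, not something DDS provides.

```python
import re
from collections import defaultdict, namedtuple

# Constructed sample: persistence lines copied from the DDS "Pseudo HJT Report"
# in the post above, with the backslashes the forum software stripped put back.
SAMPLE_LOG = r"""uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [autochk] rundll32.exe c:\docume~1\hp_adm~1\protect.dll,_IWMPEvents@16
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [CPM5797dac8] Rundll32.exe "c:\windows\system32\rukabipe.dll",a
mRun: [sekusokoto] Rundll32.exe "c:\windows\system32\tepufepu.dll",s
mRun: [54a4e954] rundll32.exe "c:\windows\system32\nupodate.dll",b
dRun: [<NO NAME>] c:\windows\temp\ryo1730g.exe
dRun: [Diagnostic Manager] c:\windows\temp\1007566574.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
LSP: c:\windows\temp\ntdll64.dll
Notify: WRNotifier - WRLogonNTF.dll
Notify: __c00EDCD1 - c:\windows\system32\__c00EDCD1.dat
AppInit_DLLs: c:\windows\system32\vuzagama.dll c:\windows\system32 c:\windows\system32\rukabipe.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\rukabipe.dll
LSA: Notification Packages = scecli c:\windows\system32\vuzagama.dll
"""

Finding = namedtuple("Finding", "location name detail")  # mechanism, entry, reason

# Assumed allowlist of DLLs that legitimately run via rundll32 on this HP box (NVIDIA, HP);
# tune per environment. Anything else is reported for a human to check.
KNOWN_RUNDLL_DLLS = {"nvcpl.dll", "ftutil2.dll"}
LOCKOUT_POLICIES = {"disabletaskmgr", "disableregistrytools", "nofolderoptions"}
TEMP_DIRS = ("\\windows\\temp\\", "\\locals~1\\temp\\", "\\local settings\\temp\\")

RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
POLICY_RE = re.compile(r"^[umd]Policies-\w+: (?P<name>\w+) = (?P<val>\d+)")
NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) - (?P<path>.*)$")
SSODL_RE = re.compile(r"^SSODL: (?P<name>\S+) - \{[^}]*\} - (?P<path>.*)$")

def paths_in(cmd):
    """Drive-letter paths on a command line, lower-cased; quoted paths are taken whole,
    an unquoted one is cut at the first space or comma (good enough for triage)."""
    quoted = re.findall(r'"([^"]+)"', cmd)
    bare = re.findall(r'[a-zA-Z]:\\[^\s,"]+', re.sub(r'"[^"]*"', " ", cmd))
    return [p.lower() for p in quoted + bare if re.match(r"[a-zA-Z]:\\", p)]

def basename(path):
    return path.rsplit("\\", 1)[-1]

def in_temp(path):
    return any(d in path for d in TEMP_DIRS)

def at_profile_root(path):
    # a DLL sitting directly in a user-profile folder, e.g. c:\docume~1\hp_adm~1\protect.dll
    return re.search(r"\\(docume~1|documents and settings)\\[^\\]+\\[^\\]+\.dll$", path) is not None

def triage(report):
    """Return the Findings for one DDS pseudo-HJT report given as text."""
    findings = []
    seen = defaultdict(set)  # dll basename -> autostart locations that reference it
    for line in report.splitlines():
        if m := RUN_RE.match(line):
            cmd = m["cmd"].lower()
            for p in paths_in(cmd):
                seen[basename(p)].add("Run")
                if in_temp(p):
                    findings.append(Finding("Run", m["name"], f"autostart from temp dir: {p}"))
                elif at_profile_root(p):
                    findings.append(Finding("Run", m["name"], f"DLL at profile root: {p}"))
                elif "rundll32" in cmd and p.endswith(".dll") and basename(p) not in KNOWN_RUNDLL_DLLS:
                    findings.append(Finding("Run", m["name"], f"rundll32 loads unrecognised DLL: {p}"))
        elif m := POLICY_RE.match(line):
            if m["name"].lower() in LOCKOUT_POLICIES and m["val"] != "0":
                findings.append(Finding("Policies", m["name"], "admin tool disabled by policy"))
        elif line.startswith("LSP: "):
            p = line[5:].strip().lower()
            if in_temp(p):
                findings.append(Finding("LSP", basename(p), f"Winsock LSP loaded from temp dir: {p}"))
        elif m := NOTIFY_RE.match(line):
            p = m["path"].strip().lower()
            seen[basename(p)].add("Notify")
            if not p.endswith(".dll"):
                findings.append(Finding("Notify", m["name"], f"Winlogon notify package is not a .dll: {p}"))
        elif line.startswith("AppInit_DLLs: "):
            for p in line[14:].lower().split():
                if p.endswith(".dll"):
                    seen[basename(p)].add("AppInit_DLLs")
                    findings.append(Finding("AppInit_DLLs", basename(p), "loaded into every GUI process"))
        elif m := SSODL_RE.match(line):
            seen[basename(m["path"].strip().lower())].add("SSODL")
        elif line.startswith("LSA: Notification Packages = "):
            for p in line.split("=", 1)[1].lower().split():
                if p != "scecli":
                    seen[basename(p)].add("LSA")
                    findings.append(Finding("LSA", basename(p), "extra LSA notification package"))
    # one DLL wired into several autostart locations is the strongest single signal
    for dll, locs in seen.items():
        if len(locs) > 1:
            findings.append(Finding("cross-ref", dll, "same DLL in " + ", ".join(sorted(locs))))
    return findings
```

Running triage(SAMPLE_LOG) returns 15 findings; the cross-reference entries show rukabipe.dll registered as a Run entry, in AppInit_DLLs and as an SSODL object, and vuzagama.dll in both AppInit_DLLs and the LSA notification packages, while the TeaTimer and NvCpl entries are not reported.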


#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:11:43 PM

Posted 25 May 2009 - 10:41 AM

Hi m850t,

Sorry for the delay; the forums here at BC are always very busy and we do our best to keep up. Since your log is quite old and a lot could have changed, I would like to see a new log please. If you no longer require any help, could you let me know please, so this topic can be closed.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Thanks



#3 m850t

m850t
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:43 PM

Posted 25 May 2009 - 07:27 PM

Syler,
Matthew here. Good to hear from you, thank you for the response. RSIT logs to follow.
Current computer condition:
1. USB ports not reading thumb drives
2. Browser being redirected from links in Google
3. Annoying Windows notice popup of "No Disk" still occurring (update since prior posting)
4. Windows "bubble pop" sound being generated for no apparent reason.

I've done several passes with both Malwarebytes and Spybot.
The infected items are in quarantine. Logs available.
(Virtumonde, Smitfraud, TDSS)
Downloaded and ran M$ RootKit Revealer. Confirmed rootkit. Log available.
(TDSS rootkit)
I ran Kaspersky Online Scanner. Output log available.
(found Trojan-Downloader.Win32.Agent & Trojan-Downloader.Win32.Suurch.rc)
I downloaded and ran Avira AntiVir. Infected items are in quarantine. Log available.
(TR/Crypt.ZPACK.Gen, same files as previously discovered rootkits)

Thank you again for your assistance.
Where do we start?
I look forward to your reply.

Matthew
________________________________________________________________
Logfile of random's system information tool 1.06 (written by random/random)
Run by HP_Administrator at 2009-05-25 16:50:14
Microsoft Windows XP Professional Service Pack 2
System drive C: has 211 GB (92%) free of 229 GB
Total RAM: 958 MB (58% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:50:39 PM, on 5/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\HP_Administrator\Desktop\RSIT.exe
C:\Program Files\trend micro\HP_Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] "rundll32.exe" ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [WorksFUD] "C:\Program Files\Microsoft Works\wkfud.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] "C:\Program Files\Microsoft Works\WksSb.exe" /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Microsoft Works\WkDetect.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\HP_ADM~1\protect.dll,_IWMPEvents@16
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SYS32DLL] SYS32DLL (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: login.live.com
O15 - Trusted Zone: http://onecare.live.com
O15 - Trusted Zone: g.msn.com
O15 - Trusted Zone: http://moneycentral.msn.com
O15 - Trusted Zone: http://housecall65.trendmicro.com
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\vuzagama.dll c:\windows\system32\ c:\windows\system32\rukabipe.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe

--
End of file - 10414 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{4982D40A-C53B-4615-B15B-B5B5E98D167C} - AOL Toolbar - C:\Program Files\AOL Toolbar\toolbar.dll [2004-10-21 459968]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-09-29 67584]
"ftutil2"=ftutil2.dll,SetWriteCacheMode []
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-06-13 16239616]
"AlwaysReady Power Message APP"=C:\WINDOWS\ARPWRMSG.EXE [2005-08-02 77312]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-05-09 7311360]
"DMAScheduler"=c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe [2006-04-13 90112]
"PCDrProfiler"= []
"HPBootOp"=C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe [2006-02-15 249856]
"pccguide.exe"=C:\Program Files\Trend Micro\Antivirus\pccguide.exe [2006-09-13 950337]
"PCClient.exe"=C:\Program Files\Trend Micro\Antivirus\PCClient.exe [2006-09-13 634949]
"TM Outbreak Agent"=C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe [2006-09-13 290816]
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe [2000-08-08 24576]
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe [2005-08-18 749568]
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe [2000-08-08 28739]
"nwiz"=nwiz.exe /install []
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-05-27 413696]
"autochk"=C:\WINDOWS\system32\autochk.dll [2009-05-24 23552]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"=C:\Program Files\Microsoft Money\System\Money Express.exe []
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]
"autochk"=C:\DOCUME~1\HP_ADM~1\protect.dll [2009-05-24 23552]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE [2005-07-22 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
C:\Windows\Creator\Remind_XP.exe [2004-12-14 663552]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup
ChkDisk.dll
ChkDisk.lnk - C:\WINDOWS\system32\rundll32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\vuzagama.dll c:\windows\system32\ c:\windows\system32\rukabipe.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
WRLogonNTF.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\vuzagama.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0
"NoSetActiveDesktop"=0
"NoActiveDesktopChanges"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoSetActiveDesktop"=
"NoActiveDesktopChanges"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\DISC\DISCover.exe"="C:\Program Files\DISC\DISCover.exe:*:Enabled:DISCover Drop & Play System"
"C:\Program Files\DISC\DiscStreamHub.exe"="C:\Program Files\DISC\DiscStreamHub.exe:*:Enabled:DISCover Stream Hub"
"C:\Program Files\DISC\myFTP.exe"="C:\Program Files\DISC\myFTP.exe:*:Enabled:DISCover FTP"
"C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe"="C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe:*:Enabled:Updates from HP"
"C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe"="C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe:*:Enabled:Outbreak Warning Settings"
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe"="C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Disabled:AOL"
"C:\Program Files\Common Files\AOL\System Information\sinf.exe"="C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Disabled:AOL"
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe"="C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe:*:Disabled:AOL"
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe"="C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe:*:Disabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Disabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Disabled:AOL"
"C:\Program Files\Common Files\AOL\1164676876\EE\AOLServiceHost.exe"="C:\Program Files\Common Files\AOL\1164676876\EE\AOLServiceHost.exe:*:Disabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Disabled:AOL"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Disabled:AOL Application Loader"
"C:\Program Files\Common Files\AOL\1164676876\EE\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1164676876\EE\aolsoftware.exe:*:Disabled:AOL Shared Components"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Disabled:AOLTopSpeed"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Disabled:AOLTsMon"
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Disabled:Earthlink"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\WINDOWS\system32\frmwrk32.exe"="C:\WINDOWS\system32\frmwrk32.exe:*:Enabled:frmwrk32"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe"="C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe:*:Enabled:Updates from HP"

======List of files/folders created in the last 1 months======

2009-05-25 16:50:14 ----D---- C:\rsit
2009-05-24 18:28:27 ----D---- C:\Program Files\Avira
2009-05-24 18:28:27 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2009-05-24 18:18:43 ----ASH---- C:\WINDOWS\system32\autochk.dll
2009-05-24 18:18:42 ----A---- C:\WINDOWS\system32\lmn_setup.exe
2009-05-24 17:49:58 ----HD---- C:\WINDOWS\system32\GroupPolicy
2009-05-23 08:56:57 ----D---- C:\Avenger
2009-05-22 23:09:35 ----A---- C:\43214354.xxx.txt
2009-05-22 11:57:08 ----A---- C:\WINDOWS\system32\vp_setup.exe.bat
2009-05-22 11:57:04 ----A---- C:\WINDOWS\system32\vp_setup.exe
2009-05-21 21:34:58 ----A---- C:\WINDOWS\system32\RootkitReveal.txt
2009-05-21 21:12:18 ----D---- C:\RootKitRevealer
2009-05-18 20:42:30 ----A---- C:\WINDOWS\system32\glsetup.exe
2009-05-15 09:30:21 ----A---- C:\43214354.txt
2009-05-12 23:39:07 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes
2009-05-12 23:38:53 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-05-12 23:38:53 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-05-11 21:47:08 ----SHD---- C:\WINDOWS\CSC
2009-05-11 21:46:57 ----A---- C:\WINDOWS\ntbtlog.txt
2009-05-09 11:42:21 ----D---- C:\WINDOWS\Netscape
2009-05-04 22:27:31 ----D---- C:\WINDOWS\system32\NtmsData
2009-05-03 00:47:14 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-05-03 00:47:14 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-02 20:16:33 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\Netscape
2009-04-29 22:48:08 ----HDC---- C:\WINDOWS\$NtUninstallKB929399$
2009-04-28 07:08:32 ----N---- C:\WINDOWS\system32\spmsg.dll
2009-04-28 07:08:26 ----HDC---- C:\WINDOWS\$NtUninstallKB926239$
2009-04-28 07:07:33 ----HDC---- C:\WINDOWS\$NtUninstallWMFDist11$
2009-04-28 07:07:07 ----D---- C:\WINDOWS\system32\LogFiles
2009-04-28 07:06:59 ----HDC---- C:\WINDOWS\$NtUninstallWudf01000$

======List of files/folders modified in the last 1 months======

2009-05-25 16:50:39 ----D---- C:\Program Files\Trend Micro
2009-05-25 16:40:20 ----AD---- C:\WINDOWS
2009-05-25 10:43:49 ----D---- C:\WINDOWS\Temp
2009-05-25 10:43:49 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-25 10:43:44 ----D---- C:\WINDOWS\Registration
2009-05-24 21:34:54 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-24 21:16:21 ----D---- C:\temp
2009-05-24 18:59:29 ----D---- C:\WINDOWS\Prefetch
2009-05-24 18:50:04 ----D---- C:\Program Files\Mozilla Firefox
2009-05-24 18:28:33 ----HD---- C:\WINDOWS\inf
2009-05-24 18:28:33 ----D---- C:\WINDOWS\system32\drivers
2009-05-24 18:28:27 ----D---- C:\Program Files
2009-05-24 18:26:52 ----SHD---- C:\WINDOWS\Installer
2009-05-24 18:26:52 ----HD---- C:\Config.Msi
2009-05-24 18:26:51 ----D---- C:\WINDOWS\WinSxS
2009-05-24 18:26:50 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-05-24 18:18:43 ----D---- C:\WINDOWS\system32
2009-05-24 18:03:01 ----D---- C:\WINDOWS\security
2009-05-24 16:41:15 ----SHD---- C:\RECYCLER
2009-05-22 23:29:19 ----A---- C:\WINDOWS\WININIT.INI
2009-05-17 21:48:18 ----D---- C:\Program Files\Rhapsody
2009-05-17 18:50:59 ----D---- C:\WINDOWS\Minidump
2009-05-17 18:02:44 ----D---- C:\WINDOWS\Help
2009-05-15 10:33:55 ----A---- C:\WINDOWS\Ulead32.ini
2009-05-15 10:33:55 ----A---- C:\WINDOWS\Pex.INI
2009-05-15 09:30:30 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-05-10 22:30:36 ----D---- C:\WINDOWS\system32\FxsTmp
2009-05-10 17:28:15 ----SD---- C:\WINDOWS\Tasks
2009-05-09 01:44:40 ----A---- C:\WINDOWS\IE4 Error Log.txt
2009-05-06 22:26:49 ----D---- C:\Program Files\Bonjour
2009-05-04 22:43:15 ----D---- C:\WINDOWS\repair
2009-05-03 13:53:02 ----D---- C:\Program Files\iPod
2009-05-03 13:45:11 ----D---- C:\Program Files\Common Files\Services
2009-05-02 15:11:46 ----D---- C:\Program Files\Microsoft Silverlight
2009-05-01 21:18:54 ----D---- C:\WINDOWS\system32\CatRoot
2009-04-28 07:19:16 ----D---- C:\WINDOWS\AppPatch
2009-04-28 07:08:33 ----A---- C:\WINDOWS\imsins.BAK
2009-04-28 07:07:44 ----D---- C:\Program Files\Windows Media Player
2009-04-28 07:04:31 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\Real

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 36352]
R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-02-13 28376]
R1 tmtdi;Trend Micro TDI Driver; C:\WINDOWS\System32\Drivers\tmtdi.sys [2006-09-13 14976]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-09 12032]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-03-24 55640]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2005-10-05 12544]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R2 Tmfilter;Tmfilter; C:\WINDOWS\system32\drivers\TmXPFlt.sys [2006-09-13 201984]
R2 Tmpreflt;Tmpreflt; C:\WINDOWS\system32\drivers\Tmpreflt.sys [2006-09-13 20864]
R2 Vsapint;Vsapint; C:\WINDOWS\system32\drivers\Vsapint.sys [2006-09-13 929968]
R3 aracpi;aracpi; C:\WINDOWS\system32\DRIVERS\aracpi.sys [2005-08-02 22784]
R3 arkbcfltr;Microsoft PS2 Keyboard Filter; C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys [2005-08-02 5376]
R3 armoucfltr;Microsoft PS2 Mouse Filter; C:\WINDOWS\system32\DRIVERS\armoucfltr.sys [2005-08-02 4992]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-10 60800]
R3 ARPolicy;ARPolicy; C:\WINDOWS\system32\DRIVERS\arpolicy.sys [2005-08-02 10112]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-08 138752]
R3 HSX_DP;HSX_DP; C:\WINDOWS\system32\DRIVERS\HSX_DP.sys [2005-12-06 936448]
R3 HSXHWBS2;HSXHWBS2; C:\WINDOWS\system32\DRIVERS\HSXHWBS2.sys [2005-12-06 241664]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-06-14 4299264]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-10 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-05-09 3535680]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-03-03 34176]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-03-03 13056]
R3 Ps2;PS2; C:\WINDOWS\system32\DRIVERS\PS2.sys [2005-12-12 19072]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2005-03-31 27008]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-09 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-09 26496]
R3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
R3 winachsx;winachsx; C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys [2005-12-06 670208]
S2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys []
S3 arhidfltr;MS Ar HID Filter Driver; C:\WINDOWS\system32\DRIVERS\arhidfltr.sys [2005-08-02 19200]
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-02-18 30464]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-09 20480]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-04-01 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-03-02 185089]
R2 AOL ACS;AOL Connectivity Service; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [2006-10-23 46640]
R2 AOL TopSpeedMonitor;AOL TopSpeed Monitor; C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe [2004-10-15 100016]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-02-18 110592]
R2 ARSVC;ARSVC; C:\WINDOWS\arservice.exe [2005-08-02 58880]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2005-12-15 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-06-21 49152]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-05-09 131139]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2006-03-03 69632]
R2 Tmntsrv;Trend NT Realtime Service; C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe [2006-09-13 241737]
R2 tmproxy;Trend Micro Proxy Service; C:\Program Files\Trend Micro\Antivirus\tmproxy.exe [2006-09-13 204873]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-06-02 504104]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-04-13 33632]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-04-13 68952]
S3 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2004-08-09 267776]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2004-08-09 14336]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-09 14336]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.06 2009-05-25 16:50:40

======Uninstall list======

-->"C:\Program Files\HP Games\Airstrike 2 Gulf Thunder\Uninstall.exe"
-->"C:\Program Files\HP Games\Alien Shooter\Uninstall.exe"
-->"C:\Program Files\HP Games\Bejeweled 2 Deluxe\Uninstall.exe"
-->"C:\Program Files\HP Games\Bistro Stars\Uninstall.exe"
-->"C:\Program Files\HP Games\Blackhawk Striker 2\Uninstall.exe"
-->"C:\Program Files\HP Games\Blasterball 2 Remix\Uninstall.exe"
-->"C:\Program Files\HP Games\Blasterball 2 Revolution\Uninstall.exe"
-->"C:\Program Files\HP Games\Bookworm Deluxe\Uninstall.exe"
-->"C:\Program Files\HP Games\Bounce Symphony\Uninstall.exe"
-->"C:\Program Files\HP Games\Cake Mania\Uninstall.exe"
-->"C:\Program Files\HP Games\Chuzzle Deluxe\Uninstall.exe"
-->"C:\Program Files\HP Games\Diner Dash\Uninstall.exe"
-->"C:\Program Files\HP Games\Family Feud\Uninstall.exe"
-->"C:\Program Files\HP Games\FATE\Uninstall.exe"
-->"C:\Program Files\HP Games\Garden Dreams\Uninstall.exe"
-->"C:\Program Files\HP Games\Insaniquarium Deluxe\Uninstall.exe"
-->"C:\Program Files\HP Games\JEOPARDY\Uninstall.exe"
-->"C:\Program Files\HP Games\Jewel Quest\Uninstall.exe"
-->"C:\Program Files\HP Games\LEGO Builder Bots\Uninstall.exe"
-->"C:\Program Files\HP Games\Mah Jong Quest\Uninstall.exe"
-->"C:\Program Files\HP Games\Mystery Case Files\Uninstall.exe"
-->"C:\Program Files\HP Games\Penguins!\Uninstall.exe"
-->"C:\Program Files\HP Games\Polar Bowler\Uninstall.exe"
-->"C:\Program Files\HP Games\Polar Golfer\Uninstall.exe"
-->"C:\Program Files\HP Games\Ricochet Lost Worlds\Uninstall.exe"
-->"C:\Program Files\HP Games\SCRABBLE\Uninstall.exe"
-->"C:\Program Files\HP Games\Slingo Deluxe\Uninstall.exe"
-->"C:\Program Files\HP Games\Snowy Space Trip\Uninstall.exe"
-->"C:\Program Files\HP Games\Super Granny\Uninstall.exe"
-->"C:\Program Files\HP Games\Tradewinds\Uninstall.exe"
-->"C:\Program Files\HP Games\Wheel of Fortune\Uninstall.exe"
-->"C:\Program Files\WildTangent\Apps\My HP Game Console\Uninstall.exe"
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {F80239D8-7811-4D5E-B033-0D0BBFE32920}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
AOL Coach Version 2.0(Build:20041026.5 en)-->C:\Program Files\Common Files\AolCoach\en_en\AolCInUn.exe -lang=en_en -ext=UDP
AOL Deskbar-->"C:\Program Files\AOL Deskbar\UNWISE.EXE" /u "C:\Program Files\AOL Deskbar\INSTALL.LOG"
AOL Toolbar-->"C:\Program Files\AOL Toolbar\UNWISE.EXE" /u "C:\Program Files\AOL Toolbar\INSTALL.LOG"
AOL Uninstaller (Choose which Products to Remove)-->C:\Program Files\Common Files\AOL\uninstaller.exe
AOL You've Got Pictures Screensaver-->C:\Program Files\Common Files\AOL\Screensaver\uninst_ygpss.exe
Apple Mobile Device Support-->MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update-->MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
Bonjour-->MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Customer Experience Enhancement-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{23012310-3E05-46A5-88A9-C6CBCABCAC79} /l1033
Data Fax SoftModem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1\HXFSETUP.EXE -U -ITrx200Ck.inf
DISCover-->"C:\Program Files\DISC\uninstall.exe"
DivX-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
EPSON Printer Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
FoneSync-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\FoneSync\Uninst.isu" -c"C:\Program Files\FoneSync\UninstSupport.dll"
GemMaster Mystic-->"C:\Program Files\GemMaster\uninstallgemmaster.exe"
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 10 (KB910393)-->"C:\WINDOWS\$NtUninstallKB910393$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB893357)-->"C:\WINDOWS\$NtUninstallKB893357$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB906569)-->"C:\WINDOWS\$NtUninstallKB906569$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB912024)-->"C:\WINDOWS\$NtUninstallKB912024$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB935448)-->"C:\WINDOWS\$NtUninstallKB935448$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HouseCall 6.6-->"C:\Documents and Settings\HP_Administrator\Application Data\HouseCall 6.6\uninstaller.exe"
HP Boot Optimizer-->MsiExec.exe /X{1341D838-719C-4A05-B50F-49420CA1B4BB}
HP Customer Participation Program 7.0-->C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP DigitalMedia Archive-->MsiExec.exe /X{F80239D8-7811-4D5E-B033-0D0BBFE32920}
HP DVD Play 2.1-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\Setup.exe" -uninstall
HP Imaging Device Functions 7.0-->C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart and Deskjet 7.0 Software-->C:\Program Files\HP\Digital Imaging\{D2A3C9D5-0B56-4656-8277-7EDC65D62B6E}\setup\hpzscr01.exe -datfile hphscr12.dat -showdisconnect -forcereboot
HP Photosmart Essential-->MsiExec.exe /X{6994491D-D491-48F1-AE1F-E179C1FFFC2F}
HP Photosmart for Media Center PC-->c:\Program Files\HP\Digital Imaging\bin\mcpc\setupmcl.exe /u
HP Photosmart Premier Software 6.5-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Software Update-->MsiExec.exe /X{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}
HP Solution Center 7.0-->C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Web Helper-->regsvr32 /u /s "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll"
iTunes-->MsiExec.exe /I{9F70BF98-003C-491D-81FC-FF9792206AF0}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Macromedia Flash Player 8-->C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.0 Hotfix (KB887998)-->"C:\WINDOWS\$NtUninstallKB887998$\spuninst\spuninst.exe"
Microsoft .NET Framework 1.0 Hotfix (KB930494)-->"C:\WINDOWS\$NtUninstallKB930494$\spuninst\spuninst.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Money 2006-->"C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Office Standard Edition 2003 60 days trial-->c:\hp\bin\cloaker.exe c:\hp\bin\MSOffice\uninst.cmd
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Streets and Trips 2001-->MsiExec.exe /I{3D719053-5593-11D3-8F25-0060085C1758}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Word 2000 SR-1-->MsiExec.exe /I{00170409-78E1-11D2-B60F-006097C998E7}
Microsoft Works 2001 Setup Launcher-->C:\Program Files\Microsoft Works Suite 2001\Setup\Launcher.exe E:\
Microsoft Works 6.0-->MsiExec.exe /I{F8D0829C-9C6F-11D3-8080-00C04FA329AA}
Microsoft Works Suite Add-in for Microsoft Word-->MsiExec.exe /I{5F629FE8-5B4C-4863-937A-AFC2961F7DD3}
Microsoft Works-->MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Mozilla Firefox (1.5)-->C:\Program Files\Mozilla Firefox\uninstall\uninstall.exe /ua "1.5 (en-US)"
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
muvee autoProducer 5.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB4740B3-2530-452D-A825-F7AB246CA7DF}\setup.exe" -l0x9
muvee autoProducer unPlugged 2.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5FDD0538-C67A-4F67-B3F8-09D1AAF04D99}\setup.exe" -l0x9
My HP Games-->"C:\Program Files\HP Games\Uninstall.exe"
Netscape Browser (remove only)-->"C:\Program Files\Netscape\Netscape Browser\NSUninst.exe"
NVIDIA Drivers-->C:\WINDOWS\system32\nvunrm.exe UninstallGUI
Otto-->"C:\Program Files\EnglishOtto\uninstallotto.exe"
PC-Doctor 5 for Windows-->C:\Program Files\PC-Doctor 5 for Windows\uninst.exe
Pure Networks Port Magic-->C:\Program Files\Pure Networks\Port Magic\PortAOL.exe -Uninstall -ShowUI
Python 2.2 pywin32 extensions (build 203)-->"C:\Python22\Removepywin32.exe" -u "C:\Python22\pywin32-wininst.log"
Python 2.2.3-->C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
Quicken 2006-->MsiExec.exe /X{2818095F-FB6C-42C8-827E-0A406CC9AFF5}
QuickTime-->MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Remove WeatherBug Installer-->c:\hp\bin\cloaker.exe c:\hp\bin\commands.exe /c c:\hp\bin\wbug\clean.bat
Security Update for Microsoft .NET Framework 2.0 (KB928365)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {8056AC9E-49C5-4375-9ADE-B2F862C9DF51} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912812)-->"C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921503)-->"C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922760)-->"C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923694)-->"C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925454)-->"C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928090)-->"C:\WINDOWS\$NtUninstallKB928090$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929969)-->"C:\WINDOWS\$NtUninstallKB929969$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931768)-->"C:\WINDOWS\$NtUninstallKB931768$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933566)-->"C:\WINDOWS\$NtUninstallKB933566$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937143)-->"C:\WINDOWS\$NtUninstallKB937143$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937894)-->"C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938127)-->"C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938829)-->"C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Security Update for Windows XP (KB939653)-->"C:\WINDOWS\$NtUninstallKB939653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941693)-->"C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944338)-->"C:\WINDOWS\$NtUninstallKB944338$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948590)-->"C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Shockwave-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\INSTALL.LOG
Solitaire Master 5-->C:\PROGRA~1\eGames\SOLITA~1\UNWISE.EXE C:\PROGRA~1\eGames\SOLITA~1\INSTALL.LOG
Sonic Express Labeler-->MsiExec.exe /X{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus-->MsiExec.exe /X{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio-->MsiExec.exe /X{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy-->MsiExec.exe /X{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data-->MsiExec.exe /X{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager-->MsiExec.exe /X{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Trend Micro Antivirus-->MsiExec.exe /X{3ACF3AF1-8DBC-4EFB-AF03-37E212DDA83C}
Ulead Photo Explorer 7.0 Pro-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E38E1721-7FE7-11D4-A898-0000E83DCDA6}\setup.exe"
Update for Windows Media Player 10 (KB913800)-->"C:\WINDOWS\$NtUninstallKB913800$\spuninst\spuninst.exe"
Update for Windows Media Player 10 (KB926251)-->"C:\WINDOWS\$NtUninstallKB926251$\spuninst\spuninst.exe"
Update for Windows XP (KB912945)-->"C:\WINDOWS\$NtUninstallKB912945$\spuninst\spuninst.exe"
Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB929338)-->"C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB931836)-->"C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Update for Windows XP (KB933360)-->"C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB953356)-->"C:\WINDOWS\$NtUninstallKB953356$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Updates from HP (remove only)-->C:\WINDOWS\HPCPCUninstall-9972322\HPBWSetup.exe -appid 9972322 -uninstall
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Live OneCare safety scanner-->RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB883667-->C:\WINDOWS\$NtUninstallKB883667$\spuninst\spuninst.exe
Windows XP Hotfix - KB885250-->C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113-->C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB890175-->C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB892050-->"C:\WINDOWS\$NtUninstallKB892050$\spuninst\spuninst.exe"
Windows XP Hotfix - KB893066-->"C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB908246-->"C:\WINDOWS\$NtUninstallKB908246$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB912067-->"C:\WINDOWS\$NtUninstallKB912067$\spuninst\spuninst.exe"
Yahoo! Toolbar for Internet Explorer-->C:\PROGRA~1\Yahoo!\Common\unyt.exe

======Hosts File======

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com

======Security center information======

AV: AntiVir Desktop (outdated)

======System event log======

Computer Name: YOUR-4DACD0EA75
Event Code: 3023
Message: The Logical Disk Manager Service failed while registering for device handle notifications on device \\?\storage#removablemedia#7&33317da3&0&rm#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}. Win32 Error: 1381.

Record Number: 26874
Source Name: LDMS
Time Written: 20090517110319.000000-420
Event Type: error
User:

Computer Name: YOUR-4DACD0EA75
Event Code: 3023
Message: The Logical Disk Manager Service failed while registering for device handle notifications on device \\?\storage#removablemedia#7&2c889678&0&rm#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}. Win32 Error: 1381.

Record Number: 26873
Source Name: LDMS
Time Written: 20090517110319.000000-420
Event Type: error
User:

Computer Name: YOUR-4DACD0EA75
Event Code: 3023
Message: The Logical Disk Manager Service failed while registering for device handle notifications on device \\?\storage#removablemedia#7&2c40c824&0&rm#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}. Win32 Error: 1381.

Record Number: 26872
Source Name: LDMS
Time Written: 20090517110319.000000-420
Event Type: error
User:

Computer Name: YOUR-4DACD0EA75
Event Code: 3023
Message: The Logical Disk Manager Service failed while registering for device handle notifications on device \\?\storage#removablemedia#7&26ebca8a&0&rm#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}. Win32 Error: 1381.

Record Number: 26871
Source Name: LDMS
Time Written: 20090517110319.000000-420
Event Type: error
User:

Computer Name: YOUR-4DACD0EA75
Event Code: 1003
Message: Error code 1000007e, parameter1 c0000005, parameter2 805887b3, parameter3 f79c3bcc, parameter4 f79c38c8.

Record Number: 26863
Source Name: System Error
Time Written: 20090516110401.000000-420
Event Type: error
User:

=====Application event log=====

Computer Name: YOUR-4DACD0EA75
Event Code: 1517
Message: Windows saved user YOUR-4DACD0EA75\HP_Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 4598
Source Name: Userenv
Time Written: 20081126235457.000000-480
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: YOUR-4DACD0EA75
Event Code: 1517
Message: Windows saved user YOUR-4DACD0EA75\HP_Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 4588
Source Name: Userenv
Time Written: 20081126021028.000000-480
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: YOUR-4DACD0EA75
Event Code: 1517
Message: Windows saved user YOUR-4DACD0EA75\HP_Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 4577
Source Name: Userenv
Time Written: 20081125022435.000000-480
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: YOUR-4DACD0EA75
Event Code: 1517
Message: Windows saved user YOUR-4DACD0EA75\HP_Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 4548
Source Name: Userenv
Time Written: 20081123161504.000000-480
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: YOUR-4DACD0EA75
Event Code: 1517
Message: Windows saved user YOUR-4DACD0EA75\HP_Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 4518
Source Name: Userenv
Time Written: 20081121034953.000000-480
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Python22;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 75 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=4b02
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"SonicCentral"=c:\Program Files\Common Files\Sonic Shared\Sonic Central\
"CLASSPATH"=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip

-----------------EOF-----------------
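As an added example, not part of the original post and not code from the RSIT tool that produced the log above, the following Python parser reads the log format shown here (the ======Section====== headers, the Event Code / Source Name / Time Written records and the hosts entries) and turns it into a short triage summary; SAMPLE_LOG is a constructed log in the same layout, not the poster's real one.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of the RSIT log posted above; not the poster's real log.
SAMPLE_LOG = r"""======Hosts File======
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com

======Security center information======
AV: AntiVir Desktop (outdated)

======System event log======
Computer Name: EXAMPLE-PC
Event Code: 3023
Message: The Logical Disk Manager Service failed while registering. Win32 Error: 1381.

Source Name: LDMS
Time Written: 20090517110319.000000-420
Event Type: error
User:

=====Application event log=====
Computer Name: EXAMPLE-PC
Event Code: 1517
Message: Windows saved user EXAMPLE-PC\Admin registry while a service was still using it.

This is often caused by services running as a user account.

Source Name: Userenv
Time Written: 20081126235457.000000-480
Event Type: warning
User: NT AUTHORITY\SYSTEM
-----------------EOF-----------------
"""

SECTION_RE = re.compile(r"^=+(.+?)=+$")
FIELD_RE = re.compile(r"^(Computer Name|Event Code|Message|Record Number|Source Name|"
                      r"Time Written|Event Type|User):\s?(.*)$")
TIME_RE = re.compile(r"^(\d{14})\.\d+([+-]\d+)$")

def split_sections(text):
    """Map each ======Name====== header to the lines that follow it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1).strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def parse_time_written(value):
    """'20090517110319.000000-420' -> aware datetime; the suffix is the UTC offset in minutes."""
    m = TIME_RE.match(value.strip())
    if not m:
        raise ValueError("unrecognised Time Written value: %r" % value)
    naive = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    return naive.replace(tzinfo=timezone(timedelta(minutes=int(m.group(2)))))

def parse_events(lines):
    """Each record starts at 'Computer Name:'; a Message may run on over later lines."""
    events, record, key = [], None, None
    for line in lines:
        if line.startswith("Computer Name:"):
            if record:
                events.append(record)
            record, key = {}, None
        if record is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            key = m.group(1)
            record[key] = m.group(2).strip()
        elif key == "Message" and line.strip():
            record["Message"] += " " + line.strip()
    if record:
        events.append(record)
    return events

def parse_hosts(lines):
    """Return (address, hostname) pairs, skipping blanks and comments."""
    return [(p[0], p[1]) for p in (l.split() for l in lines)
            if len(p) >= 2 and not p[0].startswith("#")]

def triage(text):
    """Pull out what a helper checks first: AV state, hosts overrides, noisy event sources."""
    s = split_sections(text)
    events = parse_events(s.get("System event log", [])) + parse_events(s.get("Application event log", []))
    hosts = parse_hosts(s.get("Hosts File", []))
    return {
        "av_outdated": any("outdated" in l.lower() for l in s.get("Security center information", [])),
        # Names pinned to 127.0.0.1: Spybot immunisation looks like this, but the same trick cuts off AV update sites.
        "hosts_sinkholed": [h for ip, h in hosts if ip == "127.0.0.1" and h != "localhost"],
        "event_counts": Counter((e["Source Name"], e["Event Code"], e["Event Type"]) for e in events),
        "latest_event": max((parse_time_written(e["Time Written"]) for e in events), default=None),
    }
```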

#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:11:43 PM

Posted 26 May 2009 - 04:34 AM

Hi Matthew,

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.



We will begin with ComboFix.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Next

We need to scan for Rootkits with GMER

1. Please download GMER from one of the following locations, and save it to your desktop: This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
2. Close any and all open programs, as this process may crash your computer.
3. Double click Posted Image or Posted Image on your desktop.
4. Allow the gmer.sys driver to load if asked.
5. You may see this window. If you do, click No.
Posted Image
6. Click on Posted Image and wait for the scan to finish.
7. If you see a rootkit warning window, click OK.
8. Push Posted Image and save the logfile to your desktop.
9. Copy and Paste the contents of that file in your next post.


Then please post back with the Gmer logfile and ComboFix.txt.

Thanks

Gary

Edited by syler, 26 May 2009 - 04:35 AM.



#5 m850t

m850t
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:43 PM

Posted 28 May 2009 - 11:16 AM

Gary,

I've given long consideration to your warnings. I spent a lot of time at DSL reports, and links from there. I've a question that I never really saw addressed. If your transactions are conducted as a "secure" link via HTTPS, and you store no passwords or other sensitive information directly on the computer, how great is the risk? As far as the computer being trustworthy, I suspect that even if I did a clean install, at some point no matter what security I put into place I could still be breached by a determined soul, and some other backdoor could be installed without my knowledge.

Given the nature of the rootkit, and its low threat, we will proceed. Combofix and GMER logs attached.

I look forward to your reply on additional action to take and any comments,

Matthew

ComboFix 09-05-26.02 - HP_Administrator 05/26/2009 22:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.620 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\HP_Administrator\protect.dll
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\LocalService\protect.dll
c:\windows\IE4 Error Log.txt
c:\windows\ld08.exe
c:\windows\pp10.exe
c:\windows\system32\autochk.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\drivers\ovfsthxenkcjsappqtxeidowooudbdjuhrlkxx.sys
c:\windows\system32\glsetup.exe
c:\windows\system32\lmn_setup.exe
c:\windows\system32\ovfsthcohblvftgvtrwycakddgcbgbwnomagsj.dll
c:\windows\system32\ovfsthewamhcmkeodgdvkjuockiaonvdproocb.dll
c:\windows\system32\ovfsthjgnijyrgsklnddmoyrpmrexyrqmlsfuo.dat
c:\windows\system32\ovfsthvjjftaythhnlgwuoyvbyetqghbaoscmn.dll
c:\windows\system32\ovfsthyiitukdchtrxunybmawrhednkvxcxfgg.dat
c:\windows\system32\SYSDLL.exe
c:\windows\system32\vp_setup.exe
c:\windows\system32\vp_setup.exe.bat
C:\xcrashdump.dat
D:\Autorun.inf
D:\Desktop.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfstheinpavibtkyiyekkmlxjklbrrpapkmkv


((((((((((((((((((((((((( Files Created from 2009-04-27 to 2009-05-27 )))))))))))))))))))))))))))))))
.

2009-05-27 04:12 . 2009-05-27 04:12 2 ---h--w c:\windows\sonce122730.dat
2009-05-27 04:12 . 2009-05-27 04:12 -------- d-----w c:\windows\system32\sysloc
2009-05-25 23:50 . 2009-05-27 04:02 -------- d-----w C:\rsit
2009-05-25 01:28 . 2009-03-30 17:33 96104 ----a-w c:\windows\system32\drivers\avipbb.sys
2009-05-25 01:28 . 2009-03-24 23:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-25 01:28 . 2009-02-13 19:29 22360 ----a-w c:\windows\system32\drivers\avgntmgr.sys
2009-05-25 01:28 . 2009-02-13 19:17 45416 ----a-w c:\windows\system32\drivers\avgntdd.sys
2009-05-25 01:28 . 2009-05-25 01:35 -------- d-----w c:\program files\Avira
2009-05-25 01:28 . 2009-05-25 01:28 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-05-25 00:49 . 2009-05-25 00:49 -------- d--h--w c:\windows\system32\GroupPolicy
2009-05-24 23:59 . 2009-05-24 23:59 -------- d-----w c:\documents and settings\Administrator\Application Data\HPQ
2009-05-24 23:53 . 2009-05-24 23:53 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-05-24 23:34 . 2009-05-24 23:34 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-22 18:52 . 2009-05-22 18:52 -------- d-s---w c:\documents and settings\Administrator\UserData
2009-05-22 04:12 . 2009-05-22 04:18 -------- d-----w C:\RootKitRevealer
2009-05-13 06:39 . 2009-05-13 06:39 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-05-13 06:38 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-13 06:38 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-13 06:38 . 2009-05-13 06:39 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-13 06:38 . 2009-05-13 06:38 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-09 18:42 . 2009-05-09 18:42 -------- d-----w c:\windows\Netscape
2009-05-05 05:27 . 2009-05-18 01:39 -------- d-----w c:\windows\system32\NtmsData
2009-05-03 07:47 . 2009-05-03 07:50 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-03 07:47 . 2009-05-03 07:50 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-03 03:16 . 2009-05-03 03:16 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\Netscape
2009-04-28 14:07 . 2009-04-28 14:07 -------- d-----w c:\windows\system32\drivers\UMDF
2009-04-28 14:07 . 2009-04-28 14:07 -------- d-----w c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-25 23:50 . 2006-11-28 01:16 -------- d-----w c:\program files\Trend Micro
2009-05-18 04:48 . 2006-08-01 02:19 -------- d-----w c:\program files\Rhapsody
2009-05-07 05:26 . 2008-07-04 17:09 -------- d-----w c:\program files\Bonjour
2009-05-03 20:53 . 2008-07-04 17:09 -------- d-----w c:\program files\iPod
2009-05-02 22:11 . 2008-08-09 17:16 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-09 05:15 . 2006-11-28 00:54 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\U3
2009-03-30 03:27 . 2009-03-30 03:23 -------- d-----w c:\program files\Windows Live Safety Center
2009-03-06 14:44 . 2004-08-10 04:00 283648 ------w c:\windows\system32\pdh.dll
2008-09-23 05:09 . 2008-09-23 05:09 61038 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-09-23 05:09 . 2008-09-23 05:09 49256 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-09-23 05:09 . 2008-09-23 05:09 166000 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"pccguide.exe"="c:\program files\Trend Micro\Antivirus\pccguide.exe" [2006-09-14 950337]
"PCClient.exe"="c:\program files\Trend Micro\Antivirus\PCClient.exe" [2006-09-14 634949]
"TM Outbreak Agent"="c:\program files\Trend Micro\Antivirus\TMOAgent.exe" [2006-09-14 290816]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-08-08 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2005-08-18 749568]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-08 28739]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-06-14 16239616]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-09 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SYSDLL"="SYSDLL" [X]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-8-8 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"prnet"="c:\windows\system32\prnet.tmp"
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe"
"HostManager"=c:\program files\Common Files\AOL\1164676876\ee\AOLSoftware.exe
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"prnet"="c:\windows\system32\prnet.tmp"
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Trend Micro\\Antivirus\\TMOAgent.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1164676876\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1164676876\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/24/2009 6:28 PM 108289]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [9/13/2006 10:00 PM 201984]
R2 Tmntsrv;Trend NT Realtime Service;c:\program files\Trend Micro\Antivirus\Tmntsrv.exe [9/13/2006 10:00 PM 241737]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/13/2006 10:00 PM 20864]
R2 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Antivirus\tmproxy.exe [9/13/2006 10:00 PM 204873]
.
Contents of the 'Scheduled Tasks' folder

2009-05-11 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-05-03 22:31]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MoneyAgent - c:\program files\Microsoft Money\System\Money Express.exe
HKLM-Run-PCDrProfiler - (no file)
HKU-Default-Run-autochk - c:\docume~1\LOCALS~1\protect.dll
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
Trusted Zone: google.com\www
Trusted Zone: live.com\login
Trusted Zone: live.com\onecare
Trusted Zone: msn.com\g
Trusted Zone: msn.com\moneycentral
Trusted Zone: trendmicro.com\housecall65
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\7o90wn9u.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-26 22:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3171748865-3456956919-3650734605-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1608)
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-05-27 22:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-27 05:54

Pre-Run: 220,696,969,216 bytes free
Post-Run: 220,732,678,144 bytes free

241 --- E O F --- 2009-05-27 05:51
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-27 00:32:45
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT F7C11E56 ZwCreateKey
SSDT F7C11E4C ZwCreateThread
SSDT F7C11E5B ZwDeleteKey
SSDT F7C11E65 ZwDeleteValueKey
SSDT F7C11E6A ZwLoadKey
SSDT F7C11E38 ZwOpenProcess
SSDT F7C11E3D ZwOpenThread
SSDT F7C11E74 ZwReplaceKey
SSDT F7C11E6F ZwRestoreKey
SSDT F7C11E60 ZwSetValueKey
SSDT F7C11E47 ZwTerminateProcess

Code \??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\psapi.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\psapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs Tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat Tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)

---- EOF - GMER 1.0.15 ----
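A helper reading the GMER log above usually asks two things first: do the eleven SSDT hooks come from a single driver, and are the "cannot find the file" kernel entries just leftovers of the tools that were run? The Python script below is an added example, not code from this thread or from GMER, and answers both over a constructed excerpt of the log. It assumes that Combo-Fix.sys, catchme.sys and PROCEXP90.SYS belong to ComboFix, GMER's catchme engine and Process Explorer respectively, and it treats the 4 KiB clustering window as a heuristic.

```python
import math
import re
from functools import reduce

# Constructed excerpt of a GMER log, modelled on the one posted above in this thread.
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

SSDT F7C11E56 ZwCreateKey
SSDT F7C11E4C ZwCreateThread
SSDT F7C11E5B ZwDeleteKey
SSDT F7C11E65 ZwDeleteValueKey
SSDT F7C11E6A ZwLoadKey
SSDT F7C11E38 ZwOpenProcess
SSDT F7C11E3D ZwOpenThread
SSDT F7C11E74 ZwReplaceKey
SSDT F7C11E6F ZwRestoreKey
SSDT F7C11E60 ZwSetValueKey
SSDT F7C11E47 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1540] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
"""

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)$")
MISSING_DRV_RE = re.compile(r"^\?\s+(\S+)\s+The system cannot find the file specified\.\s*!$")
ATTRIBUTED_RE = re.compile(r"\([^()]*/[^()]*\)$")   # trailing "(Description/Vendor)" printed by GMER

# Assumed: drivers the cleanup tools themselves load from a temp file and delete again
# (ComboFix, GMER's catchme engine, Process Explorer); names taken from this thread's logs.
KNOWN_TOOL_DRIVERS = {"combo-fix.sys", "catchme.sys", "procexp90.sys"}

def parse_ssdt(text):
    """Return [(address or None, module or None, function)] for every SSDT line."""
    hooks = []
    for line in (l.strip() for l in text.splitlines()):
        if m := SSDT_RE.match(line):
            target, func = m.groups()
            if re.fullmatch(r"[0-9A-Fa-f]{8}", target):   # bare address: GMER could not attribute it
                hooks.append((int(target, 16), None, func))
            else:                                          # GMER printed the owning module's path
                hooks.append((None, target, func))
    return hooks

def cluster_hooks(hooks, window=0x1000):
    """Group unattributed hook addresses lying within `window` bytes of one another.

    One driver's hooks land in one small region, and the gcd of the gaps between them
    is the size of its per-function stub; 5 bytes fits a table of x86 `jmp rel32` stubs.
    """
    clusters = []
    for addr, func in sorted((a, f) for a, _, f in hooks if a is not None):
        if clusters and addr - clusters[-1]["addrs"][-1] <= window:
            clusters[-1]["addrs"].append(addr)
            clusters[-1]["funcs"].append(func)
        else:
            clusters.append({"addrs": [addr], "funcs": [func]})
    for c in clusters:
        gaps = [b - a for a, b in zip(c["addrs"], c["addrs"][1:])]
        c.update(lo=c["addrs"][0], hi=c["addrs"][-1], stride=reduce(math.gcd, gaps, 0))
    return clusters

def classify_missing_drivers(text):
    """Split '? <driver> The system cannot find the file specified. !' lines into
    known tool leftovers and drivers that need a closer look."""
    result = {"tool": [], "unknown": []}
    for line in (l.strip() for l in text.splitlines()):
        if m := MISSING_DRV_RE.match(line):
            base = m.group(1).rsplit("\\", 1)[-1]
            result["tool" if base.lower() in KNOWN_TOOL_DRIVERS else "unknown"].append(base)
    return result

def unattributed_hooks(text):
    """IAT/EAT and AttachedDevice lines GMER could not tie to a '(Description/Vendor)'."""
    return [line.strip() for line in text.splitlines()
            if line.startswith(("IAT ", "EAT ", "AttachedDevice "))
            and not ATTRIBUTED_RE.search(line.strip())]

def report(text):
    """Short summary a helper could paste back into the thread."""
    clusters = cluster_hooks(parse_ssdt(text))
    parts = [f"{len(c['funcs'])} SSDT hooks in {c['lo']:08X}-{c['hi']:08X} (stride {c['stride']}): "
             + ", ".join(c["funcs"]) for c in clusters]
    drv = classify_missing_drivers(text)
    parts.append(f"missing-driver entries: tool={drv['tool']} unknown={drv['unknown']}")
    parts.append(f"unattributed user-mode/device hooks: {len(unattributed_hooks(text))}")
    return "\n".join(parts)
```

On this log all eleven hooks sit in a 60-byte range at a 5-byte stride, the shape of one driver's trampoline table; GMER printed bare addresses, so the log itself does not say which driver. Process and thread open, process terminate and registry write calls are exactly what security products hook for self-protection, so the sensible next check is matching that address range against the loaded driver list rather than assuming a rootkit. The IAT entries in AOLAcsd.exe all resolve to a vendor-attributed AOL diagnostics DLL and the AttachedDevice entries to Trend Micro, Promise and Microsoft filters, which is why they raise nothing here.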

#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:11:43 PM

Posted 28 May 2009 - 03:06 PM

Hi Matthew,

Once you get one of these types of infections nothing can really be considered "secure"; that is why I gave you the warning about it. You had some nasty infections on your computer, so I could not guarantee you it would be 100% secure after we have finished cleaning it. Whether you want to format is up to you.

You are right that even if you did format and start again you are still at risk of being infected, although the amount of risk is really down to you. If you have good security, surf safely, avoid P2P, etc. then you will dramatically reduce the risk of this happening again.


I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AntiVir or Trend Micro.

Additional instructions can be found here if needed



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\sonce122730.dat
c:\windows\system32\prnet.tmp

Folder::
c:\windows\system32\sysloc

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SYSDLL"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"prnet"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"prnet"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"=-
"ProxyOverride"=-

Firefox::
FireFox -: Profile - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\7o90wn9u.default\
FireFox -: prefs.js - network.proxy.http - 
FireFox -: prefs.js - network.proxy.http_port -

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Edited by syler, 28 May 2009 - 03:06 PM.

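The CFScript in the reply above removes exactly what the first ComboFix log exposed: an autorun whose target is missing (ComboFix marks it [X]), a prnet.tmp entry under the disabled run- keys, and a per-user IE proxy plus matching Firefox prefs pointing at localhost:7171. The Python script below is an added example, not code from this thread or from ComboFix; it automates that triage over a constructed excerpt of the log and emits a script in the same File::/Registry::/Firefox:: layout shown above. The .tmp/.dat heuristic, the reading of ComboFix's "u" prefix as the per-user hive, and the Internet Settings key path are assumptions called out in the comments. Review the output before dragging it onto ComboFix: a localhost proxy can also be a legitimate local filter or debugging proxy.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of a ComboFix log, modelled on the one posted earlier in this
# thread; only the lines this triage reads are included.
SAMPLE_LOG = r"""
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SYSDLL"="SYSDLL" [X]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"prnet"="c:\windows\system32\prnet.tmp"

uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\7o90wn9u.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
"""

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Assumed: the per-user key behind ComboFix's "uInternet Settings" lines ('u' = user hive).
IE_SETTINGS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
PATH_RE = re.compile(r'[a-z]:\\[^"\[]+?\.(tmp|dat|dll|exe)\b', re.I)
IE_PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (.+)$")
FF_PROFILE_RE = re.compile(r"^FF - ProfilePath - (.+)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (network\.proxy\.\w+) - (.*)$")

@dataclass
class Findings:
    files: list = field(default_factory=list)          # paths for the File:: section
    registry: dict = field(default_factory=dict)       # key -> {value name: right-hand side}
    firefox_profile: str = ""
    firefox_prefs: list = field(default_factory=list)  # prefs.js entries to blank
    notes: list = field(default_factory=list)          # why each item was flagged

    def reg(self, key, name, rhs, why):
        self.registry.setdefault(key, {})[name] = rhs
        self.notes.append(f"{key} -> {name}: {why}")

def proxy_hosts(spec):  # 'http=localhost:7171;https=proxy:8080' -> ['localhost', 'proxy']
    hosts = []
    for part in spec.split(";"):
        part = part.strip().split("=", 1)[-1]
        hosts.append((part.rsplit(":", 1)[0] if ":" in part else part).lower())
    return hosts

def triage(log_text):
    f, key, ff = Findings(), None, {}
    for line in (l.strip() for l in log_text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif (m := VALUE_RE.match(line)) and key:
            name, data = m.groups()
            if data.endswith("[X]"):                       # ComboFix marks a missing target with [X]
                f.reg(key, name, "-", "autorun whose target file does not exist")
            elif "currentversion\\run" in key.lower():     # covers Run and the disabled Run- keys
                pm = PATH_RE.search(data)
                if pm and pm.group(1).lower() in ("tmp", "dat"):  # heuristic: code run from a .tmp/.dat
                    f.reg(key, name, "-", "autorun executes a .tmp/.dat file")
                    f.files.append(pm.group(0))
        elif m := IE_PROXY_RE.match(line):
            if any(h in LOCAL_HOSTS for h in proxy_hosts(m.group(1))):
                f.reg(IE_SETTINGS_KEY, "ProxyServer", "-", f"IE traffic proxied through {m.group(1)}")
                f.reg(IE_SETTINGS_KEY, "ProxyOverride", "-", "cleared together with ProxyServer")
        elif m := FF_PROFILE_RE.match(line):
            f.firefox_profile = m.group(1)
        elif m := FF_PREF_RE.match(line):
            ff[m.group(1)] = m.group(2).strip()
    if ff.get("network.proxy.http", "").lower() in LOCAL_HOSTS:
        # Firefox honours a manual proxy only when network.proxy.type is 1; the stale
        # localhost entry is removed regardless, as the helper's script in the thread does.
        f.firefox_prefs += ["network.proxy.http", "network.proxy.http_port"]
        f.notes.append(f"Firefox proxy {ff['network.proxy.http']} (network.proxy.type={ff.get('network.proxy.type')})")
    return f

def build_cfscript(f):
    """Render findings in the File::/Registry::/Firefox:: layout of ComboFix's CFScript.txt."""
    out = []
    if f.files:
        out += ["File::", *f.files, ""]
    if f.registry:
        out.append("Registry::")
        for key, values in f.registry.items():
            out += [f"[{key}]", *(f'"{name}"={rhs}' for name, rhs in values.items())]
        out.append("")
    if f.firefox_prefs:
        out.append("Firefox::")
        if f.firefox_profile:
            out.append(f"FireFox -: Profile - {f.firefox_profile}")
        out += [f"FireFox -: prefs.js - {pref} - " for pref in f.firefox_prefs]
    return "\n".join(out)
```

Running `build_cfscript(triage(SAMPLE_LOG))` reproduces the File::, Registry:: and Firefox:: entries of the script above (minus the NoSetActiveDesktop policy reset, which is a judgment call rather than a pattern); `Findings.notes` records why each line was emitted, which is what a helper should check before the user drags the file onto ComboFix.exe.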


#7 m850t

m850t
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:43 PM

Posted 29 May 2009 - 03:29 AM

Gary,

I don't know exactly how nasty the infections were, but I will say that they were extremely obnoxious and persistent.

I hear that. I know exactly where I got hit. Pirate Bay. I was just cruzin' thru the neighborhood as it had been in the news lately. No P2P file shares, no downloads, just clicked a few links "in the cloud", and wham. Entirely my fault. It didn't help that I had been extremely lax about tightening up this current system. It was a hand-me-down from my mother-in-law after my wife and I upgraded the M-I-L to a laptop with wireless broadband. My wife shipped the old system back home, and I installed it "as is", replacing a dial-up WIN95 system. I did nothing to tighten up the gaping holes in its setup, which I knew existed. After getting infected, I would have done a format and fresh install, but somehow during the move from the M-I-L to the S-I-L, all the software including the XP SP2 disc went missing. Hence the attempted cleaning. Enuf.

Aware of the conflict in running concurrent AV programs. Trend Micro was not active. AntiVir was downloaded to cross-check the Kaspersky online scanner. Trend Micro had been uninstalled.

Attached is the Combofix log. Good catch on the prnet. It was part of the original infection on 5/2/08. I'm really taking a shine to ComboFix.

What is next on the action list?

Best regards,
Matthew



ComboFix 09-05-26.02 - HP_Administrator 05/28/2009 22:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.626 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\sonce122730.dat"
"c:\windows\system32\prnet.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\sonce122730.dat
c:\windows\system32\sysloc
c:\windows\system32\sysloc\sysloc.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-29 )))))))))))))))))))))))))))))))
.

2009-05-25 23:50 . 2009-05-27 04:02 -------- d-----w C:\rsit
2009-05-25 01:28 . 2009-03-30 17:33 96104 ----a-w c:\windows\system32\drivers\avipbb.sys
2009-05-25 01:28 . 2009-03-24 23:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-25 01:28 . 2009-02-13 19:29 22360 ----a-w c:\windows\system32\drivers\avgntmgr.sys
2009-05-25 01:28 . 2009-02-13 19:17 45416 ----a-w c:\windows\system32\drivers\avgntdd.sys
2009-05-25 01:28 . 2009-05-25 01:35 -------- d-----w c:\program files\Avira
2009-05-25 01:28 . 2009-05-25 01:28 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-05-25 00:49 . 2009-05-25 00:49 -------- d--h--w c:\windows\system32\GroupPolicy
2009-05-24 23:59 . 2009-05-24 23:59 -------- d-----w c:\documents and settings\Administrator\Application Data\HPQ
2009-05-24 23:53 . 2009-05-24 23:53 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-05-24 23:34 . 2009-05-24 23:34 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-22 18:52 . 2009-05-22 18:52 -------- d-s---w c:\documents and settings\Administrator\UserData
2009-05-22 04:12 . 2009-05-22 04:18 -------- d-----w C:\RootKitRevealer
2009-05-13 06:39 . 2009-05-13 06:39 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-05-13 06:38 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-13 06:38 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-13 06:38 . 2009-05-13 06:39 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-13 06:38 . 2009-05-13 06:38 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-09 18:42 . 2009-05-09 18:42 -------- d-----w c:\windows\Netscape
2009-05-05 05:27 . 2009-05-18 01:39 -------- d-----w c:\windows\system32\NtmsData
2009-05-03 07:47 . 2009-05-03 07:50 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-03 07:47 . 2009-05-03 07:50 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-03 03:16 . 2009-05-03 03:16 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\Netscape

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-25 23:50 . 2006-11-28 01:16 -------- d-----w c:\program files\Trend Micro
2009-05-18 04:48 . 2006-08-01 02:19 -------- d-----w c:\program files\Rhapsody
2009-05-07 05:26 . 2008-07-04 17:09 -------- d-----w c:\program files\Bonjour
2009-05-03 20:53 . 2008-07-04 17:09 -------- d-----w c:\program files\iPod
2009-05-02 22:11 . 2008-08-09 17:16 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-09 05:15 . 2006-11-28 00:54 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\U3
2009-03-06 14:44 . 2004-08-10 04:00 283648 ------w c:\windows\system32\pdh.dll
2008-09-23 05:09 . 2008-09-23 05:09 61038 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-09-23 05:09 . 2008-09-23 05:09 49256 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-09-23 05:09 . 2008-09-23 05:09 166000 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-27_05.49.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-29 04:03 . 2009-05-07 07:16 24699336 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-08-08 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2005-08-18 749568]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-08 28739]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-06-14 16239616]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-09 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-8-8 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe"
"HostManager"=c:\program files\Common Files\AOL\1164676876\ee\AOLSoftware.exe
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1164676876\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1164676876\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/24/2009 6:28 PM 108289]
.
Contents of the 'Scheduled Tasks' folder

2009-05-11 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-05-03 22:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
Trusted Zone: google.com\www
Trusted Zone: live.com\login
Trusted Zone: live.com\onecare
Trusted Zone: msn.com\g
Trusted Zone: msn.com\moneycentral
Trusted Zone: trendmicro.com\housecall65
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\7o90wn9u.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-28 22:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3171748865-3456956919-3650734605-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-05-29 22:27
ComboFix-quarantined-files.txt 2009-05-29 05:27
ComboFix2.txt 2009-05-27 05:54

Pre-Run: 220,493,242,368 bytes free
Post-Run: 220,555,472,896 bytes free

169 --- E O F --- 2009-05-29 04:05

#8 syler (Malware Response Team)

Posted 29 May 2009 - 05:53 AM

Hi,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Firefox::
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\7o90wn9u.default\
FF - prefs.js: network.proxy.http - 
FF - prefs.js: network.proxy.http_port -

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next

You don't have the latest service pack for Windows. The service packs patch security vulnerabilities found in Windows. You should
keep these up to date to keep you protected against malware that can take advantage of these security vulnerabilities to attack
your system. The latest service pack is SP3. Click on Start >> All programs >> Windows update, then select Express
and allow it to install all updates including SP3.
Note: If it prompts you to install an ActiveX control allow it to install it.

Next

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 13...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

J2SE Runtime Environment 5.0 Update 6

Additional instructions can be found here if needed

Next

Please download: DelDomains.inf
Locate DelDomains.inf right-click and select: Install
Note: you will not see any on-screen action ...
This will remove all entries in the Trusted, Restricted, and Enhanced Security Configuration Zones.
Note: once you do this, any previous restricted zone hacks (spywareblaster, ie-spyad, etc) will need to be reapplied.


Now please post back with Combofix.txt and a HijackThis log. Also let
me know how the computer is running and if there are any more problems.

Thanks

Edited by syler, 29 May 2009 - 05:53 AM.
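The CFScript in this post (and the one in the earlier post) blanks network.proxy.http and network.proxy.http_port, which the ComboFix log showed pointing Firefox at a proxy on localhost:7171. The Python below is an added example, not code from the thread, from ComboFix or from Mozilla: it parses a prefs.js offline, flags proxy settings that route the browser through the local machine, and writes a copy with those entries removed. The sample prefs.js is constructed; the network.proxy.* names are real Firefox preferences.

```python
"""Offline audit of a Firefox prefs.js for proxy hijack indicators.

Added example, not from the thread, ComboFix or Mozilla. It does in plain
Python what the CFScript does with ComboFix: find network.proxy.* entries
that point the browser at the local machine and strip them from prefs.js.
Run it against a copy of prefs.js with Firefox closed.
"""
import re
import sys

# Constructed sample modelled on the ComboFix log in this thread, where the
# infection had left Firefox proxying through localhost:7171.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.search.selectedEngine", "Google");
user_pref("browser.startup.homepage", "http://www.yahoo.com/");
user_pref("network.proxy.http", "localhost");
user_pref("network.proxy.http_port", 7171);
user_pref("network.proxy.type", 4);
user_pref("signon.prefillForms", true);
"""

# One prefs.js entry has the form: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
# network.proxy.type: 0 direct, 1 manual, 2 PAC URL, 4 auto-detect (WPAD),
# 5 system settings. A home machine normally sits at 0 or 5 (or unset).
BENIGN_PROXY_TYPES = {None, 0, 5}
PROXY_PROTOS = ("http", "ssl", "socks")


def parse_value(raw):
    """Turn the JS literal inside a user_pref() call into a Python value."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    try:
        return int(raw)
    except ValueError:
        return raw  # leave anything unexpected untouched rather than guess


def parse_prefs(text):
    """Map pref name -> value for every user_pref() line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def find_proxy_indicators(prefs):
    """Return (pref_name, reason) pairs for proxy settings worth a look."""
    findings = []
    for proto in PROXY_PROTOS:
        host = prefs.get(f"network.proxy.{proto}")
        port = prefs.get(f"network.proxy.{proto}_port")
        if isinstance(host, str) and host.lower() in LOOPBACK_HOSTS:
            # A loopback proxy means a process on this machine sees every
            # request. Fine for a local filtering proxy you installed
            # yourself; otherwise it is the classic redirect hijack.
            findings.append((f"network.proxy.{proto}",
                             f"proxy points at loopback {host}:{port}"))
    ptype = prefs.get("network.proxy.type")
    if ptype not in BENIGN_PROXY_TYPES:
        findings.append(("network.proxy.type",
                         f"proxy mode {ptype} is not direct/system"))
    pac = prefs.get("network.proxy.autoconfig_url")
    if pac:
        findings.append(("network.proxy.autoconfig_url",
                         f"PAC script configured: {pac}"))
    return findings


def clean_prefs(text):
    """Strip loopback proxy host/port prefs, as the CFScript does.

    network.proxy.type and any PAC URL are reported but left for the
    operator to judge. A pref missing from prefs.js falls back to the
    built-in default. Returns (cleaned_text, removed_pref_names).
    """
    hosts = {f"network.proxy.{p}" for p in PROXY_PROTOS}
    doomed = set()
    for name, _reason in find_proxy_indicators(parse_prefs(text)):
        if name in hosts:
            doomed.update({name, name + "_port"})
    kept, removed = [], []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) in doomed:
            removed.append(m.group(1))
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    # usage: prefs_audit.py [prefs.js] [cleaned-output.js]
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PREFS_JS
    for name, reason in find_proxy_indicators(parse_prefs(src)):
        print(f"[!] {name}: {reason}")
    cleaned, removed = clean_prefs(src)
    print(f"removed {len(removed)} pref(s): {', '.join(removed) or 'none'}")
    if len(sys.argv) > 2:
        with open(sys.argv[2], "w", encoding="utf-8") as out:
            out.write(cleaned)
```

A loopback proxy on an unfamiliar port is worth confirming with netstat before deleting anything, since some local filtering tools legitimately listen the same way.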



#9 m850t (Topic Starter)

Posted 29 May 2009 - 11:57 PM

Gary,

Computer appears to be back to nominal. Last combofix script finally killed the app browser redirects when using google.

Re: SP3 - done. I've been using automatic updates on a regular basis. Are SP releases not part of the automatic update process?

Re: JAVA - done

Re: DelDomains - problems with the DelDomains instructions. I finally opened the link, selected all, saved the file on the desktop, and then installed. The script did not remove the entries in the restricted zones. The registry still has the entries in the "escape domains".

HJT - from RSIT tool run

I think I see light at the end of the tunnel!

Thanks,

Matthew


ComboFix 09-05-26.02 - HP_Administrator 05/29/2009 12:13.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.583 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-29 )))))))))))))))))))))))))))))))
.

2009-05-29 17:15 . 2009-05-29 17:15 -------- d-----w c:\windows\LastGood
2009-05-25 23:50 . 2009-05-27 04:02 -------- d-----w C:\rsit
2009-05-25 01:28 . 2009-03-30 17:33 96104 ----a-w c:\windows\system32\drivers\avipbb.sys
2009-05-25 01:28 . 2009-03-24 23:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-25 01:28 . 2009-02-13 19:29 22360 ----a-w c:\windows\system32\drivers\avgntmgr.sys
2009-05-25 01:28 . 2009-02-13 19:17 45416 ----a-w c:\windows\system32\drivers\avgntdd.sys
2009-05-25 01:28 . 2009-05-25 01:35 -------- d-----w c:\program files\Avira
2009-05-25 01:28 . 2009-05-25 01:28 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-05-25 00:49 . 2009-05-25 00:49 -------- d--h--w c:\windows\system32\GroupPolicy
2009-05-24 23:59 . 2009-05-24 23:59 -------- d-----w c:\documents and settings\Administrator\Application Data\HPQ
2009-05-24 23:53 . 2009-05-24 23:53 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-05-24 23:34 . 2009-05-24 23:34 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-22 18:52 . 2009-05-22 18:52 -------- d-s---w c:\documents and settings\Administrator\UserData
2009-05-22 04:12 . 2009-05-22 04:18 -------- d-----w C:\RootKitRevealer
2009-05-13 06:39 . 2009-05-13 06:39 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-05-13 06:38 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-13 06:38 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-13 06:38 . 2009-05-13 06:39 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-13 06:38 . 2009-05-13 06:38 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-09 18:42 . 2009-05-09 18:42 -------- d-----w c:\windows\Netscape
2009-05-05 05:27 . 2009-05-18 01:39 -------- d-----w c:\windows\system32\NtmsData
2009-05-03 07:47 . 2009-05-03 07:50 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-03 07:47 . 2009-05-03 07:50 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-03 03:16 . 2009-05-03 03:16 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\Netscape

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-29 17:18 . 2009-03-30 03:23 -------- d-----w c:\program files\Windows Live Safety Center
2009-05-25 23:50 . 2006-11-28 01:16 -------- d-----w c:\program files\Trend Micro
2009-05-18 04:48 . 2006-08-01 02:19 -------- d-----w c:\program files\Rhapsody
2009-05-07 05:26 . 2008-07-04 17:09 -------- d-----w c:\program files\Bonjour
2009-05-03 20:53 . 2008-07-04 17:09 -------- d-----w c:\program files\iPod
2009-05-02 22:11 . 2008-08-09 17:16 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-09 05:15 . 2006-11-28 00:54 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\U3
2009-03-06 14:44 . 2004-08-10 04:00 283648 ------w c:\windows\system32\pdh.dll
2008-09-23 05:09 . 2008-09-23 05:09 61038 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-09-23 05:09 . 2008-09-23 05:09 49256 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-09-23 05:09 . 2008-09-23 05:09 166000 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-27_05.49.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-29 04:03 . 2009-05-07 07:16 24699336 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-08-08 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2005-08-18 749568]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-08 28739]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-06-14 16239616]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-09 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-8-8 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe"
"HostManager"=c:\program files\Common Files\AOL\1164676876\ee\AOLSoftware.exe
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1164676876\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1164676876\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/24/2009 6:28 PM 108289]
.
Contents of the 'Scheduled Tasks' folder

2009-05-11 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-05-03 22:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
Trusted Zone: google.com\www
Trusted Zone: live.com\login
Trusted Zone: live.com\onecare
Trusted Zone: msn.com\g
Trusted Zone: msn.com\moneycentral
Trusted Zone: trendmicro.com\housecall65
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\7o90wn9u.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-29 12:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3171748865-3456956919-3650734605-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2740)
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-29 12:15
ComboFix-quarantined-files.txt 2009-05-29 19:15
ComboFix2.txt 2009-05-29 05:27
ComboFix3.txt 2009-05-27 05:54

Pre-Run: 220,509,843,456 bytes free
Post-Run: 220,540,366,848 bytes free

169 --- E O F --- 2009-05-29 04:05
Logfile of random's system information tool 1.06 (written by random/random)
Run by HP_Administrator at 2009-05-29 21:52:21
Microsoft Windows XP Professional Service Pack 3
System drive C: has 208 GB (91%) free of 229 GB
Total RAM: 958 MB (56% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:27 PM, on 5/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DISC\DISCover.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\HP_Administrator\Desktop\RSIT.exe
C:\Program Files\trend micro\HP_Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] "rundll32.exe" ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [WorksFUD] "C:\Program Files\Microsoft Works\wkfud.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] "C:\Program Files\Microsoft Works\WksSb.exe" /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Microsoft Works\WkDetect.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8249 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-05-29 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-05-29 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{4982D40A-C53B-4615-B15B-B5B5E98D167C} - AOL Toolbar - C:\Program Files\AOL Toolbar\toolbar.dll [2004-10-21 459968]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-09-29 67584]
"ftutil2"=ftutil2.dll,SetWriteCacheMode []
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-06-13 16239616]
"AlwaysReady Power Message APP"=C:\WINDOWS\ARPWRMSG.EXE [2005-08-02 77312]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-05-09 7311360]
"DMAScheduler"=c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe [2006-04-13 90112]
"HPBootOp"=C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe [2006-02-15 249856]
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe [2000-08-08 24576]
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe [2005-08-18 749568]
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe [2000-08-08 28739]
"nwiz"=nwiz.exe /install []
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-05-27 413696]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-05-29 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE [2005-07-22 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
C:\Windows\Creator\Remind_XP.exe [2004-12-14 663552]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
WRLogonNTF.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDriveAutoRun"=
"NoDrives"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\DISC\DISCover.exe"="C:\Program Files\DISC\DISCover.exe:*:Enabled:DISCover Drop & Play System"
"C:\Program Files\DISC\DiscStreamHub.exe"="C:\Program Files\DISC\DiscStreamHub.exe:*:Enabled:DISCover Stream Hub"
"C:\Program Files\DISC\myFTP.exe"="C:\Program Files\DISC\myFTP.exe:*:Enabled:DISCover FTP"
"C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe"="C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe:*:Enabled:Updates from HP"
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe"="C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Disabled:AOL"
"C:\Program Files\Common Files\AOL\System Information\sinf.exe"="C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Disabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Disabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Disabled:AOL"
"C:\Program Files\Common Files\AOL\1164676876\EE\AOLServiceHost.exe"="C:\Program Files\Common Files\AOL\1164676876\EE\AOLServiceHost.exe:*:Disabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Disabled:AOL"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Disabled:AOL Application Loader"
"C:\Program Files\Common Files\AOL\1164676876\EE\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1164676876\EE\aolsoftware.exe:*:Disabled:AOL Shared Components"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Disabled:AOLTopSpeed"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Disabled:AOLTsMon"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe"="C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe:*:Enabled:Updates from HP"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-05-29 15:11:12 ----A---- C:\WINDOWS\system32\javaws.exe
2009-05-29 15:11:12 ----A---- C:\WINDOWS\system32\javaw.exe
2009-05-29 15:11:12 ----A---- C:\WINDOWS\system32\java.exe
2009-05-29 15:11:12 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-05-29 14:08:51 ----D---- C:\WINDOWS\system32\XPSViewer
2009-05-29 14:08:48 ----D---- C:\Program Files\MSBuild
2009-05-29 14:08:44 ----D---- C:\Program Files\Reference Assemblies
2009-05-29 14:08:19 ----N---- C:\WINDOWS\system32\xpssvcs.dll
2009-05-29 14:08:19 ----N---- C:\WINDOWS\system32\xpsshhdr.dll
2009-05-29 14:08:19 ----N---- C:\WINDOWS\system32\prntvpt.dll
2009-05-29 14:08:19 ----D---- C:\acfc125de74a0e3a60c73f566e
2009-05-29 14:05:26 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-05-29 14:05:21 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2009-05-29 14:05:12 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2009-05-29 13:38:57 ----SHD---- C:\RECYCLER
2009-05-29 13:18:05 ----D---- C:\WINDOWS\Prefetch
2009-05-29 13:16:15 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-05-29 13:16:09 ----HDC---- C:\WINDOWS\$NtUninstallKB963027$
2009-05-29 13:16:03 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-05-29 13:15:58 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-05-29 13:15:53 ----HDC---- C:\WINDOWS\$NtUninstallKB960714$
2009-05-29 13:15:48 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-05-29 13:15:43 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-05-29 13:15:38 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-05-29 13:15:33 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-05-29 13:15:29 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-05-29 13:15:23 ----HDC---- C:\WINDOWS\$NtUninstallKB958215$
2009-05-29 13:15:18 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-05-29 13:15:14 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2009-05-29 13:15:10 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-05-29 13:15:04 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-05-29 13:15:00 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-05-29 13:14:51 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-05-29 13:14:43 ----HDC---- C:\WINDOWS\$NtUninstallKB956390$
2009-05-29 13:14:37 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-05-29 13:14:32 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-05-29 13:14:28 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2009-05-29 13:14:21 ----HDC---- C:\WINDOWS\$NtUninstallKB953838$
2009-05-29 13:14:15 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-05-29 13:14:11 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-05-29 13:14:06 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-05-29 13:14:00 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-05-29 13:13:56 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2009-05-29 13:13:52 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2009-05-29 13:13:46 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-05-29 13:13:42 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-05-29 13:13:37 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-05-29 13:13:31 ----HDC---- C:\WINDOWS\$NtUninstallKB950759$
2009-05-29 13:13:26 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-05-29 13:13:22 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2009-05-29 13:13:16 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-05-29 13:09:23 ----D---- C:\WINDOWS\system32\en-us
2009-05-29 13:09:22 ----D---- C:\WINDOWS\system32\scripting
2009-05-29 13:09:22 ----D---- C:\WINDOWS\system32\en
2009-05-29 13:09:22 ----D---- C:\WINDOWS\l2schemas
2009-05-29 13:09:21 ----D---- C:\WINDOWS\system32\bits
2009-05-29 13:07:51 ----D---- C:\WINDOWS\ServicePackFiles
2009-05-29 13:05:57 ----D---- C:\WINDOWS\network diagnostic
2009-05-29 13:02:14 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-05-29 12:28:33 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2009-05-29 12:15:53 ----D---- C:\WINDOWS\temp
2009-05-29 12:15:52 ----A---- C:\ComboFix.txt
2009-05-28 21:03:28 ----A---- C:\WINDOWS\system32\MRT.exe
2009-05-26 21:37:08 ----A---- C:\WINDOWS\zip.exe
2009-05-26 21:37:08 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-05-26 21:37:08 ----A---- C:\WINDOWS\SWSC.exe
2009-05-26 21:37:08 ----A---- C:\WINDOWS\SWREG.exe
2009-05-26 21:37:08 ----A---- C:\WINDOWS\sed.exe
2009-05-26 21:37:08 ----A---- C:\WINDOWS\PEV.exe
2009-05-26 21:37:08 ----A---- C:\WINDOWS\NIRCMD.exe
2009-05-26 21:37:08 ----A---- C:\WINDOWS\grep.exe
2009-05-26 21:36:53 ----D---- C:\WINDOWS\ERDNT
2009-05-26 21:36:45 ----D---- C:\Qoobox
2009-05-25 16:50:14 ----D---- C:\rsit
2009-05-24 18:28:27 ----D---- C:\Program Files\Avira
2009-05-24 18:28:27 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2009-05-24 17:49:58 ----HD---- C:\WINDOWS\system32\GroupPolicy
2009-05-21 21:34:58 ----A---- C:\WINDOWS\system32\RootkitReveal.txt
2009-05-21 21:12:18 ----D---- C:\RootKitRevealer
2009-05-12 23:39:07 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes
2009-05-12 23:38:53 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-05-12 23:38:53 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-05-11 21:47:08 ----SHD---- C:\WINDOWS\CSC
2009-05-11 21:46:57 ----A---- C:\WINDOWS\ntbtlog.txt
2009-05-09 11:42:21 ----D---- C:\WINDOWS\Netscape
2009-05-04 22:27:31 ----D---- C:\WINDOWS\system32\NtmsData
2009-05-03 00:47:14 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-05-03 00:47:14 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-02 20:16:33 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\Netscape

======List of files/folders modified in the last 1 months======

2009-05-29 21:52:22 ----D---- C:\Program Files\Trend Micro
2009-05-29 21:34:30 ----AD---- C:\WINDOWS
2009-05-29 20:34:27 ----D---- C:\Program Files\Mozilla Firefox
2009-05-29 20:33:33 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-29 20:33:31 ----D---- C:\WINDOWS\Registration
2009-05-29 17:03:53 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-29 15:11:27 ----SHD---- C:\WINDOWS\Installer
2009-05-29 15:11:14 ----HD---- C:\Config.Msi
2009-05-29 15:11:12 ----D---- C:\WINDOWS\system32
2009-05-29 15:11:01 ----D---- C:\Program Files\Java
2009-05-29 15:05:06 ----D---- C:\Program Files\Common Files
2009-05-29 14:26:13 ----SD---- C:\Documents and Settings\HP_Administrator\Application Data\Microsoft
2009-05-29 14:14:05 ----D---- C:\WINDOWS\Microsoft.NET
2009-05-29 14:14:04 ----RSD---- C:\WINDOWS\assembly
2009-05-29 14:11:42 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-05-29 14:11:29 ----D---- C:\WINDOWS\WinSxS
2009-05-29 14:08:48 ----D---- C:\Program Files
2009-05-29 14:08:46 ----RSD---- C:\WINDOWS\Fonts
2009-05-29 14:08:33 ----HD---- C:\WINDOWS\inf
2009-05-29 14:08:32 ----D---- C:\WINDOWS\system32\spool
2009-05-29 14:08:28 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-05-29 14:07:03 ----D---- C:\Program Files\Internet Explorer
2009-05-29 14:05:27 ----A---- C:\WINDOWS\imsins.BAK
2009-05-29 13:57:14 ----HD---- C:\WINDOWS\$hf_mig$
2009-05-29 13:20:28 ----D---- C:\WINDOWS\system32\CatRoot
2009-05-29 13:19:14 ----A---- C:\WINDOWS\OEWABLog.txt
2009-05-29 13:18:48 ----A---- C:\WINDOWS\setuplog.txt
2009-05-29 13:17:42 ----D---- C:\WINDOWS\system32\Setup
2009-05-29 13:17:42 ----D---- C:\WINDOWS\AppPatch
2009-05-29 13:17:41 ----D---- C:\WINDOWS\system32\wbem
2009-05-29 13:17:41 ----D---- C:\Program Files\Common Files\System
2009-05-29 13:17:35 ----D---- C:\WINDOWS\system32\drivers
2009-05-29 13:13:28 ----D---- C:\Program Files\Messenger
2009-05-29 13:13:02 ----D---- C:\WINDOWS\security
2009-05-29 13:09:31 ----D---- C:\WINDOWS\system32\inetsrv
2009-05-29 13:09:31 ----D---- C:\WINDOWS\ime
2009-05-29 13:09:31 ----D---- C:\WINDOWS\Help
2009-05-29 13:09:23 ----D---- C:\WINDOWS\system32\usmt
2009-05-29 13:09:21 ----D---- C:\WINDOWS\PeerNet
2009-05-29 13:09:21 ----D---- C:\Program Files\Movie Maker
2009-05-29 13:07:42 ----D---- C:\WINDOWS\system32\Restore
2009-05-29 13:07:42 ----D---- C:\WINDOWS\system32\npp
2009-05-29 13:07:42 ----D---- C:\WINDOWS\mui
2009-05-29 13:07:41 ----D---- C:\WINDOWS\msagent
2009-05-29 13:07:40 ----D---- C:\WINDOWS\srchasst
2009-05-29 13:07:40 ----D---- C:\Program Files\NetMeeting
2009-05-29 13:07:38 ----D---- C:\WINDOWS\system32\Com
2009-05-29 13:07:36 ----D---- C:\Program Files\Windows NT
2009-05-29 13:07:36 ----D---- C:\Program Files\Outlook Express
2009-05-29 13:07:21 ----D---- C:\WINDOWS\system32\oobe
2009-05-29 13:07:19 ----D---- C:\WINDOWS\system
2009-05-29 13:04:46 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-05-29 13:02:12 ----AD---- C:\WINDOWS\ehome
2009-05-29 12:22:47 ----D---- C:\WINDOWS\SoftwareDistribution
2009-05-29 12:14:23 ----A---- C:\WINDOWS\system.ini
2009-05-29 10:18:25 ----D---- C:\Program Files\Windows Live Safety Center
2009-05-26 22:48:17 ----D---- C:\WINDOWS\system32\config
2009-05-26 21:11:11 ----A---- C:\WINDOWS\Ulead32.ini
2009-05-26 21:11:11 ----A---- C:\WINDOWS\Pex.INI
2009-05-25 23:08:33 ----A---- C:\WINDOWS\orun32.ini
2009-05-24 21:16:21 ----D---- C:\temp
2009-05-24 18:26:50 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-05-22 23:29:19 ----A---- C:\WINDOWS\WININIT.INI
2009-05-17 21:48:18 ----D---- C:\Program Files\Rhapsody
2009-05-17 18:50:59 ----D---- C:\WINDOWS\Minidump
2009-05-10 22:30:36 ----D---- C:\WINDOWS\system32\FxsTmp
2009-05-10 17:28:15 ----SD---- C:\WINDOWS\Tasks
2009-05-06 22:26:49 ----D---- C:\Program Files\Bonjour
2009-05-04 22:43:15 ----D---- C:\WINDOWS\repair
2009-05-03 13:53:02 ----D---- C:\Program Files\iPod
2009-05-03 13:45:11 ----D---- C:\Program Files\Common Files\Services
2009-05-02 15:11:46 ----D---- C:\Program Files\Microsoft Silverlight

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 36352]
R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-02-13 28376]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-09 12032]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-03-24 55640]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2005-10-05 12544]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 aracpi;aracpi; C:\WINDOWS\system32\DRIVERS\aracpi.sys [2005-08-02 22784]
R3 arkbcfltr;Microsoft PS2 Keyboard Filter; C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys [2005-08-02 5376]
R3 armoucfltr;Microsoft PS2 Mouse Filter; C:\WINDOWS\system32\DRIVERS\armoucfltr.sys [2005-08-02 4992]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ARPolicy;ARPolicy; C:\WINDOWS\system32\DRIVERS\arpolicy.sys [2005-08-02 10112]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HSX_DP;HSX_DP; C:\WINDOWS\system32\DRIVERS\HSX_DP.sys [2005-12-06 936448]
R3 HSXHWBS2;HSXHWBS2; C:\WINDOWS\system32\DRIVERS\HSXHWBS2.sys [2005-12-06 241664]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-06-14 4299264]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-05-09 3535680]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-03-03 34176]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-03-03 13056]
R3 Ps2;PS2; C:\WINDOWS\system32\DRIVERS\PS2.sys [2005-12-12 19072]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
R3 winachsx;winachsx; C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys [2005-12-06 670208]
S2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys []
S3 arhidfltr;MS Ar HID Filter Driver; C:\WINDOWS\system32\DRIVERS\arhidfltr.sys [2005-08-02 19200]
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-02-18 30464]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-04-01 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-03-02 185089]
R2 AOL ACS;AOL Connectivity Service; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [2006-10-23 46640]
R2 AOL TopSpeedMonitor;AOL TopSpeed Monitor; C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe [2004-10-15 100016]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-02-18 110592]
R2 ARSVC;ARSVC; C:\WINDOWS\arservice.exe [2005-08-02 58880]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2005-12-15 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-05-29 152984]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-06-21 49152]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-05-09 131139]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2006-03-03 69632]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-06-02 504104]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

#10 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:11:43 PM

Posted 30 May 2009 - 01:26 PM

Hi Matthew,

It looks like we are getting there, just a couple of things to clean up. Can you try DelDomains
again please? I'm not sure why it hasn't worked.

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now.

Click "Start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the entries and selecting "Remove":

Remove WeatherBug Installer
Viewpoint Media Player


Additional instructions can be found here if needed.

Next

Right-click here and select Save Link As (in IE it's "Save Target As").
Save it as DelDomains.inf and in "Save as type" select All Files, then save it to your desktop.
Locate DelDomains.inf, right-click it and select: Install
Note: you will not see any on-screen action ...
This will remove all entries in the Trusted, Restricted, and Enhanced Security Configuration Zones.
Note: once you do this, any previous restricted zone hacks (SpywareBlaster, IE-SPYAD, etc.) will need to be reapplied.

Next

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Then post back with the Kaspersky results and a fresh Rsit log.

Thanks

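An audit script to go with the DelDomains step, added here as an example (it is not part of the thread and is not the DelDomains.inf file itself): it lists every host assigned to an Internet Explorer security zone in both hives, so you can check whether the Trusted, Restricted and Enhanced Security Configuration lists were really emptied. It assumes PowerShell and the standard ZoneMap registry layout; the function name Get-ZoneAssignments is this example's own.

```powershell
# Added audit script (example code, not part of this thread or of DelDomains.inf).
# Lists every Internet Explorer zone assignment so leftover Trusted/Restricted
# entries are visible before and after the cleanup. Read-only: it changes nothing.

$zoneNames = @{
    0 = 'My Computer'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

# Domains holds the per-user (HKCU) and machine-wide (HKLM) lists;
# EscDomains is the Enhanced Security Configuration list (mostly on servers).
$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains'
)

# Hypothetical helper name (this example's own): walks one or more ZoneMap roots
# and emits one object per (host, scheme) assignment.
function Get-ZoneAssignments {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        $list = if ($root -like '*\EscDomains') { 'EscDomains' } else { 'Domains' }
        Get-ChildItem -Path $root -Recurse | ForEach-Object {
            $key = $_
            # Layout is Domains\example.com\www: the host is stored as nested keys
            # in reverse order, so rebuild "www.example.com" from the key path.
            $rel = $key.Name -replace '^.*\\ZoneMap\\(Esc)?Domains\\', ''
            $segments = @($rel -split '\\')
            [array]::Reverse($segments)
            $hostName = $segments -join '.'
            # Each key carries one DWORD per scheme ('http', 'https', '*') whose
            # value is the zone number.
            foreach ($scheme in $key.GetValueNames()) {
                $zoneId = [int]$key.GetValue($scheme)
                $zone = if ($zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { "unknown ($zoneId)" }
                New-Object PSObject -Property @{
                    Hive   = $root.Substring(0, 4)   # HKCU or HKLM
                    List   = $list
                    Host   = $hostName
                    Scheme = $scheme
                    ZoneId = $zoneId
                    Zone   = $zone
                }
            }
        }
    }
}

$assignments = @(Get-ZoneAssignments -Roots $roots)

if ($assignments.Count -eq 0) {
    'No domains are assigned to any zone; the lists DelDomains.inf clears are already empty.'
} else {
    # An unexpected host in Trusted sites (zone 2) deserves a close look, because
    # that zone gets weaker security settings than the Internet zone. Restricted
    # sites (zone 4) entries are usually a block list (SpywareBlaster, IE-SPYAD);
    # they are cleared by DelDomains.inf as well and would need re-applying.
    $assignments | Sort-Object ZoneId, Host |
        Format-Table Hive, List, Zone, Scheme, Host -AutoSize | Out-String
    $assignments | Group-Object Zone |
        ForEach-Object { '{0,-18}{1,6} entries' -f $_.Name, $_.Count }
}
```

Run it once before installing DelDomains.inf and once after; a second run that still lists Trusted or Restricted entries shows the .inf did not apply.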


#11 m850t

  • Topic Starter
  • Members
  • 6 posts
  • Local time:05:43 PM

Posted 31 May 2009 - 05:25 AM

Hey Gary,

Hope your week went well.

Removed WeatherBug Installer
Removed Viewpoint Media Player
CPU not rebooted after deinstall.

Deleted my copy of DelDomains, recopied and rerun. No change.

KASPERSKY and RSIT log attached.

I'll be cleaning out the AOL stuff, other unused game/media programs, and anything else I can strip away after we are finished. Like I mentioned, it's an inherited system and it is bloated.

Have a good weekend.

Best regards,
Matthew

KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, May 31, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, May 31, 2009 08:20:15
Records in database: 2283340


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics
Files scanned 113346
Threat name 2
Infected objects 8
Suspicious objects 0
Duration of the scan 02:15:46

File name Threat name Threats count
C:\Program Files\AOL Toolbar\toolbar.dll Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

C:\Program Files\Common Files\aolback\Comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP320\A0041763.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2

D:\I386\APPS\APP02906\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2

D:\I386\APPS\APP02906\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2

The selected area was scanned.

Logfile of random's system information tool 1.06 (written by random/random)
Run by HP_Administrator at 2009-05-31 03:04:11
Microsoft Windows XP Professional Service Pack 3
System drive C: has 208 GB (91%) free of 229 GB
Total RAM: 958 MB (57% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:04:18 AM, on 5/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Documents and Settings\HP_Administrator\Desktop\RSIT.exe
C:\Program Files\trend micro\HP_Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] "rundll32.exe" ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [WorksFUD] "C:\Program Files\Microsoft Works\wkfud.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] "C:\Program Files\Microsoft Works\WksSb.exe" /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Microsoft Works\WkDetect.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8189 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-05-29 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-05-29 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{4982D40A-C53B-4615-B15B-B5B5E98D167C} - AOL Toolbar - C:\Program Files\AOL Toolbar\toolbar.dll [2004-10-21 459968]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-09-29 67584]
"ftutil2"=ftutil2.dll,SetWriteCacheMode []
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-06-13 16239616]
"AlwaysReady Power Message APP"=C:\WINDOWS\ARPWRMSG.EXE [2005-08-02 77312]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-05-09 7311360]
"DMAScheduler"=c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe [2006-04-13 90112]
"HPBootOp"=C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe [2006-02-15 249856]
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe [2000-08-08 24576]
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe [2005-08-18 749568]
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe [2000-08-08 28739]
"nwiz"=nwiz.exe /install []
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-05-27 413696]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-05-29 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE [2005-07-22 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
C:\Windows\Creator\Remind_XP.exe [2004-12-14 663552]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
WRLogonNTF.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDriveAutoRun"=
"NoDrives"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\DISC\DISCover.exe"="C:\Program Files\DISC\DISCover.exe:*:Enabled:DISCover Drop & Play System"
"C:\Program Files\DISC\DiscStreamHub.exe"="C:\Program Files\DISC\DiscStreamHub.exe:*:Enabled:DISCover Stream Hub"
"C:\Program Files\DISC\myFTP.exe"="C:\Program Files\DISC\myFTP.exe:*:Enabled:DISCover FTP"
"C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe"="C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe:*:Enabled:Updates from HP"
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe"="C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Disabled:AOL"
"C:\Program Files\Common Files\AOL\System Information\sinf.exe"="C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Disabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Disabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Disabled:AOL"
"C:\Program Files\Common Files\AOL\1164676876\EE\AOLServiceHost.exe"="C:\Program Files\Common Files\AOL\1164676876\EE\AOLServiceHost.exe:*:Disabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Disabled:AOL"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Disabled:AOL Application Loader"
"C:\Program Files\Common Files\AOL\1164676876\EE\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1164676876\EE\aolsoftware.exe:*:Disabled:AOL Shared Components"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Disabled:AOLTopSpeed"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Disabled:AOLTsMon"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe"="C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe:*:Enabled:Updates from HP"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-05-29 15:11:12 ----A---- C:\WINDOWS\system32\javaws.exe
2009-05-29 15:11:12 ----A---- C:\WINDOWS\system32\javaw.exe
2009-05-29 15:11:12 ----A---- C:\WINDOWS\system32\java.exe
2009-05-29 15:11:12 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-05-29 14:08:51 ----D---- C:\WINDOWS\system32\XPSViewer
2009-05-29 14:08:48 ----D---- C:\Program Files\MSBuild
2009-05-29 14:08:44 ----D---- C:\Program Files\Reference Assemblies
2009-05-29 14:08:19 ----N---- C:\WINDOWS\system32\xpssvcs.dll
2009-05-29 14:08:19 ----N---- C:\WINDOWS\system32\xpsshhdr.dll
2009-05-29 14:08:19 ----N---- C:\WINDOWS\system32\prntvpt.dll
2009-05-29 14:08:19 ----D---- C:\acfc125de74a0e3a60c73f566e
2009-05-29 14:05:26 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-05-29 14:05:21 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2009-05-29 14:05:12 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2009-05-29 13:38:57 ----SHD---- C:\RECYCLER
2009-05-29 13:18:05 ----D---- C:\WINDOWS\Prefetch
2009-05-29 13:16:15 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-05-29 13:16:09 ----HDC---- C:\WINDOWS\$NtUninstallKB963027$
2009-05-29 13:16:03 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-05-29 13:15:58 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-05-29 13:15:53 ----HDC---- C:\WINDOWS\$NtUninstallKB960714$
2009-05-29 13:15:48 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-05-29 13:15:43 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-05-29 13:15:38 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-05-29 13:15:33 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-05-29 13:15:29 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-05-29 13:15:23 ----HDC---- C:\WINDOWS\$NtUninstallKB958215$
2009-05-29 13:15:18 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-05-29 13:15:14 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2009-05-29 13:15:10 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-05-29 13:15:04 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-05-29 13:15:00 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-05-29 13:14:51 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-05-29 13:14:43 ----HDC---- C:\WINDOWS\$NtUninstallKB956390$
2009-05-29 13:14:37 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-05-29 13:14:32 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-05-29 13:14:28 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2009-05-29 13:14:21 ----HDC---- C:\WINDOWS\$NtUninstallKB953838$
2009-05-29 13:14:15 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-05-29 13:14:11 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-05-29 13:14:06 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-05-29 13:14:00 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-05-29 13:13:56 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2009-05-29 13:13:52 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2009-05-29 13:13:46 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-05-29 13:13:42 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-05-29 13:13:37 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-05-29 13:13:31 ----HDC---- C:\WINDOWS\$NtUninstallKB950759$
2009-05-29 13:13:26 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-05-29 13:13:22 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2009-05-29 13:13:16 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-05-29 13:09:23 ----D---- C:\WINDOWS\system32\en-us
2009-05-29 13:09:22 ----D---- C:\WINDOWS\system32\scripting
2009-05-29 13:09:22 ----D---- C:\WINDOWS\system32\en
2009-05-29 13:09:22 ----D---- C:\WINDOWS\l2schemas
2009-05-29 13:09:21 ----D---- C:\WINDOWS\system32\bits
2009-05-29 13:07:51 ----D---- C:\WINDOWS\ServicePackFiles
2009-05-29 13:05:57 ----D---- C:\WINDOWS\network diagnostic
2009-05-29 13:02:14 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-05-29 12:28:33 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2009-05-29 12:15:53 ----D---- C:\WINDOWS\temp
2009-05-29 12:15:52 ----A---- C:\ComboFix.txt
2009-05-28 21:03:28 ----A---- C:\WINDOWS\system32\MRT.exe
2009-05-26 21:37:08 ----A---- C:\WINDOWS\zip.exe
2009-05-26 21:37:08 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-05-26 21:37:08 ----A---- C:\WINDOWS\SWSC.exe
2009-05-26 21:37:08 ----A---- C:\WINDOWS\SWREG.exe
2009-05-26 21:37:08 ----A---- C:\WINDOWS\sed.exe
2009-05-26 21:37:08 ----A---- C:\WINDOWS\PEV.exe
2009-05-26 21:37:08 ----A---- C:\WINDOWS\NIRCMD.exe
2009-05-26 21:37:08 ----A---- C:\WINDOWS\grep.exe
2009-05-26 21:36:53 ----D---- C:\WINDOWS\ERDNT
2009-05-26 21:36:45 ----D---- C:\Qoobox
2009-05-25 16:50:14 ----D---- C:\rsit
2009-05-24 18:28:27 ----D---- C:\Program Files\Avira
2009-05-24 18:28:27 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2009-05-24 17:49:58 ----HD---- C:\WINDOWS\system32\GroupPolicy
2009-05-21 21:34:58 ----A---- C:\WINDOWS\system32\RootkitReveal.txt
2009-05-21 21:12:18 ----D---- C:\RootKitRevealer
2009-05-12 23:39:07 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes
2009-05-12 23:38:53 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-05-12 23:38:53 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-05-11 21:47:08 ----SHD---- C:\WINDOWS\CSC
2009-05-11 21:46:57 ----A---- C:\WINDOWS\ntbtlog.txt
2009-05-09 11:42:21 ----D---- C:\WINDOWS\Netscape
2009-05-04 22:27:31 ----D---- C:\WINDOWS\system32\NtmsData
2009-05-03 00:47:14 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-05-03 00:47:14 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-02 20:16:33 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\Netscape

======List of files/folders modified in the last 1 months======

2009-05-31 03:04:12 ----D---- C:\Program Files\Trend Micro
2009-05-31 02:35:16 ----AD---- C:\WINDOWS
2009-05-30 23:07:11 ----D---- C:\Program Files\Common Files\AOL
2009-05-30 23:04:19 ----D---- C:\Program Files
2009-05-30 22:46:27 ----D---- C:\Program Files\Mozilla Firefox
2009-05-30 18:02:16 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-30 18:02:12 ----D---- C:\WINDOWS\Registration
2009-05-29 23:28:09 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-29 22:44:44 ----D---- C:\WINDOWS\Microsoft.NET
2009-05-29 22:44:43 ----RSD---- C:\WINDOWS\assembly
2009-05-29 15:11:27 ----SHD---- C:\WINDOWS\Installer
2009-05-29 15:11:14 ----HD---- C:\Config.Msi
2009-05-29 15:11:12 ----D---- C:\WINDOWS\system32
2009-05-29 15:11:01 ----D---- C:\Program Files\Java
2009-05-29 15:05:06 ----D---- C:\Program Files\Common Files
2009-05-29 14:26:13 ----SD---- C:\Documents and Settings\HP_Administrator\Application Data\Microsoft
2009-05-29 14:11:42 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-05-29 14:11:29 ----D---- C:\WINDOWS\WinSxS
2009-05-29 14:08:46 ----RSD---- C:\WINDOWS\Fonts
2009-05-29 14:08:33 ----HD---- C:\WINDOWS\inf
2009-05-29 14:08:32 ----D---- C:\WINDOWS\system32\spool
2009-05-29 14:08:28 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-05-29 14:07:03 ----D---- C:\Program Files\Internet Explorer
2009-05-29 14:05:27 ----A---- C:\WINDOWS\imsins.BAK
2009-05-29 13:57:14 ----HD---- C:\WINDOWS\$hf_mig$
2009-05-29 13:20:28 ----D---- C:\WINDOWS\system32\CatRoot
2009-05-29 13:19:14 ----A---- C:\WINDOWS\OEWABLog.txt
2009-05-29 13:18:48 ----A---- C:\WINDOWS\setuplog.txt
2009-05-29 13:17:42 ----D---- C:\WINDOWS\system32\Setup
2009-05-29 13:17:42 ----D---- C:\WINDOWS\AppPatch
2009-05-29 13:17:41 ----D---- C:\WINDOWS\system32\wbem
2009-05-29 13:17:41 ----D---- C:\Program Files\Common Files\System
2009-05-29 13:17:35 ----D---- C:\WINDOWS\system32\drivers
2009-05-29 13:13:28 ----D---- C:\Program Files\Messenger
2009-05-29 13:13:02 ----D---- C:\WINDOWS\security
2009-05-29 13:09:31 ----D---- C:\WINDOWS\system32\inetsrv
2009-05-29 13:09:31 ----D---- C:\WINDOWS\ime
2009-05-29 13:09:31 ----D---- C:\WINDOWS\Help
2009-05-29 13:09:23 ----D---- C:\WINDOWS\system32\usmt
2009-05-29 13:09:21 ----D---- C:\WINDOWS\PeerNet
2009-05-29 13:09:21 ----D---- C:\Program Files\Movie Maker
2009-05-29 13:07:42 ----D---- C:\WINDOWS\system32\Restore
2009-05-29 13:07:42 ----D---- C:\WINDOWS\system32\npp
2009-05-29 13:07:42 ----D---- C:\WINDOWS\mui
2009-05-29 13:07:41 ----D---- C:\WINDOWS\msagent
2009-05-29 13:07:40 ----D---- C:\WINDOWS\srchasst
2009-05-29 13:07:40 ----D---- C:\Program Files\NetMeeting
2009-05-29 13:07:38 ----D---- C:\WINDOWS\system32\Com
2009-05-29 13:07:36 ----D---- C:\Program Files\Windows NT
2009-05-29 13:07:36 ----D---- C:\Program Files\Outlook Express
2009-05-29 13:07:21 ----D---- C:\WINDOWS\system32\oobe
2009-05-29 13:07:19 ----D---- C:\WINDOWS\system
2009-05-29 13:04:46 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-05-29 13:02:12 ----AD---- C:\WINDOWS\ehome
2009-05-29 12:22:47 ----D---- C:\WINDOWS\SoftwareDistribution
2009-05-29 12:14:23 ----A---- C:\WINDOWS\system.ini
2009-05-29 10:18:25 ----D---- C:\Program Files\Windows Live Safety Center
2009-05-26 22:48:17 ----D---- C:\WINDOWS\system32\config
2009-05-26 21:11:11 ----A---- C:\WINDOWS\Ulead32.ini
2009-05-26 21:11:11 ----A---- C:\WINDOWS\Pex.INI
2009-05-25 23:08:33 ----A---- C:\WINDOWS\orun32.ini
2009-05-24 21:16:21 ----D---- C:\temp
2009-05-24 18:26:50 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-05-22 23:29:19 ----A---- C:\WINDOWS\WININIT.INI
2009-05-17 21:48:18 ----D---- C:\Program Files\Rhapsody
2009-05-17 18:50:59 ----D---- C:\WINDOWS\Minidump
2009-05-10 22:30:36 ----D---- C:\WINDOWS\system32\FxsTmp
2009-05-10 17:28:15 ----SD---- C:\WINDOWS\Tasks
2009-05-06 22:26:49 ----D---- C:\Program Files\Bonjour
2009-05-04 22:43:15 ----D---- C:\WINDOWS\repair
2009-05-03 13:53:02 ----D---- C:\Program Files\iPod
2009-05-03 13:45:11 ----D---- C:\Program Files\Common Files\Services
2009-05-02 15:11:46 ----D---- C:\Program Files\Microsoft Silverlight

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 36352]
R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-02-13 28376]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-09 12032]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-03-24 55640]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2005-10-05 12544]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 aracpi;aracpi; C:\WINDOWS\system32\DRIVERS\aracpi.sys [2005-08-02 22784]
R3 arkbcfltr;Microsoft PS2 Keyboard Filter; C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys [2005-08-02 5376]
R3 armoucfltr;Microsoft PS2 Mouse Filter; C:\WINDOWS\system32\DRIVERS\armoucfltr.sys [2005-08-02 4992]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ARPolicy;ARPolicy; C:\WINDOWS\system32\DRIVERS\arpolicy.sys [2005-08-02 10112]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HSX_DP;HSX_DP; C:\WINDOWS\system32\DRIVERS\HSX_DP.sys [2005-12-06 936448]
R3 HSXHWBS2;HSXHWBS2; C:\WINDOWS\system32\DRIVERS\HSXHWBS2.sys [2005-12-06 241664]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-06-14 4299264]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-05-09 3535680]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-03-03 34176]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-03-03 13056]
R3 Ps2;PS2; C:\WINDOWS\system32\DRIVERS\PS2.sys [2005-12-12 19072]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
R3 winachsx;winachsx; C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys [2005-12-06 670208]
S2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys []
S3 arhidfltr;MS Ar HID Filter Driver; C:\WINDOWS\system32\DRIVERS\arhidfltr.sys [2005-08-02 19200]
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-02-18 30464]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-04-01 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-03-02 185089]
R2 AOL ACS;AOL Connectivity Service; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [2006-10-23 46640]
R2 AOL TopSpeedMonitor;AOL TopSpeed Monitor; C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe [2004-10-15 100016]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-02-18 110592]
R2 ARSVC;ARSVC; C:\WINDOWS\arservice.exe [2005-08-02 58880]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2005-12-15 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-05-29 152984]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-06-21 49152]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-05-09 131139]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2006-03-03 69632]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-06-02 504104]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
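
The HijackThis section of the log above is what a malware-response helper reads line by line. As an added example (not part of this thread, and not code from HijackThis, RSIT or Trend Micro), the Python below parses the O4 (Run keys and Startup folders) and O23 (services) lines and flags the entries that deserve a second look in a log like this one: items marked "(no file)", rundll32 entries that name a DLL with no path (the same shape as the RUNDLL "Error loading ...dll" pop-ups reported at the start of the thread), executables launched by bare name, and services listed with "Unknown owner". The input is a constructed sample modelled on the posted log; the "Example Service" line is hypothetical and exists only to exercise the last check.

```python
"""Triage HijackThis-style log lines for the entries worth a second look.

Added example for this thread; it is not code from HijackThis, RSIT or
Trend Micro, and it judges nothing: every hit means "go and check that file".
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample modelled on the log in the post above.  The
# "Example Service" line is hypothetical (no real software is implied);
# it is there only to exercise the "Unknown owner" check.
SAMPLE_LOG = "\n".join([
    r"R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)",
    r'O4 - HKLM\..\Run: [ftutil2] "rundll32.exe" ftutil2.dll,SetWriteCacheMode',
    r'O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min',
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /install",
    r"O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe",
    r"O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe",
    r"O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\WINDOWS\system32\example.exe",
    r"O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe",
])


@dataclass
class Finding:
    line: int      # 1-based line number within the log text
    kind: str      # orphaned | rundll32-bare-dll | bare-exe | service-unknown-owner
    detail: str


# O4 - <location>: [<value name>] <command>      (Run keys)
# O4 - <location>: <shortcut>.lnk = <target>      (Startup folders)
O4_RE = re.compile(r"^O4 - (?P<loc>.*?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
# O23 - Service: <display name> (<service name>) - <company> - <image path>
# The parenthesised service name is missing on some lines, so it is optional.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?)(?: \((?P<svc>[^()]*)\))? - (?P<company>.*?) - (?P<path>.*)$"
)


def split_command(cmd: str) -> Tuple[str, str]:
    """Split an O4 command into (executable, arguments).

    Handles a quoted executable, an unquoted path containing spaces (cut at
    the first .exe/.com/.bat/.scr), and a bare first token as a last resort.
    """
    cmd = cmd.strip()
    m = re.match(r'^"([^"]*)"\s*(.*)$', cmd)
    if not m:
        m = re.match(r"^(.+?\.(?:exe|com|bat|scr))\b\s*(.*)$", cmd, re.IGNORECASE)
    if not m:
        m = re.match(r"^(\S+)\s*(.*)$", cmd)
    return (m.group(1), m.group(2)) if m else (cmd, "")


def is_qualified(path: str) -> bool:
    """True when the name carries a directory (drive letter or backslash)."""
    return "\\" in path or ":" in path


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for n, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        # 1. Any item that still points at a file HijackThis could not find.
        if "(no file)" in line:
            findings.append(Finding(n, "orphaned", line))
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            if ".lnk = " in cmd:                  # Startup-folder shortcut: judge the target
                cmd = cmd.split(".lnk = ", 1)[1]
            exe, args = split_command(cmd)
            exe_base = exe.rsplit("\\", 1)[-1].lower()
            label = m.group("name") or m.group("loc")
            if exe_base == "rundll32.exe":
                # 2. rundll32 takes "<dll>,<entry point>".  A DLL given by bare
                #    name is resolved through the DLL search order, and an entry
                #    whose DLL has been deleted is what produces the RUNDLL
                #    "Error loading ...dll" pop-ups reported in this thread.
                dll = args.split(",", 1)[0].strip().strip('"')
                if not is_qualified(dll):
                    findings.append(Finding(n, "rundll32-bare-dll", f"{label}: {dll}"))
            elif not is_qualified(exe):
                # 3. Executable named without a path: normal for some OEM tools
                #    that live in System32, but worth confirming where it lives.
                findings.append(Finding(n, "bare-exe", f"{label}: {exe}"))
            continue
        m = O23_RE.match(line)
        if m and m.group("company").lower().startswith("unknown owner"):
            # 4. Service whose image carries no company name.
            findings.append(Finding(n, "service-unknown-owner",
                                    f"{m.group('display')}: {m.group('path')}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line:>2}  {f.kind:<22} {f.detail}")
```

Run stand-alone it prints the four flagged lines. The flags are triage hints, not verdicts: in the log above both `ftutil2.dll,SetWriteCacheMode` and `nwiz.exe /install` show `[]` in the RSIT registry dump (RSIT did not find the file), and the helper's reply still calls the machine clean, so each hit means "check that file on disk", not "malware".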

#12 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 31 May 2009 - 06:17 AM

Hi Matthew,

That all looks good to me now :)

Please download OTCleanIt and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes
Congratulations! You now appear clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Cleaning and creating restore points
  • Click Start, right click My Computer and select properties.
  • Select the System Restore tab then check the box "Turn off System Restore".
  • Click Apply then Ok, then restart your computer
  • Now follow these steps again, but instead of checking "Turn off System Restore" Uncheck it.
Now that you have cleaned out your restore points you need to set a new restore point
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Select "Create a restore point" then click Next.
  • Type a name under Restore point description then click Create.
Additional instructions can be found here if needed.

Keeping Windows updated
It is extremely important to keep Windows up to date with the latest service pack and patches. This will prevent you
from getting the malware which uses vulnerabilities found in Windows to exploit your computer. The easiest way to
do this is by making sure that Automatic Updates is always enabled.

To do this, click on Start >> Control Panel >> Automatic updates and click Automatic (recommended) then Apply and Ok

Update your AntiVirus Software
It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not
update your antivirus software then it will not be able to catch any of the new variants that may come out. If you
use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your
subscription runs out, you may not be able to update the program's virus definitions.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.
Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly
patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install a Firewall
I can not stress how important it is that you use a third party Firewall on your computer. Without a firewall your computer is
susceptible to being hacked and taken over. Windows firewall is good for blocking inbound connections but it does not block
outbound connections. So if Malware manages to get onto your computer it will be able to send data out when it wants.
Here are some free firewalls I would recommend, only install one of these.

Zone Alarm
Comodo Note: Only Install the Firewall as a standalone if you already have an AntiVirus installed on your computer.

After you install the third party firewall, please disable your Windows firewall. Please go to My Computer >> Control Panel >> Windows Firewall and choose Off (not recommended) option. Then please click Apply and Ok.

Install an AntiSpyware Program
A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version, or the Pro version for a 15 day trial period.
Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.
Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.
Tutorials on using these programs can be found below:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you
from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Use a hosts file
Using a custom host file like the MVPS HOSTS file can help to block ads, banners, 3rd party Cookies,
3rd party page counters, web bugs, and even most hijackers. It doesn't use up any extra system resources
and may even speed up the loading of web pages. You can download and find instructions below.

http://www.mvps.org/winhelp2002/hosts.htm

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Regards
Gary


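The hosts-file advice in the post above, illustrated with an added example that is not part of syler's reply or of the MVPS project: a small Python auditor that parses a Windows HOSTS file the way the resolver reads it (comments and blank lines dropped, first field an IP address, remaining fields hostnames) and separates the two things such a file can do. Entries that sink names to 0.0.0.0 or 127.0.0.1 are the intended blocklist use and are left alone; entries that send a name anywhere else are redirects, and a redirect of an update or security-vendor domain is the pattern a hosts-file hijacker leaves behind. The sample file content, the protected-domain list and the 192.0.2.10 address are constructed for this example.

```python
import ipaddress

# Constructed sample HOSTS file for this example (not taken from the thread).
# It mixes the default localhost line, MVPS-style blocklist entries that sink
# ad hosts to 0.0.0.0, and two lines shaped like a hijack, where update and
# security-vendor names are pointed at an unrelated address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 ad.doubleclick.net        # blocklist entry, expected
0.0.0.0 banners.example-ads.test  # blocklist entry, expected
192.0.2.10 www.safer-networking.org   # hypothetical hijack
192.0.2.10 update.microsoft.com       # hypothetical hijack
"""

# Addresses a blocklist-style hosts file legitimately maps names to.
SINKHOLE_ADDRESSES = {
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("::1"),
}

# Domains a hijacker typically wants to cut off (update and vendor sites).
# Constructed list for this example; a real deployment would extend it.
PROTECTED_DOMAINS = (
    "microsoft.com",
    "windowsupdate.com",
    "safer-networking.org",
    "bleepingcomputer.com",
)


def parse_hosts(text):
    """Parse hosts-file text into (line_no, ip_address, [hostnames]) tuples.

    Comments (from '#' to end of line) and blank lines are skipped, and so
    are lines whose first field is not a valid IP address, which Windows
    ignores as well.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((line_no, ip, [name.lower() for name in fields[1:]]))
    return entries


def is_protected(hostname):
    """True if hostname is one of PROTECTED_DOMAINS or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in PROTECTED_DOMAINS)


def audit_hosts(text):
    """Return findings as (line_no, hostname, ip_as_text, severity).

    Sinkhole mappings are the intended use of a custom hosts file and are not
    reported. Any other mapping is a redirect: 'high' when it targets a
    protected domain (the pattern of a hosts-file hijack), else 'info'.
    """
    findings = []
    for line_no, ip, hostnames in parse_hosts(text):
        if ip in SINKHOLE_ADDRESSES:
            continue
        for hostname in hostnames:
            if hostname == "localhost":
                continue
            severity = "high" if is_protected(hostname) else "info"
            findings.append((line_no, hostname, str(ip), severity))
    return findings


def summarize(text):
    """Counts of parsed entries and sunk names plus the findings list."""
    entries = parse_hosts(text)
    blocked = sum(len(h) for _, ip, h in entries if ip in SINKHOLE_ADDRESSES)
    return {"entries": len(entries), "blocked_names": blocked, "findings": audit_hosts(text)}


if __name__ == "__main__":
    # On a real machine read C:\Windows\System32\drivers\etc\hosts instead.
    for line_no, hostname, ip, severity in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {hostname} -> {ip} [{severity}]")
```

Run against the real file after installing the MVPS HOSTS file and again after any cleanup: a healthy blocklist produces many sunk names and no 'high' findings, while a 'high' finding means an update or vendor site is being silently sent somewhere else and the line should be removed.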

#13 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 01 June 2009 - 07:14 AM

Since this issue appears resolved ... this Topic is closed. Glad I could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
