
Win32/rootkit.agent.odg removal


  • This topic is locked
19 replies to this topic

#1 lickitysplinter

lickitysplinter

  • Members
  • 27 posts
  • OFFLINE
  • Gender:Male
  • Location:The Beach, California
  • Local time:07:45 AM

Posted 21 July 2009 - 04:39 PM

Hi, I have been directed here from the "Am I infected" forum. Hopefully someone can help. Here is a link to the thread over there: my original thread

Also attached are the DDS log and the Attach log, as requested. If anything else is needed, just let me know. Thanks to everyone!!!


#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:45 PM

Posted 31 July 2009 - 04:47 PM

Hello and welcome to Bleeping Computer.

My name is Syler, and I will be helping you to solve your malware issues. Whilst I am helping you, I would be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
  • Copy and paste all logs requested in your reply. Do not attach them unless asked to.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
Then please post back here with the following:
  • MBAM log
  • log.txt
  • info.txt
Thanks

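The MBAM log those steps produce has a fixed layout: a header, a block of per-category counts, then one section per category with each item written as `object (detection name) -> action`. As an added example, not code from this thread or from Malwarebytes, here is a Python parser for that layout, run over a trimmed copy of the log posted later in this thread; it assumes C:\WINDOWS as the Windows directory when folding the \\?\globalroot\systemroot\ form MBAM prints for in-memory modules back to a normal path, and it counts items still marked "Delete on reboot" so a helper can tell whether the requested restart has actually happened.

```python
# Parser for the Malwarebytes' Anti-Malware 1.x log layout shown in this thread.
import re
from collections import Counter
from dataclasses import dataclass, field

# Trimmed copy of the MBAM log posted in this thread (header, counts, sections).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.39
Database version: 2538

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 180021

Memory Processes Infected: 0
Memory Modules Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (Trojan.TDSS) -> Delete on reboot.

Files Infected:
\\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
# "<object> (<detection name>) -> <action taken>."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

# Assumption: the Windows directory of the scanned PC (the RSIT log shows C:\WINDOWS).
WINDIR = r"C:\WINDOWS"

@dataclass
class Finding:
    category: str
    path: str
    detection: str
    action: str

    @property
    def pending_reboot(self) -> bool:
        # "Delete on reboot": the object was in use (here a DLL loaded in
        # memory), so removal only happens after the restart MBAM asks for.
        return self.action.lower().startswith("delete on reboot")

@dataclass
class MbamReport:
    version: str = ""
    database: str = ""
    objects_scanned: int = 0
    counts: dict = field(default_factory=dict)    # summary block
    findings: list = field(default_factory=list)  # Finding objects

def parse_mbam_log(text: str) -> MbamReport:
    """Walk the log once; summary lines and section headers share category names."""
    rep, section = MbamReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Malwarebytes' Anti-Malware "):
            rep.version = line.split(" ", 2)[2]
        elif line.startswith("Database version: "):
            rep.database = line.split(": ", 1)[1]
        elif line.startswith("Objects scanned: "):
            rep.objects_scanned = int(line.split(": ", 1)[1])
        elif (m := SUMMARY_RE.match(line)):
            rep.counts[m["cat"]] = int(m["n"])
        elif (m := SECTION_RE.match(line)):
            section = m["cat"]
        elif section and (m := ITEM_RE.match(line)):  # "(No malicious items detected)" never matches
            rep.findings.append(
                Finding(section, m["path"], m["name"], m["action"].rstrip(".")))
    return rep

def normalize_path(path: str) -> str:
    r"""Fold the NT object-namespace form MBAM prints for in-memory modules
    (\\?\globalroot\systemroot\...) onto the usual Win32 path, so the same
    file can be matched across the Memory Modules and Files sections."""
    prefix = r"\\?\globalroot\systemroot" + "\\"
    if path.lower().startswith(prefix):
        return WINDIR + "\\" + path[len(prefix):]
    return path

def summarize(rep: MbamReport) -> dict:
    """At-a-glance numbers for a helper, plus categories whose summary count
    differs from the items listed (a sign the log was pasted incompletely)."""
    listed = Counter(f.category for f in rep.findings)
    return {
        "findings": len(rep.findings),
        "pending_reboot": sum(f.pending_reboot for f in rep.findings),
        "distinct_files": len({normalize_path(f.path).lower() for f in rep.findings}),
        "count_mismatches": {c: (n, listed[c]) for c, n in rep.counts.items() if n != listed[c]},
    }
```

On the sample, both findings fold to the same file under C:\WINDOWS\system32, one of them still waiting for the reboot.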


#3 lickitysplinter

lickitysplinter
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Gender:Male
  • Location:The Beach, California
  • Local time:07:45 AM

Posted 31 July 2009 - 10:18 PM

Hi Syler, thank you so much for helping me, I really appreciate it! Here is what you asked for.



Malwarebytes' Anti-Malware 1.39
Database version: 2538
Windows 5.1.2600 Service Pack 3

7/31/2009 8:03:41 PM
mbam-log-2009-07-31 (20-03-41).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 180021
Time elapsed: 21 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (Trojan.TDSS) -> Quarantined and deleted successfully.



Logfile of random's system information tool 1.06 (written by random/random)
Run by HP_Administrator at 2009-07-31 20:12:40
Microsoft Windows XP Professional Service Pack 3
System drive C: has 166 GB (91%) free of 183 GB
Total RAM: 958 MB (43% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:42 PM, on 7/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Documents and Settings\HP_Administrator\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\HP_Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [Cobian Backup 8 interface] "C:\Program Files\Cobian Backup 8\cbInterface.exe" -service
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\BT.exe
O23 - Service: Cobian Backup 8 service (CobBMService) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KCSZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\KCSZ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

--
End of file - 9289 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\SmartDefrag.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2005-09-27 720896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-04-27 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2005-09-27 720896]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2004-08-10 59392]
"HPHUPD08"=c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe [2005-06-01 49152]
"HPBootOp"=C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe [2005-02-25 245760]
"LSBWatcher"=c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe [2005-05-10 253952]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPwuSchd2.exe [2005-05-12 49152]
"nmctxth"=C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe [2008-12-12 642856]
"nmapp"=C:\Program Files\Pure Networks\Network Magic\nmapp.exe [2008-12-14 467240]
"HostManager"=C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe [2006-03-10 48280]
"AOLDialer"=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [2004-10-20 34904]
"IntelliPoint"=C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 1406024]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2009-05-14 2029640]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-07-27 221184]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-04-27 148888]
"Cobian Backup 8 interface"=C:\Program Files\Cobian Backup 8\cbInterface.exe [2007-09-27 2425856]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2005-09-27 180269]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-06-23 1830128]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-06-07 46080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe"="C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe:*:Enabled:Updates from HP"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\Program Files\Common Files\AOL\1240190955\EE\AOLServiceHost.exe"="C:\Program Files\Common Files\AOL\1240190955\EE\AOLServiceHost.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\System Information\sinf.exe"="C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe"="C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:LocalSubNet:Enabled:Pure Networks Platform Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\iTunes\iTunes.exe"="%ProgramFiles%\iTunes\iTunes.exe:*:enabled:iTunes"
"C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe"="C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe:*:Enabled:Updates from HP"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-07-31 20:12:40 ----D---- C:\rsit
2009-07-21 13:36:16 ----D---- C:\Program Files\Runtime Software
2009-07-21 10:17:06 ----D---- C:\clean
2009-07-20 16:30:15 ----D---- C:\Program Files\Sophos
2009-07-20 14:14:09 ----D---- C:\Program Files\Trend Micro
2009-07-19 11:40:04 ----SHD---- C:\RECYCLER
2009-07-19 11:37:39 ----D---- C:\Program Files\Softwin
2009-07-19 10:04:57 ----D---- C:\MGtools
2009-07-19 09:39:18 ----A---- C:\ComboFix.txt
2009-07-19 08:56:03 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-07-19 08:05:03 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-07-19 00:28:29 ----A---- C:\MGtools.exe
2009-07-19 00:05:48 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-07-18 23:41:59 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\IObit
2009-07-18 23:41:57 ----D---- C:\Program Files\IObit
2009-07-18 23:22:59 ----D---- C:\Program Files\CCleaner
2009-07-18 21:59:17 ----D---- C:\WINDOWS\pss
2009-07-18 20:57:51 ----HDC---- C:\WINDOWS\$NtUninstallKB961118$
2009-07-18 19:57:53 ----D---- C:\Program Files\Cobian Backup 8
2009-07-18 19:49:42 ----A---- C:\RootRepeal report 07-18-09 (19-49-42).txt
2009-07-18 19:49:23 ----A---- C:\RootRepeal report 07-18-09 (19-49-23).txt
2009-07-18 19:14:48 ----D---- C:\Program Files\7-Zip
2009-07-18 14:49:49 ----A---- C:\RootRepeal report 07-18-09 (14-49-49).txt
2009-07-18 08:18:38 ----HD---- C:\WINDOWS\system32\GroupPolicy
2009-07-18 07:52:42 ----D---- C:\WINDOWS\system32\appmgmt
2009-07-18 07:40:28 ----D---- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2009-07-18 02:46:34 ----D---- C:\WINDOWS\system32\XPSViewer
2009-07-18 02:46:32 ----D---- C:\Program Files\MSBuild
2009-07-18 02:46:26 ----D---- C:\Program Files\Reference Assemblies
2009-07-18 02:45:58 ----N---- C:\WINDOWS\system32\xpssvcs.dll
2009-07-18 02:45:58 ----N---- C:\WINDOWS\system32\xpsshhdr.dll
2009-07-18 02:45:58 ----N---- C:\WINDOWS\system32\prntvpt.dll
2009-07-18 02:45:57 ----D---- C:\c6a9598b6540b0f367fe4b2eeec2b0
2009-07-18 02:29:44 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2009-07-18 02:04:14 ----SHD---- C:\WINDOWS\ftpcache
2009-07-17 22:10:32 ----D---- C:\WINDOWS\temp
2009-07-17 21:37:32 ----A---- C:\lrvl.txt
2009-07-17 15:23:01 ----D---- C:\WINDOWS\Minidump
2009-07-17 09:53:23 ----A---- C:\WINDOWS\zip.exe
2009-07-17 09:53:23 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-07-17 09:53:23 ----A---- C:\WINDOWS\SWSC.exe
2009-07-17 09:53:23 ----A---- C:\WINDOWS\SWREG.exe
2009-07-17 09:53:23 ----A---- C:\WINDOWS\sed.exe
2009-07-17 09:53:23 ----A---- C:\WINDOWS\PEV.exe
2009-07-17 09:53:23 ----A---- C:\WINDOWS\NIRCMD.exe
2009-07-17 09:53:23 ----A---- C:\WINDOWS\grep.exe
2009-07-17 09:53:07 ----D---- C:\WINDOWS\ERDNT
2009-07-17 09:52:18 ----AD---- C:\Qoobox
2009-07-17 08:57:37 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes
2009-07-17 08:57:30 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-07-17 07:38:44 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-17 07:38:34 ----D---- C:\Program Files\SUPERAntiSpyware
2009-07-17 07:38:34 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2009-07-16 13:21:22 ----SHD---- C:\WINDOWS\CSC
2009-07-16 03:02:05 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-16 03:01:58 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-16 03:00:40 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$

======List of files/folders modified in the last 1 months======

2009-07-31 20:08:05 ----D---- C:\Program Files\Mozilla Firefox
2009-07-31 20:07:23 ----D---- C:\WINDOWS\Registration
2009-07-31 20:07:06 ----D---- C:\WINDOWS
2009-07-31 20:06:42 ----D---- C:\WINDOWS\system32\drivers
2009-07-31 20:06:42 ----D---- C:\Program Files
2009-07-31 04:00:30 ----D---- C:\WINDOWS\system32
2009-07-26 16:44:02 ----D---- C:\WINDOWS\Prefetch
2009-07-22 16:22:56 ----D---- C:\WINDOWS\system32\CatRoot2
2009-07-20 14:37:33 ----HD---- C:\WINDOWS\inf
2009-07-20 14:37:33 ----D---- C:\Program Files\MSN
2009-07-19 14:46:37 ----D---- C:\WINDOWS\security
2009-07-19 12:17:17 ----A---- C:\WINDOWS\win.ini
2009-07-19 09:36:06 ----N---- C:\WINDOWS\system.ini
2009-07-19 09:32:51 ----D---- C:\WINDOWS\AppPatch
2009-07-19 09:32:51 ----D---- C:\Program Files\Common Files
2009-07-19 08:07:02 ----SHD---- C:\WINDOWS\Installer
2009-07-19 00:08:27 ----ASH---- C:\boot.ini
2009-07-18 23:42:08 ----SD---- C:\WINDOWS\Tasks
2009-07-18 22:43:51 ----D---- C:\WINDOWS\Microsoft.NET
2009-07-18 21:53:41 ----D---- C:\Program Files\Java
2009-07-18 20:58:06 ----D---- C:\WINDOWS\system32\CatRoot
2009-07-18 20:57:59 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-07-18 08:26:54 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\HP
2009-07-18 07:52:42 ----D---- C:\Program Files\Hewlett-Packard
2009-07-18 07:42:12 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-07-18 02:50:23 ----RSD---- C:\WINDOWS\assembly
2009-07-18 02:49:49 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-07-18 02:49:22 ----D---- C:\WINDOWS\WinSxS
2009-07-18 02:46:30 ----RSD---- C:\WINDOWS\Fonts
2009-07-18 02:44:53 ----D---- C:\Program Files\Internet Explorer
2009-07-18 02:27:22 ----D---- C:\WINDOWS\SoftwareDistribution
2009-07-18 02:26:35 ----D---- C:\Program Files\Online Services
2009-07-18 02:26:30 ----D---- C:\WINDOWS\Media
2009-07-18 02:26:28 ----D---- C:\WINDOWS\Cursors
2009-07-18 02:26:16 ----D---- C:\WINDOWS\Help
2009-07-18 02:26:12 ----D---- C:\Program Files\Windows NT
2009-07-18 02:26:09 ----D---- C:\WINDOWS\addins
2009-07-18 02:23:25 ----HD---- C:\Program Files\InstallShield Installation Information
2009-07-18 02:20:42 ----D---- C:\Program Files\Common Files\InstallShield
2009-07-18 02:20:36 ----D---- C:\Program Files\muvee Technologies
2009-07-18 02:18:41 ----D---- C:\Python22
2009-07-18 01:57:58 ----D---- C:\WINDOWS\system32\inetsrv
2009-07-17 09:38:33 ----D---- C:\WINDOWS\Debug
2009-07-16 03:02:05 ----HD---- C:\WINDOWS\$hf_mig$
2009-07-07 08:10:56 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 36352]
R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-05-14 107256]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2009-05-14 94360]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-05-14 114472]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R2 pnarp;Pure Networks Device Discovery Driver; C:\WINDOWS\system32\DRIVERS\pnarp.sys [2008-12-12 23984]
R2 purendis;Pure Networks Wireless Driver; C:\WINDOWS\system32\DRIVERS\purendis.sys [2008-12-12 25264]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-04-20 2317696]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-06-07 1235968]
R3 dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\system32\DRIVERS\Dot4.sys [2008-04-13 206976]
R3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
R3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\WINDOWS\system32\DRIVERS\dot4usb.sys [2001-08-17 23808]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-12-15 1038208]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2004-12-15 220928]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys [2008-06-10 31048]
R3 Ps2;PS2; C:\WINDOWS\system32\DRIVERS\PS2.sys [2005-07-04 26624]
R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys [2005-03-04 74496]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-12-15 703232]
S2 fntmvr;fntmvr; C:\WINDOWS\system32\drivers\tuap.sys []
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver; \??\E:\INSTAL~E\Core\BVRPMPR5.SYS []
S3 catchme;catchme; \??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\catchme.sys []
S3 esihdrv;esihdrv; \??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\esihdrv.sys []
S3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys []
S3 ltmodem5;LT Modem Driver; C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys [2004-08-04 606684]
S3 MEMSWEEP2;MEMSWEEP2; \??\C:\WINDOWS\system32\1D.tmp []
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-04 20992]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S4 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AOL ACS;AOL Connectivity Service; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [2004-10-20 10328]
R2 AOL TopSpeedMonitor;AOL TopSpeed Monitor; C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe [2004-10-15 100016]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-06-07 376832]
R2 CobBMService;Cobian Backup 8 service; C:\Program Files\Cobian Backup 8\cbService.exe [2007-09-27 499200]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2004-09-28 195584]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2004-08-10 102912]
R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-05-14 731840]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-04-27 152984]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2005-07-25 53248]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 nmservice;Pure Networks Platform Service; C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe [2008-12-12 642856]
R3 iPodService;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2005-05-05 327680]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 BT;BT; C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\BT.exe [2009-07-20 551808]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2009-05-14 20680]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 KCSZ;KCSZ; C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\KCSZ.exe [2009-07-20 351104]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.06 2009-07-31 20:12:44

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {F80239D8-7811-4D5E-B033-0D0BBFE32920}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.65-->"C:\Program Files\7-Zip\Uninstall.exe"
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop Elements 2.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop Elements 2\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop Elements 2\Uninst.dll"
Adobe Reader 7.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
AOL Coach Version 2.0(Build:20041026.5 en)-->C:\Program Files\Common Files\AolCoach\en_en\AolCInUn.exe -lang=en_en -ext=UDP
AOL Connectivity Services-->"C:\Program Files\Common Files\AOL\ACS\AcsUninstall.exe" /c
AOL Uninstaller-->C:\Program Files\Common Files\AOL\uninstaller.exe
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Barnyard Invasion from HP Media Center (remove only)-->"C:\Program Files\WildTangent\Apps\GameChannel\Games\049D60AF-B425-4F8A-BD66-9D8C1B519D59\Uninstall.exe"
Bounce Symphony from HP Media Center (remove only)-->"C:\Program Files\WildTangent\Apps\GameChannel\Games\5DAA9E44-1B31-41CD-88A8-228EDED6E36E\Uninstall.exe"
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Cobian Backup 8-->C:\Program Files\Cobian Backup 8\cbUninstall.exe
Crystal Maze from HP Media Center (remove only)-->"C:\Program Files\WildTangent\Apps\GameChannel\Games\3D61540E-C88C-4358-B6A1-DC26648F2A3D\Uninstall.exe"
Data Fax SoftModem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1\HXFSETUP.EXE -U -IAsu200Ck.inf
Digby's Donuts from HP Media Center (remove only)-->"C:\Program Files\WildTangent\Apps\GameChannel\Games\A51671BD-9BE5-4944-AC62-A2A0B6FF5E54\Uninstall.exe"
DriveImage XML (Private Edition)-->"C:\Program Files\Runtime Software\DriveImage XML\Uninstall.exe" "C:\Program Files\Runtime Software\DriveImage XML\install.log" -u
Flip Words from HP Media Center (remove only)-->"C:\Program Files\WildTangent\Apps\GameChannel\Games\1280194E-E9D5-4253-95E7-40169E2A4848\Uninstall.exe"
GemMaster Mystic-->"C:\Program Files\GemMaster\uninstallgemmaster.exe"
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
HP Boot Optimizer-->MsiExec.exe /I{3BA95526-6AE0-4B87-A62D-17187EF565FC}
HP Deskjet Printer Preload-->MsiExec.exe /I{2C5D07FB-31A2-4F2D-9FDA-0B24ACD42BD0}
HP DigitalMedia Archive-->MsiExec.exe /I{F80239D8-7811-4D5E-B033-0D0BBFE32920}
HP Document Viewer 5.3-->C:\Program Files\HP\Digital Imaging\DocumentViewer\hpzscr01.exe -datfile hpqbud04.dat
HP Game Console and games-->C:\Program Files\WildTangent\Apps\hpuninstall.exe
HP Image Zone 5.3-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Image Zone for Media Center PC-->MsiExec.exe /X{8D0C57BC-4942-4960-BB6D-142456D6F233}
HP Imaging Device Functions 5.3-->C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Multimedia Keyboard Software-->C:\HP\KBD\KBD.EXE uninstalled
HP Photosmart 330,380,420,470,7800,8000,8200 Series-->C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\setup\hpzscr01.exe -d MsiRollbackUninstaller -datfile hphscr08.dat
HP Photosmart Cameras 5.0-->C:\Program Files\HP\Digital Imaging\{C83A12B9-B31B-461A-BBD4-CE9B988094F1}\setup\hpzscr01.exe -datfile hpiscr01.dat
HP PSC & OfficeJet 5.3.B-->"C:\Program Files\HP\Digital Imaging\{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}\setup\hpzscr01.exe" -datfile hposcr07.dat
HP Solution Center & Imaging Support Tools 5.3-->C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Tunes-->MsiExec.exe /X{D54193B7-D2DF-4977-B546-86CA48DB214E}
Insaniquarium Deluxe from HP Media Center (remove only)-->"C:\Program Files\WildTangent\Apps\GameChannel\Games\A09026AE-8F16-4929-B4E6-1825535844DB\Uninstall.exe"
InterVideo WinDVD Player-->"C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iTunes-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{523E6F2A-2D59-4D91-90E8-6C49931C9F50}
Java™ 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216013FF}
Jewel Quest from HP Media Center (remove only)-->"C:\Program Files\WildTangent\Apps\GameChannel\Games\A73FAC36-8925-465D-8FA2-4DA98BD9B441\Uninstall.exe"
Mah Jong Quest from HP Media Center (remove only)-->"C:\Program Files\WildTangent\Apps\GameChannel\Games\538B9061-0C77-4FB2-903F-EC42A1FF5DD8\Uninstall.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Money 2005-->C:\Program Files\Microsoft Money 2005\MNYCoreFiles\Setup\uninst.exe /s:120
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2000 Disc 2-->MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 Professional-->MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Office Standard Edition 2003-->MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Dancer LE-->MsiExec.exe /X{1A103D70-5C9B-4E1A-B306-5106C68F9914}
Microsoft Plus! Digital Media Edition Installer-->MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE-->MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft Works-->MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Mozilla Firefox (3.0.12)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6 Service Pack 2 (KB954459)-->MsiExec.exe /I{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}
Network Magic-->C:\Documents and Settings\All Users\Application Data\Pure Networks\Setup\nmsetup.exe /uninstall
Polar Bowler from HP Media Center (remove only)-->"C:\Program Files\WildTangent\Apps\GameChannel\Games\1FFA88DF-0AC3-4D9E-9139-5FF98813C12C\Uninstall.exe"
Polar Golfer from HP Media Center (remove only)-->"C:\Program Files\WildTangent\Apps\GameChannel\Games\55275778-F7D9-4BA0-95F4-DEFD71ADDFD9\Uninstall.exe"
PS2-->C:\WINDOWS\system32\ps2.exe uninstall
Puzzle Express from HP Media Center (remove only)-->"C:\Program Files\WildTangent\Apps\GameChannel\Games\0814ADC6-5B36-4144-A8EA-439C36B1BB11\Uninstall.exe"
Quicken 2005-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2DBE41DD-2129-4C65-A3D3-5647236A60F3} anything
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Smart Defrag 1.20-->"C:\Program Files\IObit\IObit SmartDefrag\unins000.exe"
Sonic Encoders-->MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sonic Express Labeler-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus-->MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio-->MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy-->MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data-->MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Swarm from HP Media Center (remove only)-->"C:\Program Files\WildTangent\Apps\GameChannel\Games\133F647D-B454-42BC-ADBE-387482A29B88\Uninstall.exe"
Tradewinds from HP Media Center (remove only)-->"C:\Program Files\WildTangent\Apps\GameChannel\Games\B3FF79F4-CDA8-4845-A7C0-9CE017719F36\Uninstall.exe"
Turbo Lister 2-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{69640730-B830-4C24-BB5C-222DA1260548}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB953356)-->"C:\WINDOWS\$NtUninstallKB953356$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369)-->C:\WINDOWS\$NtUninstallMC05Upd1$\spuninst\spuninst.exe
Updates from HP (remove only)-->C:\WINDOWS\HPCPCUninstall-9972322\HPBWSetup.exe -appid 9972322 -uninstall
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
WebEx Support Manager for Internet Explorer-->MsiExec.exe /I{C34FAEF3-4241-4C4E-9CFF-7BBD8BCEABE7}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10 Hotfix [See KB889858 for more information]-->C:\WINDOWS\$NtUninstallKB889858$\spuninst\spuninst.exe
Windows XP Media Center Edition 2005 KB888316-->C:\WINDOWS\$NtUninstallKB888316$\spuninst\spuninst.exe
Windows XP Media Center Edition 2005 KB895678-->C:\WINDOWS\$NtUninstallKB895678$\spuninst\spuninst.exe
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

=====HijackThis Backups=====

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-20]

======Security center information======

AV: ESET NOD32 Antivirus 4.0

======System event log======

Computer Name: YOUR-B27FB1C401
Event Code: 10005
Message: DCOM got error "%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Record Number: 4066
Source Name: DCOM
Time Written: 20090716132214.000000-420
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: YOUR-B27FB1C401
Event Code: 7000
Message: The Automatic LiveUpdate Scheduler service failed to start due to the following error:
The system cannot find the path specified.


Record Number: 4038
Source Name: Service Control Manager
Time Written: 20090716131741.000000-420
Event Type: error
User:

Computer Name: YOUR-B27FB1C401
Event Code: 7000
Message: The Automatic LiveUpdate Scheduler service failed to start due to the following error:
The system cannot find the path specified.


Record Number: 4007
Source Name: Service Control Manager
Time Written: 20090716130839.000000-420
Event Type: error
User:

Computer Name: YOUR-B27FB1C401
Event Code: 1
Message: The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

Record Number: 4001
Source Name: sr
Time Written: 20090716125340.000000-420
Event Type: error
User:

Computer Name: YOUR-B27FB1C401
Event Code: 7000
Message: The Automatic LiveUpdate Scheduler service failed to start due to the following error:
The system cannot find the path specified.


Record Number: 3975
Source Name: Service Control Manager
Time Written: 20090716124949.000000-420
Event Type: error
User:

=====Application event log=====

Computer Name: YOUR-B27FB1C401
Event Code: 1002
Message: Hanging application firefox.exe, version 1.9.0.3399, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 767
Source Name: Application Hang
Time Written: 20090519055206.000000-420
Event Type: error
User:

Computer Name: YOUR-B27FB1C401
Event Code: 1002
Message: Hanging application firefox.exe, version 1.9.0.3399, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 766
Source Name: Application Hang
Time Written: 20090519055205.000000-420
Event Type: error
User:

Computer Name: YOUR-B27FB1C401
Event Code: 1001
Message: Fault bucket 1245527889.

Record Number: 708
Source Name: Application Hang
Time Written: 20090515211202.000000-420
Event Type: error
User:

Computer Name: YOUR-B27FB1C401
Event Code: 1002
Message: Hanging application firefox.exe, version 1.9.0.3399, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 707
Source Name: Application Hang
Time Written: 20090515211149.000000-420
Event Type: error
User:

Computer Name: YOUR-B27FB1C401
Event Code: 1000
Message: Faulting application tl.exe, version 7.2.100.27, faulting module attrhost.dll, version 7.2.100.27, fault address 0x00020639.

Record Number: 550
Source Name: Application Error
Time Written: 20090506161711.000000-420
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;c:\Python22;C:\Program Files\ATI Technologies\ATI Control Panel
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=2f02
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"SonicCentral"=c:\Program Files\Common Files\Sonic Shared\Sonic Central\

-----------------EOF-----------------

#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:45 PM

Posted 01 August 2009 - 06:10 AM

Hello lickitysplinter,


4) ComboFix from combofix.org (I really did not know what to do here with this one however)


First of all, combofix.org is in no way related to combofix, and it should not be downloaded from there.

ComboFix should not be run unless requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Post the contents of C:\ComboFix.txt in your next reply.



#5 lickitysplinter

lickitysplinter
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Gender:Male
  • Location:The Beach, California
  • Local time:07:45 AM

Posted 01 August 2009 - 08:52 AM

Hi Syler,

Just so you know, before I came over here to Bleeping Computer for help I contacted ESET for help; they are the folks whose anti-virus software, Nod32, I paid for. The person who was "helping" me told me to run combofix, and he is the one who gave me the link to combofix.org to get it. Once I did the few things he asked, he unceremoniously sent me over here to Bleeping Computer and gave up. I never would have run it had I not thought that some "expert" was helping me. Well anyway, I'm glad I now actually have that expert to help me - so thank you! Following is the file you requested; I did not rerun combofix, I just copied and pasted the existing file. Thanks again!

ComboFix 09-07-19.01 - HP_Administrator 07/19/2009 9:28.5.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.608 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-06-19 to 2009-07-19 )))))))))))))))))))))))))))))))
.

2009-07-19 15:56 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-19 15:56 . 2009-07-19 15:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 15:56 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-19 15:08 . 2009-07-19 16:06 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-19 15:05 . 2009-07-19 15:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-19 07:28 . 2009-07-19 07:28 1343301 ----a-w- C:\MGtools.exe
2009-07-19 06:41 . 2009-07-19 06:41 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\IObit
2009-07-19 06:41 . 2009-07-19 06:41 -------- d-----w- c:\program files\IObit
2009-07-19 06:22 . 2009-07-19 06:23 -------- d-----w- c:\program files\CCleaner
2009-07-19 02:57 . 2009-07-19 02:58 -------- d-----w- c:\program files\Cobian Backup 8
2009-07-19 02:14 . 2009-07-19 02:14 -------- d-----w- c:\program files\7-Zip
2009-07-18 21:13 . 2009-07-18 21:13 0 ----a-w- c:\documents and settings\HP_Administrator\settings.dat
2009-07-18 15:18 . 2009-07-18 15:18 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-07-18 14:40 . 2009-07-18 14:40 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\NortonInstaller
2009-07-18 09:46 . 2009-07-18 09:46 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-18 09:46 . 2009-07-18 09:46 -------- d-----w- c:\program files\MSBuild
2009-07-18 09:46 . 2009-07-18 09:46 -------- d-----w- c:\program files\Reference Assemblies
2009-07-18 09:45 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-07-18 09:45 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-07-18 09:45 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-07-18 09:45 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-07-18 09:45 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-07-18 09:45 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-07-18 09:45 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-07-18 09:45 . 2009-07-18 09:46 -------- d-----w- C:\c6a9598b6540b0f367fe4b2eeec2b0
2009-07-18 09:04 . 2009-07-18 09:04 -------- d-sh--w- c:\windows\ftpcache
2009-07-17 19:02 . 2009-07-17 19:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-17 17:13 . 2009-07-17 17:14 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-17 17:13 . 2009-07-17 17:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-17 15:57 . 2009-07-17 15:57 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-07-17 15:57 . 2009-07-17 15:57 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-17 14:38 . 2009-07-17 14:38 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-07-17 14:38 . 2009-07-19 15:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-17 14:38 . 2009-07-19 15:06 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2009-07-16 22:27 . 2009-07-16 22:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\AOL
2009-07-16 20:22 . 2009-07-16 20:22 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-07-15 14:46 . 2009-07-15 14:46 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\ESET
2009-06-19 22:19 . 2009-06-19 22:19 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HPQ
2009-06-19 21:14 . 2009-06-19 21:14 -------- d-----w- c:\program files\ESET
2009-06-19 21:14 . 2009-06-19 21:14 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-19 04:53 . 2005-09-27 23:47 -------- d-----w- c:\program files\Java
2009-07-18 15:26 . 2009-04-21 22:16 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HP
2009-07-18 14:52 . 2005-09-28 00:20 -------- d-----w- c:\program files\Hewlett-Packard
2009-07-18 14:42 . 2005-09-28 00:45 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-18 14:28 . 2009-04-20 01:54 82064 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-18 09:23 . 2005-09-27 23:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-18 09:20 . 2005-09-27 23:57 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-18 09:20 . 2005-09-28 00:28 -------- d-----w- c:\program files\muvee Technologies
2009-06-27 18:31 . 2009-05-19 12:38 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\AdobeUM
2009-06-19 22:09 . 2005-09-28 00:39 -------- d-----w- c:\program files\Easy Internet signup
2009-06-16 14:36 . 2004-08-10 19:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 19:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-10 19:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-14 22:49 . 2009-05-14 22:49 94360 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 22:47 . 2009-05-14 22:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 22:41 . 2009-05-14 22:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-07 15:32 . 2004-08-10 19:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-30 12:44 . 2004-11-17 11:31 92191 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-30 12:43 . 2009-04-30 12:43 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2009-04-30 12:43 . 2009-04-30 12:43 61440 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2009-04-30 12:43 . 2009-04-30 12:43 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2009-04-30 12:43 . 2009-04-30 12:43 40960 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2009-04-30 12:43 . 2009-04-30 12:43 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2009-04-30 12:43 . 2009-04-30 12:43 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2009-04-30 12:43 . 2009-04-30 12:43 287310 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection.dll
2009-04-30 12:43 . 2009-04-30 12:43 163840 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2009-04-29 04:56 . 2004-08-10 19:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-10 19:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-27 17:33 . 2009-04-27 17:34 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-04-27 17:33 . 2009-04-27 17:33 152576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-21 22:16 . 2009-04-13 12:08 139 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\fusioncache.dat
2009-04-21 10:15 . 2009-04-21 10:15 8673792 ----a-w- c:\docume~1\ALLUSE~1\APPLIC~1\atscie.msi
2009-06-12 03:54 . 2009-04-21 00:04 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-07-18_17.03.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-19 16:27 . 2009-07-19 16:27 16384 c:\windows\temp\Perflib_Perfdata_694.dat
- 2005-09-27 23:53 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
+ 2005-09-27 23:53 . 2007-11-30 11:18 17272 c:\windows\system32\spmsg.dll
- 2004-11-17 03:21 . 2009-07-18 15:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-11-17 03:21 . 2009-07-19 16:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-11-17 03:21 . 2009-07-18 15:29 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-11-17 03:21 . 2009-07-19 16:05 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-19 15:07 . 2009-07-19 15:07 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2009-07-17 14:38 . 2009-07-17 14:38 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-07-19 15:07 . 2009-07-19 15:07 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
- 2009-07-17 14:38 . 2009-07-17 14:38 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2009-03-20 18:48 . 2009-03-20 18:48 183808 c:\windows\Installer\553738.msp
+ 2009-07-19 15:07 . 2009-07-19 15:07 1516544 c:\windows\Installer\1b91474.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-11 59392]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-11 253952]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-12-14 467240]
"HostManager"="c:\program files\Common Files\AOL\1240190955\ee\AOLSoftware.exe" [2006-03-10 48280]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-10-20 34904]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-09-28 98304]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-09-28 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-27 148888]
"Cobian Backup 8 interface"="c:\program files\Cobian Backup 8\cbInterface.exe" [2007-09-27 2425856]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-4-20 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1240190955\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 3:49 PM 94360]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]
S2 fntmvr;fntmvr;c:\windows\system32\drivers\tuap.sys --> c:\windows\system32\drivers\tuap.sys [?]
S3 esihdrv;esihdrv;\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\esihdrv.sys --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\esihdrv.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/search
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\docume~1\HP_ADM~1\APPLIC~1\Mozilla\Firefox\Profiles\r22vigkx.default\
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-19 09:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
geyekrymrmpjen.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-07-19 9:39
ComboFix-quarantined-files.txt 2009-07-19 16:39
ComboFix2.txt 2009-07-18 19:46
ComboFix3.txt 2009-07-18 17:06
ComboFix4.txt 2009-07-18 05:10
ComboFix5.txt 2009-07-19 16:23

Pre-Run: 173,826,203,648 bytes free
Post-Run: 173,834,559,488 bytes free

224 --- E O F --- 2009-07-16 10:02
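
As an added example, not code from this thread, from ComboFix or from GMER: a small Python triage script that walks log lines shaped like the ones above and pulls out the entries a malware-response helper reads first. The `SAMPLE_LOG` lines are constructed copies of a few entries from the logs in this thread (service lines ending in `[?]`, a module loaded from a `\\?\globalroot` path inside winlogon.exe, GMER `Code` hooks with no owning module, an inline `JMP` patch on a kernel export, and a driver reference whose file is not on disk). The heuristics, the `Finding` type and the `triage` function are my own assumptions about what is worth a second look; they are not detection rules from either tool, and a hit is a reason to examine an entry, not an attribution. Plain `SSDT` entries are deliberately not flagged on their own, because security products such as the AV and anti-spyware drivers listed in this log commonly hook those same functions for self-protection.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str      # which heuristic fired
    subject: str   # service, process or function the line concerns
    reason: str    # why a reviewer should look at it


# Constructed sample: a handful of lines in the shape of the ComboFix and GMER
# entries quoted in this thread (not the full logs).
SAMPLE_LOG = r"""
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
S2 fntmvr;fntmvr;c:\windows\system32\drivers\tuap.sys --> c:\windows\system32\drivers\tuap.sys [?]
S3 esihdrv;esihdrv;\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\esihdrv.sys --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\esihdrv.sys [?]
- - - - - - - > 'winlogon.exe'(596)
geyekrymrmpjen.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
Code 85C108C0 ZwEnumerateKey
Code 85C1F406 IofCallDriver
.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 85C1F40B
? system32\drivers\yzqgucmf.sys The system cannot find the path specified. !
"""

# "R1 name;display;path [date size]"  or  "S2 name;display;path --> path [?]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# ComboFix process header in "DLLs Loaded Under Running Processes"
PROCESS_RE = re.compile(r"^- - - - - - - > '(?P<proc>[^']+)'\((?P<pid>\d+)\)$")
# GMER kernel hook whose owner it could not resolve to a module: "Code 85C108C0 ZwEnumerateKey"
GMER_CODE_RE = re.compile(r"^Code\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>\w+)$")
# GMER inline patch of a kernel export: ".text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 85C1F40B"
GMER_JMP_RE = re.compile(
    r"^(?:\.text|PAGE)\s+(?P<image>\S+)!(?P<func>\w+)\s+[0-9A-Fa-f]{8}\s+\d+ Bytes JMP\s+(?P<target>[0-9A-Fa-f]{8})$"
)
# GMER driver reference with no file behind it
GMER_MISSING_RE = re.compile(r"^\?\s+(?P<path>\S+)\s+The system cannot find the path specified\. !$")


def triage(log_text: str) -> list[Finding]:
    """Walk a ComboFix/GMER style log and return the lines a reviewer should examine first."""
    findings: list[Finding] = []
    current_process = "<none>"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = PROCESS_RE.match(line)
        if m:
            current_process = f"{m['proc']}({m['pid']})"
            continue

        # A module resolved through \\?\globalroot\... instead of a drive letter is a
        # common sign of a file hidden from the normal namespace; inside winlogon.exe
        # or services.exe it deserves a look before anything else.
        if r"\\?\globalroot" in line.lower():
            findings.append(Finding("loaded_dll", current_process,
                                    f"module loaded via globalroot path: {line.split()[-1]}"))
            continue

        m = SERVICE_RE.match(line)
        if m:
            rest = m["rest"]
            if rest.endswith("[?]"):
                findings.append(Finding("service", m["name"],
                                        "ComboFix could not read the image file ('[?]'): missing or hidden"))
            if "\\temp\\" in rest.lower():
                findings.append(Finding("service", m["name"],
                                        "driver image lives under a Temp directory"))
            continue

        m = GMER_CODE_RE.match(line)
        if m:
            findings.append(Finding("kernel_hook", m["func"],
                                    f"kernel function redirected to code at {m['addr']} with no owning module"))
            continue

        m = GMER_JMP_RE.match(line)
        if m:
            findings.append(Finding("inline_hook", f"{m['image']}!{m['func']}",
                                    f"inline JMP patch to {m['target']}"))
            continue

        m = GMER_MISSING_RE.match(line)
        if m:
            findings.append(Finding("missing_driver", m["path"],
                                    "driver is referenced by the kernel but its file is not on disk"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}: {f.reason}")
```

Run against the real logs by reading the ComboFix or GMER text file and passing it to `triage`; the output is meant to shorten the first read of a long log, and every flagged entry still needs the usual verification (file on disk, signer, known-good lists) before anything is acted on.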

#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:45 PM

Posted 01 August 2009 - 09:04 AM

Hi lickitysplinter,

I understand, and I don't blame you for running it, as you would have had no reason to suspect that this person did not know what they were doing; unfortunately that seems to be the case. I can see that it has been run 5 times, so could you please post this log in your next reply: C:\Qoobox\ComboFix5.txt.



We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window, If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.



#7 lickitysplinter

lickitysplinter
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Beach, California
  • Local time:07:45 AM

Posted 01 August 2009 - 10:06 AM

Hi Syler,

Thanks for your quick response! Here are your latest requests:

ComboFix 09-07-14.08 - HP_Administrator 07/17/2009 15:01.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.487 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-06-17 to 2009-07-17 )))))))))))))))))))))))))))))))
.

2009-07-17 19:02 . 2009-07-17 19:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-17 17:13 . 2009-07-17 17:14 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-17 17:13 . 2009-07-17 17:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-17 16:35 . 2009-07-17 16:35 -------- d-----w- c:\program files\CCleaner
2009-07-17 15:57 . 2009-07-17 15:57 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-07-17 15:57 . 2009-07-17 15:57 -------- d-----w- c:\docume~1\HP_ADM~1\APPLIC~1\Malwarebytes
2009-07-17 15:57 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-17 15:57 . 2009-07-17 15:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-17 15:57 . 2009-07-17 15:57 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-17 15:57 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-17 14:39 . 2009-07-17 21:31 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-17 14:38 . 2009-07-17 14:38 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-07-17 14:38 . 2009-07-17 14:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-17 14:38 . 2009-07-17 14:38 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2009-07-17 14:38 . 2009-07-17 14:38 -------- d-----w- c:\docume~1\HP_ADM~1\APPLIC~1\SUPERAntiSpyware.com
2009-07-17 14:37 . 2009-07-17 14:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-16 22:27 . 2009-07-16 22:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\AOL
2009-07-16 20:22 . 2009-07-16 20:22 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-07-15 14:46 . 2009-07-15 14:46 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\ESET
2009-07-15 14:46 . 2009-07-15 14:46 -------- d-----w- c:\docume~1\HP_ADM~1\LOCALS~1\APPLIC~1\ESET
2009-06-19 22:19 . 2009-06-19 22:19 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HPQ
2009-06-19 22:19 . 2009-06-19 22:19 -------- d-----w- c:\docume~1\HP_ADM~1\APPLIC~1\HPQ
2009-06-19 21:14 . 2009-06-19 21:14 -------- d-----w- c:\program files\ESET
2009-06-19 21:14 . 2009-06-19 21:14 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-17 14:25 . 2005-09-27 23:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-16 19:30 . 2009-07-16 19:29 1063859 ----a-w- c:\windows\system32\rn.tmp
2009-06-27 18:31 . 2009-05-19 12:38 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\AdobeUM
2009-06-27 18:31 . 2009-05-19 12:38 -------- d-----w- c:\docume~1\HP_ADM~1\APPLIC~1\AdobeUM
2009-06-19 22:09 . 2005-09-28 00:39 -------- d-----w- c:\program files\Easy Internet signup
2009-06-19 20:54 . 2005-09-28 00:45 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-19 20:54 . 2005-09-28 00:44 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Symantec
2009-06-19 20:33 . 2005-09-28 00:46 -------- d-----w- c:\program files\Norton Internet Security
2009-06-16 14:36 . 2004-08-10 19:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 19:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-10 19:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-14 22:49 . 2009-05-14 22:49 94360 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 22:47 . 2009-05-14 22:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 22:41 . 2009-05-14 22:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-07 15:32 . 2004-08-10 19:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-30 20:34 . 2009-04-20 01:54 82064 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-30 20:34 . 2009-04-20 01:54 82064 ----a-w- c:\docume~1\HP_ADM~1\LOCALS~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2009-04-30 12:44 . 2004-11-17 11:31 92191 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-30 12:43 . 2009-04-30 12:43 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2009-04-30 12:43 . 2009-04-30 12:43 61440 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2009-04-30 12:43 . 2009-04-30 12:43 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2009-04-30 12:43 . 2009-04-30 12:43 40960 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2009-04-30 12:43 . 2009-04-30 12:43 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2009-04-30 12:43 . 2009-04-30 12:43 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2009-04-30 12:43 . 2009-04-30 12:43 287310 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection.dll
2009-04-30 12:43 . 2009-04-30 12:43 163840 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2009-04-29 04:56 . 2004-08-10 19:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-10 19:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-27 17:33 . 2009-04-27 17:34 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-04-27 17:33 . 2009-04-27 17:33 152576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-21 22:16 . 2009-04-13 12:08 139 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\fusioncache.dat
2009-04-21 22:16 . 2009-04-13 12:08 139 ----a-w- c:\docume~1\HP_ADM~1\LOCALS~1\APPLIC~1\fusioncache.dat
2009-04-21 10:15 . 2009-04-21 10:15 8673792 ----a-w- c:\docume~1\ALLUSE~1\APPLIC~1\atscie.msi
2009-04-20 01:28 . 2009-04-20 01:28 335 ----a-w- c:\windows\nsreg.dat
2009-06-12 03:54 . 2009-04-21 00:04 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-11 59392]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-11 253952]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-09-28 180269]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-12-14 467240]
"HostManager"="c:\program files\Common Files\AOL\1240190955\ee\AOLSoftware.exe" [2006-03-10 48280]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-10-20 34904]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-27 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-09-28 98304]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-4-20 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1240190955\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 3:49 PM 94360]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 esihdrv;esihdrv;\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\esihdrv.sys --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\esihdrv.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/search
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\docume~1\HP_ADM~1\APPLIC~1\Mozilla\Firefox\Profiles\r22vigkx.default\
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-17 15:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(588)
geyekrymrmpjen.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-07-17 15:12
ComboFix-quarantined-files.txt 2009-07-17 22:11

Pre-Run: 171,562,156,032 bytes free
Post-Run: 173,709,524,992 bytes free

191 --- E O F --- 2009-07-16 10:02


GMER 1.0.15.15011 [yn31pqez.exe] - http://www.gmer.net
Rootkit scan 2009-08-01 07:58:31
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 857C3A60 ZwOpenProcess
SSDT 857C3E80 ZwOpenThread
SSDT 857C4460 ZwSuspendProcess
SSDT 857C4280 ZwSuspendThread
SSDT 857C3C90 ZwTerminateProcess
SSDT 857C40B0 ZwTerminateThread

Code 85C108C0 ZwEnumerateKey
Code 85C0FAC0 ZwFlushInstructionCache
Code 85C1F28E ZwSaveKey
Code 85C1C376 ZwSaveKeyEx
Code 85C1F406 IofCallDriver
Code 85C2077E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 85C1F40B
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 85C20783
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 85C0FAC4
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 5 Bytes JMP 85C108C4
PAGE ntkrnlpa.exe!ZwSaveKey 80625264 5 Bytes JMP 85C1F292
PAGE ntkrnlpa.exe!ZwSaveKeyEx 8062534A 5 Bytes JMP 85C1C37A
? system32\drivers\yzqgucmf.sys The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[124] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003B000A
.text C:\WINDOWS\system32\winlogon.exe[580] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0062000A
.text C:\WINDOWS\system32\services.exe[628] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003A000A
.text C:\Documents and Settings\HP_Administrator\Desktop\yn31pqez.exe[724] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003A000A
.text C:\WINDOWS\system32\Ati2evxx.exe[808] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0096000A
.text ...
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1804] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\WINDOWS\ehome\ehtray.exe[1840] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003D000A
.text C:\Program Files\HP\HP Software Update\HPwuSchd2.exe[1888] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003D000A
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1940] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04AC000A
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1960] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003D000A
.text C:\Program Files\Cobian Backup 8\cbInterface.exe[1992] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003D000A
.text ...

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [009A869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [009A85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [009A85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [009A869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [009A869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [009A85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [009A869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [009A85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [009A85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [009A869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [009A869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [009A85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [009A869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [009A85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [009A85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [009A869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [009A869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [009A85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [009A869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [009A85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [009A85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [009A869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [009A869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [009A85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\psapi.dll [KERNEL32.dll!LoadLibraryA] [009A85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\psapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [009A869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [009A869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [009A85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CD869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [04CD85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [04CD85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CD869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CD869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [04CD85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\MSVCRT.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CD869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\MSVCRT.dll [KERNEL32.dll!LoadLibraryA] [04CD85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [04CD85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CD869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CD869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [04CD85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [04CD85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CD869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CD869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [04CD85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CD869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [04CD85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CD869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [04CD85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CD869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [04CD85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [04CD85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CD869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CD869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [04CD85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [04CD85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[1916] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CD869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [04CA85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CA869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CA869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [04CA85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [04CA85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CA869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CA869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [04CA85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CA869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [04CA85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CA869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [04CA85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CA869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [04CA85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CA869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [04CA85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CA869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [04CA85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [04CA85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CA869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CA869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [04CA85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [04CA85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CA869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CA869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [04CA85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CA869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [04CA85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [04CA85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[1924] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [04CA869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:320] 857C2790
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [124] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [580] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [628] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [640] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Documents and Settings\HP_Administrator\Desktop\yn31pqez.exe [724] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\Ati2evxx.exe [808] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [920] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [992] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [1012] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1120] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1308] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\Ati2evxx.exe [1332] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [1376] 0x00940000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe [1388] 0x00390000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1408] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1444] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Cobian Backup 8\cbService.exe [1504] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe [1544] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1584] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\eHome\ehRecvr.exe [1752] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\eHome\ehSched.exe [1784] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [1804] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\ehome\ehtray.exe [1840] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\HP\HP Software Update\HPwuSchd2.exe [1888] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe [1896] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe [1916] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [1924] 0x00AF0000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Microsoft IntelliPoint\ipoint.exe [1940] 0x003E0000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [1960] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jusched.exe [1976] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Cobian Backup 8\cbInterface.exe [1992] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [2012] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2024] 0x04C60000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [2060] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2136] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2404] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2476] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\iPod\bin\iPodService.exe [2524] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2632] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe [2764] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\ALCXMNTR.EXE [2892] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [2952] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\wuauclt.exe [3040] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ c:\windows\system\hpsysdrv.exe [3160] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\HP\KBD\KBD.EXE [3408] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [3424] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\wbem\wmiprvse.exe [3632] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\dllhost.exe [3892] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\wscntfy.exe [3988] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\eHome\ehmsas.exe [4076] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\geyekrmpbapqqu.sys (*** hidden *** ) [SYSTEM] geyekrajiyblhb <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrajiyblhb
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrajiyblhb@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrajiyblhb@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrajiyblhb@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrajiyblhb@imagepath \systemroot\system32\drivers\geyekrmpbapqqu.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrajiyblhb\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrajiyblhb\main@aid 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrajiyblhb\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrajiyblhb\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrajiyblhb\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrajiyblhb\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrajiyblhb\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrajiyblhb\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrajiyblhb\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrajiyblhb\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrmpbapqqu.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrajiyblhb\modules@geyekrcmd.dll \systemroot\system32\geyekrwnkcvxrm.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrajiyblhb\modules@geyekrlog.dat \systemroot\system32\geyekrljywfvlo.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrajiyblhb\modules@geyekrwsp.dll \systemroot\system32\geyekrymrmpjen.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrajiyblhb\modules@geyekr.dat \systemroot\system32\geyekrqhyvbvdj.dat
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrajiyblhb (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrajiyblhb@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrajiyblhb@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrajiyblhb@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrajiyblhb@imagepath \systemroot\system32\drivers\geyekrmpbapqqu.sys
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrajiyblhb\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrajiyblhb\main@aid 10002
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrajiyblhb\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrajiyblhb\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrajiyblhb\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrajiyblhb\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrajiyblhb\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrajiyblhb\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrajiyblhb\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrajiyblhb\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrmpbapqqu.sys
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrajiyblhb\modules@geyekrcmd.dll \systemroot\system32\geyekrwnkcvxrm.dll
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrajiyblhb\modules@geyekrlog.dat \systemroot\system32\geyekrljywfvlo.dat
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrajiyblhb\modules@geyekrwsp.dll \systemroot\system32\geyekrymrmpjen.dll
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrajiyblhb\modules@geyekr.dat \systemroot\system32\geyekrqhyvbvdj.dat
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\BAECDAC2AD5D6D445BCFD7EE78BAC3C0\Usage@Unload 989926254

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\geyekrljywfvlo.dat 172711 bytes
File C:\WINDOWS\system32\geyekrqhyvbvdj.dat 91 bytes
File C:\WINDOWS\system32\geyekrwnkcvxrm.dll 40960 bytes
File C:\WINDOWS\system32\geyekrymrmpjen.dll 18432 bytes
File C:\WINDOWS\system32\drivers\geyekrmpbapqqu.sys 65536 bytes <-- ROOTKIT !!!
File C:\WINDOWS\temp\geyekrnavybitvey.tmp 91 bytes
File C:\WINDOWS\temp\geyekrptregfvqxo.tmp 91 bytes
File C:\WINDOWS\temp\geyekrxtapjxnixm.tmp 17408 bytes

---- EOF - GMER 1.0.15 ----
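The GMER log above lists one hidden DLL loaded into nearly every process, a hidden driver service flagged ROOTKIT, and a set of registry "modules" values tying the two together. As an added example (not from this thread, GMER, or its author), the Python script below parses a log of this shape and reduces it to the findings a responder acts on; the embedded sample is a constructed excerpt in the same format, not the full log.

```python
"""Triage helper for a GMER 1.0.15 log of the shape posted above (added example,
not part of the thread): parses the section headers, the "(*** hidden ***)" markers,
the "<-- ROOTKIT !!!" flags, IAT hook lines and the service's registry "modules"
values, then ties the hidden DLL to the hidden service that owns it."""
import ntpath
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
LIBRARY_RE = re.compile(r"^Library (\S+) \((.*?)\) @ (.+) \[(\d+)\] 0x[0-9A-Fa-f]+$")
SERVICE_RE = re.compile(r"^Service (\S+) \((.*?)\) \[(\w+)\] (\S+)(.*)$")
IAT_RE = re.compile(
    r"^IAT (.+?)\[(\d+)\] @ (.+?) \[(.+?)\] \[[0-9A-Fa-f]+\] (.+?)(?: \(([^()]*)\))?$")
FILE_RE = re.compile(r"^File (.+?) (\d+) bytes(.*)$")
# Only the active control set matters; GMER tags the others "(not active ControlSet)".
MODULE_RE = re.compile(
    r"^Reg HKLM\\SYSTEM\\CurrentControlSet\\Services\\([^\\@]+)\\modules@(\S+) (\S+)$")

# Constructed sample with the same line shapes as the log above (trimmed, not the full log).
SAMPLE_LOG = r"""---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1376] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [009A85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [580] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [628] 0x10000000
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\geyekrmpbapqqu.sys (*** hidden *** ) [SYSTEM] geyekrajiyblhb <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrajiyblhb\modules@geyekrwsp.dll \systemroot\system32\geyekrymrmpjen.dll
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrajiyblhb\modules@geyekrwsp.dll \systemroot\system32\geyekrymrmpjen.dll
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\geyekrmpbapqqu.sys 65536 bytes <-- ROOTKIT !!!
File C:\WINDOWS\temp\geyekrxtapjxnixm.tmp 17408 bytes
---- EOF - GMER 1.0.15 ----
"""


def triage(log_text):
    section = None
    hidden_libraries = defaultdict(list)  # dll path -> [(process, pid), ...]
    hidden_services = {}                  # service name -> driver path
    rootkit_files = []                    # (path, size) for lines flagged ROOTKIT
    iat_hooks = defaultdict(set)          # hooking module -> {hooked import, ...}
    service_modules = defaultdict(dict)   # service name -> {alias: on-disk path}
    for line in (raw.rstrip() for raw in log_text.splitlines()):
        head = SECTION_RE.match(line)
        if head:
            section = head.group(1)
            continue
        if section == "Processes":
            m = LIBRARY_RE.match(line)
            if m and "hidden" in m.group(2):
                hidden_libraries[m.group(1)].append((m.group(3), int(m.group(4))))
        elif section == "Services":
            m = SERVICE_RE.match(line)
            if m and ("hidden" in m.group(2) or "ROOTKIT" in m.group(5)):
                hidden_services[m.group(4)] = m.group(1)
        elif section == "User IAT/EAT":
            m = IAT_RE.match(line)
            if m:
                iat_hooks[m.group(5)].add(m.group(4))
        elif section == "Registry":
            m = MODULE_RE.match(line)
            if m:
                service_modules[m.group(1)][m.group(2)] = m.group(3)
        elif section == "Files":
            m = FILE_RE.match(line)
            if m and "ROOTKIT" in m.group(3):
                rootkit_files.append((m.group(1), int(m.group(2))))
    # Tie each hidden DLL to the hidden service whose "modules" value names it on disk.
    dll_to_service = {}
    for dll in hidden_libraries:
        base = ntpath.basename(dll).lower()
        for svc in hidden_services:
            paths = service_modules.get(svc, {}).values()
            if any(ntpath.basename(p).lower() == base for p in paths):
                dll_to_service[dll] = svc
    return {
        "hidden_libraries": dict(hidden_libraries),
        "hidden_services": hidden_services,
        "rootkit_files": rootkit_files,
        "iat_hooks": {k: sorted(v) for k, v in iat_hooks.items()},
        "service_modules": {k: dict(v) for k, v in service_modules.items()},
        "dll_to_service": dll_to_service,
    }


def report(summary):
    # One human-readable finding per line, suitable for pasting into a reply.
    out = []
    for dll, procs in summary["hidden_libraries"].items():
        owner = summary["dll_to_service"].get(dll, "no matching service")
        out.append(f"hidden DLL {ntpath.basename(dll)} in {len(procs)} process(es); owner: {owner}")
    for svc, driver in summary["hidden_services"].items():
        out.append(f"hidden service {svc} -> {driver}; modules: "
                   f"{sorted(summary['service_modules'].get(svc, {}))}")
    for path, size in summary["rootkit_files"]:
        out.append(f"file flagged ROOTKIT: {path} ({size} bytes)")
    for module, imports in summary["iat_hooks"].items():
        out.append(f"IAT hook by {ntpath.basename(module)}: {', '.join(imports)}")
    return out


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```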

#8 syler (Malware Response Team)

Posted 01 August 2009 - 11:54 AM

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.

Delete any copy of Combofix you already have.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Edited by syler, 01 August 2009 - 11:55 AM.



#9 lickitysplinter

Posted 01 August 2009 - 12:31 PM

Hi Syler,

I wish to continue. Here is the Combofix log as requested. And thank you once again!

ComboFix 09-07-31.04 - HP_Administrator 08/01/2009 10:10.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.605 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-07-01 to 2009-08-01 )))))))))))))))))))))))))))))))
.

2009-08-01 03:12 . 2009-08-01 03:12 -------- d-----w- C:\rsit
2009-07-22 23:09 . 2009-07-22 23:09 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-07-21 20:36 . 2009-07-21 20:36 -------- d-----w- c:\program files\Runtime Software
2009-07-21 17:17 . 2009-07-21 19:10 -------- d-----w- C:\clean
2009-07-20 23:30 . 2009-07-21 00:12 -------- d-----w- c:\program files\Sophos
2009-07-20 21:14 . 2009-07-20 21:14 -------- d-----w- c:\program files\Trend Micro
2009-07-19 18:37 . 2009-07-19 18:40 -------- d-----w- c:\program files\Softwin
2009-07-19 17:35 . 2009-07-19 18:35 -------- d-----w- c:\documents and settings\HP_Administrator\Pavark
2009-07-19 17:28 . 2009-07-19 17:28 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-07-19 17:05 . 2009-07-19 17:06 103516 ----a-w- C:\MGlogs.zip
2009-07-19 17:04 . 2009-07-22 00:50 -------- d-----w- C:\MGtools
2009-07-19 15:56 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-19 15:56 . 2009-07-19 15:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 15:56 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-19 15:08 . 2009-08-01 17:21 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-19 15:05 . 2009-07-19 15:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-19 07:28 . 2009-07-19 07:28 1343301 ----a-w- C:\MGtools.exe
2009-07-19 06:41 . 2009-07-19 06:41 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\IObit
2009-07-19 06:41 . 2009-07-19 06:41 -------- d-----w- c:\program files\IObit
2009-07-19 06:22 . 2009-07-19 06:23 -------- d-----w- c:\program files\CCleaner
2009-07-19 02:57 . 2009-07-19 02:58 -------- d-----w- c:\program files\Cobian Backup 8
2009-07-19 02:14 . 2009-07-19 02:14 -------- d-----w- c:\program files\7-Zip
2009-07-18 21:13 . 2009-07-18 21:13 0 ----a-w- c:\documents and settings\HP_Administrator\settings.dat
2009-07-18 15:18 . 2009-07-18 15:18 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-07-18 14:40 . 2009-07-18 14:40 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\NortonInstaller
2009-07-18 09:46 . 2009-07-18 09:46 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-18 09:46 . 2009-07-18 09:46 -------- d-----w- c:\program files\MSBuild
2009-07-18 09:46 . 2009-07-18 09:46 -------- d-----w- c:\program files\Reference Assemblies
2009-07-18 09:45 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-07-18 09:45 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-07-18 09:45 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-07-18 09:45 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-07-18 09:45 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-07-18 09:45 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-07-18 09:45 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-07-18 09:45 . 2009-07-18 09:46 -------- d-----w- C:\c6a9598b6540b0f367fe4b2eeec2b0
2009-07-18 09:04 . 2009-07-18 09:04 -------- d-sh--w- c:\windows\ftpcache
2009-07-17 19:02 . 2009-07-17 19:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-17 17:13 . 2009-07-17 17:14 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-17 17:13 . 2009-07-17 17:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-17 15:57 . 2009-07-17 15:57 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-07-17 15:57 . 2009-07-17 15:57 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-17 14:38 . 2009-07-17 14:38 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-07-17 14:38 . 2009-07-19 15:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-17 14:38 . 2009-07-19 15:06 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2009-07-16 22:27 . 2009-07-16 22:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\AOL
2009-07-16 20:22 . 2009-07-16 20:22 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-07-15 14:46 . 2009-07-15 14:46 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-19 04:53 . 2005-09-27 23:47 -------- d-----w- c:\program files\Java
2009-07-18 15:26 . 2009-04-21 22:16 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HP
2009-07-18 14:52 . 2005-09-28 00:20 -------- d-----w- c:\program files\Hewlett-Packard
2009-07-18 14:42 . 2005-09-28 00:45 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-18 14:28 . 2009-04-20 01:54 82064 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-18 09:23 . 2005-09-27 23:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-18 09:20 . 2005-09-27 23:57 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-18 09:20 . 2005-09-28 00:28 -------- d-----w- c:\program files\muvee Technologies
2009-06-27 18:31 . 2009-05-19 12:38 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\AdobeUM
2009-06-19 22:19 . 2009-06-19 22:19 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HPQ
2009-06-19 22:09 . 2005-09-28 00:39 -------- d-----w- c:\program files\Easy Internet signup
2009-06-19 21:14 . 2009-06-19 21:14 -------- d-----w- c:\program files\ESET
2009-06-19 21:14 . 2009-06-19 21:14 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\ESET
2009-06-16 14:36 . 2004-08-10 19:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 19:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-10 19:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-14 22:49 . 2009-05-14 22:49 94360 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 22:47 . 2009-05-14 22:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 22:41 . 2009-05-14 22:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-07 15:32 . 2004-08-10 19:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-07-23 18:56 . 2009-04-21 00:04 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-11 59392]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-11 253952]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-12-14 467240]
"HostManager"="c:\program files\Common Files\AOL\1240190955\ee\AOLSoftware.exe" [2006-03-10 48280]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-10-20 34904]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-27 148888]
"Cobian Backup 8 interface"="c:\program files\Cobian Backup 8\cbInterface.exe" [2007-09-27 2425856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-09-28 180269]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-4-20 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1240190955\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 3:49 PM 94360]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S2 fntmvr;fntmvr;c:\windows\system32\drivers\tuap.sys --> c:\windows\system32\drivers\tuap.sys [?]
S3 esihdrv;esihdrv;\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\esihdrv.sys --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\esihdrv.sys [?]
S3 KCSZ;KCSZ;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\KCSZ.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\KCSZ.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1D.tmp --> c:\windows\system32\1D.tmp [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ATWPKT2
*Deregistered* - ATWPKT2
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/search
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mStart Page = about:blank
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\docume~1\HP_ADM~1\APPLIC~1\Mozilla\Firefox\Profiles\r22vigkx.default\
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-01 10:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(584)
geyekrymrmpjen.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3616)
geyekrymrmpjen.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll
c:\program files\Common Files\AOL\ACS\WLHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Cobian Backup 8\cbService.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-08-01 10:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-01 17:26
ComboFix2.txt 2009-07-19 16:39
ComboFix3.txt 2009-07-18 19:46
ComboFix4.txt 2009-07-18 17:06
ComboFix5.txt 2009-08-01 17:05

Pre-Run: 173,808,930,816 bytes free
Post-Run: 173,812,834,304 bytes free

231 --- E O F --- 2009-07-16 10:02

#10 syler

Posted 01 August 2009 - 01:01 PM

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::
File::
C:\WINDOWS\system32\geyekrljywfvlo.dat
C:\WINDOWS\system32\geyekrqhyvbvdj.dat
C:\WINDOWS\system32\geyekrwnkcvxrm.dll
C:\WINDOWS\system32\geyekrymrmpjen.dll
C:\WINDOWS\system32\drivers\geyekrmpbapqqu.sys
C:\WINDOWS\temp\geyekrnavybitvey.tmp
C:\WINDOWS\temp\geyekrptregfvqxo.tmp
C:\WINDOWS\temp\geyekrxtapjxnixm.tmp
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000
Driver::
geyekrajiyblhb

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

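The CFScript above was assembled by hand from the GMER and ComboFix logs: the randomly named files sharing the `geyekr` prefix, the service of the same family from the GMER `Reg ... Services\...` line, the DLL ComboFix saw injected into winlogon.exe via a `\\?\globalroot` path, and the two Security Center keys the infection had set. The following Python script is an added example (not part of this thread, and not ComboFix or GMER code) that automates that triage over constructed sample lines copied from the logs; it assumes SystemRoot is `C:\WINDOWS` and that a 6-character prefix shared by at least three names marks a family.

```python
"""Triage helper for the GMER / ComboFix log lines posted in this thread.

Added example, not ComboFix or GMER code. It clusters file names by a shared
random-looking prefix, pulls the same-family service name from the GMER
'Reg ... Services\\<name>' line, maps a globalroot-loaded DLL back to a real
path, and renders the File::/Registry::/Driver:: sections of a CFScript.
Assumptions: SystemRoot is C:\\WINDOWS; 6-char prefix, 3+ members = family.
"""
import re
from collections import defaultdict

FILE_RE = re.compile(r"^File\s+(\S+)\s+\d+\s+bytes", re.I)
SERVICE_RE = re.compile(r"^Reg\s+HKLM\\SYSTEM\\ControlSet\d+\\Services\\([^\\@\s]+)", re.I)
GLOBALROOT_RE = re.compile(r"\\\\\?\\globalroot\\systemroot\\(\S+)", re.I)
KEY_RE = re.compile(r"^\[(.+)\]$")
DISABLED_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.I)

# Constructed sample: GMER File/Reg lines, the ComboFix "DLLs Loaded Under
# Running Processes" line for winlogon.exe, and the Security Center keys.
SAMPLE_LOG = r"""
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrajiyblhb\modules@geyekr.dat \systemroot\system32\geyekrqhyvbvdj.dat
File C:\WINDOWS\system32\geyekrljywfvlo.dat 172711 bytes
File C:\WINDOWS\system32\geyekrwnkcvxrm.dll 40960 bytes
File C:\WINDOWS\system32\drivers\geyekrmpbapqqu.sys 65536 bytes <-- ROOTKIT !!!
File C:\WINDOWS\temp\geyekrxtapjxnixm.tmp 17408 bytes
File C:\WINDOWS\system32\drivers\mbam.sys 19096 bytes
geyekrymrmpjen.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
"""


def parse_log(text, systemroot=r"C:\WINDOWS"):
    """Pull the four things a CFScript needs out of mixed GMER/ComboFix lines."""
    found = {"files": [], "services": [], "injected": [], "disabled_monitoring": []}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := FILE_RE.match(line):
            found["files"].append(m.group(1))
        elif m := SERVICE_RE.match(line):
            found["services"].append(m.group(1))
        elif m := GLOBALROOT_RE.search(line):
            # A module listed under \\?\globalroot\systemroot\... is loaded from a
            # path the rootkit hides; map it back to SystemRoot (assumed value).
            found["injected"].append(systemroot + "\\" + m.group(1))
        elif m := KEY_RE.match(line):
            current_key = m.group(1)
        elif DISABLED_RE.match(line) and current_key:
            # Security Center monitoring switched off under the current key.
            found["disabled_monitoring"].append(current_key)
    return found


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def cluster_by_prefix(names, prefix_len=6, min_members=3):
    """Group names by their first prefix_len characters and keep only groups
    with min_members or more: randomly named rootkit components share a
    prefix, while a lone legitimate driver such as mbam.sys drops out."""
    groups = defaultdict(set)
    for name in names:
        if len(name) > prefix_len:
            groups[name[:prefix_len].lower()].add(name.lower())
    return {p: sorted(v) for p, v in groups.items() if len(v) >= min_members}


def find_families(found, prefix_len=6, min_members=3):
    """Return {prefix: {"files": [...], "drivers": [...]}} for each family."""
    items = [(basename(p), p) for p in found["files"] + found["injected"]]
    items += [(s.lower(), s) for s in found["services"]]  # service names carry no path
    families = {}
    for prefix in cluster_by_prefix([n for n, _ in items], prefix_len, min_members):
        hits = [(n, v) for n, v in items if n.startswith(prefix)]
        families[prefix] = {
            "files": sorted({v for _, v in hits if "\\" in v}),
            "drivers": sorted({v for _, v in hits if "\\" not in v}),
        }
    return families


def build_cfscript(found, family):
    """Render the sections in the order the helper used above."""
    lines = ["KillAll::"]
    if family["files"]:
        lines += ["File::", *family["files"]]
    if found["disabled_monitoring"]:
        lines.append("Registry::")
        for key in found["disabled_monitoring"]:
            lines += [f"[{key}]", '"DisableMonitoring"=dword:00000000']
    if family["drivers"]:
        lines += ["Driver::", *family["drivers"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for prefix, family in find_families(found).items():
        print(f"# suspected family '{prefix}' ({len(family['files'])} files)")
        print(build_cfscript(found, family))
```

Run on the sample it reports one family, `geyekr`, with five files (the four GMER hits plus the winlogon-injected DLL), the driver `geyekrajiyblhb`, and both Security Center keys reset to 0; `mbam.sys` is left alone because it has no siblings.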


#11 lickitysplinter

Posted 01 August 2009 - 01:50 PM

Hi Syler,

I think we are making some progress; this last time the Nod32 window did not pop up showing the virus. I am so grateful you are helping me! Here is your requested log:

ComboFix 09-07-31.04 - HP_Administrator 08/01/2009 11:31.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.605 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\cfscript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FILE ::
"c:\windows\system32\drivers\geyekrmpbapqqu.sys"
"c:\windows\system32\geyekrljywfvlo.dat"
"c:\windows\system32\geyekrqhyvbvdj.dat"
"c:\windows\system32\geyekrwnkcvxrm.dll"
"c:\windows\system32\geyekrymrmpjen.dll"
"c:\windows\temp\geyekrnavybitvey.tmp"
"c:\windows\temp\geyekrptregfvqxo.tmp"
"c:\windows\temp\geyekrxtapjxnixm.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-07-01 to 2009-08-01 )))))))))))))))))))))))))))))))
.

2009-08-01 03:12 . 2009-08-01 03:12 -------- d-----w- C:\rsit
2009-07-22 23:09 . 2009-07-22 23:09 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-07-21 20:36 . 2009-07-21 20:36 -------- d-----w- c:\program files\Runtime Software
2009-07-21 17:17 . 2009-07-21 19:10 -------- d-----w- C:\clean
2009-07-20 23:30 . 2009-07-21 00:12 -------- d-----w- c:\program files\Sophos
2009-07-20 21:14 . 2009-07-20 21:14 -------- d-----w- c:\program files\Trend Micro
2009-07-19 18:37 . 2009-07-19 18:40 -------- d-----w- c:\program files\Softwin
2009-07-19 17:35 . 2009-07-19 18:35 -------- d-----w- c:\documents and settings\HP_Administrator\Pavark
2009-07-19 17:28 . 2009-07-19 17:28 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-07-19 17:05 . 2009-07-19 17:06 103516 ----a-w- C:\MGlogs.zip
2009-07-19 17:04 . 2009-07-22 00:50 -------- d-----w- C:\MGtools
2009-07-19 15:56 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-19 15:56 . 2009-07-19 15:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 15:56 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-19 15:08 . 2009-08-01 18:42 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-19 15:05 . 2009-07-19 15:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-19 07:28 . 2009-07-19 07:28 1343301 ----a-w- C:\MGtools.exe
2009-07-19 06:41 . 2009-07-19 06:41 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\IObit
2009-07-19 06:41 . 2009-07-19 06:41 -------- d-----w- c:\program files\IObit
2009-07-19 06:22 . 2009-07-19 06:23 -------- d-----w- c:\program files\CCleaner
2009-07-19 02:57 . 2009-07-19 02:58 -------- d-----w- c:\program files\Cobian Backup 8
2009-07-19 02:14 . 2009-07-19 02:14 -------- d-----w- c:\program files\7-Zip
2009-07-18 21:13 . 2009-07-18 21:13 0 ----a-w- c:\documents and settings\HP_Administrator\settings.dat
2009-07-18 15:18 . 2009-07-18 15:18 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-07-18 14:40 . 2009-07-18 14:40 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\NortonInstaller
2009-07-18 09:46 . 2009-07-18 09:46 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-18 09:46 . 2009-07-18 09:46 -------- d-----w- c:\program files\MSBuild
2009-07-18 09:46 . 2009-07-18 09:46 -------- d-----w- c:\program files\Reference Assemblies
2009-07-18 09:45 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-07-18 09:45 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-07-18 09:45 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-07-18 09:45 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-07-18 09:45 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-07-18 09:45 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-07-18 09:45 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-07-18 09:45 . 2009-07-18 09:46 -------- d-----w- C:\c6a9598b6540b0f367fe4b2eeec2b0
2009-07-18 09:04 . 2009-07-18 09:04 -------- d-sh--w- c:\windows\ftpcache
2009-07-17 19:02 . 2009-07-17 19:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-17 17:13 . 2009-07-17 17:14 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-17 17:13 . 2009-07-17 17:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-17 15:57 . 2009-07-17 15:57 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-07-17 15:57 . 2009-07-17 15:57 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-17 14:38 . 2009-07-17 14:38 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-07-17 14:38 . 2009-07-19 15:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-17 14:38 . 2009-07-19 15:06 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2009-07-16 22:27 . 2009-07-16 22:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\AOL
2009-07-16 20:22 . 2009-07-16 20:22 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-07-16 19:59 . 2009-08-01 17:31 91 ----a-w- c:\windows\system32\geyekrqhyvbvdj.dat
2009-07-16 19:39 . 2009-08-01 18:30 18432 ----a-w- c:\windows\system32\geyekrymrmpjen.dll
2009-07-16 19:39 . 2009-08-01 18:39 177444 ----a-w- c:\windows\system32\geyekrljywfvlo.dat
2009-07-16 19:39 . 2009-08-01 18:30 65536 ----a-w- c:\windows\system32\drivers\geyekrmpbapqqu.sys
2009-07-16 19:39 . 2009-08-01 18:30 40960 ----a-w- c:\windows\system32\geyekrwnkcvxrm.dll
2009-07-15 14:46 . 2009-07-15 14:46 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-19 04:53 . 2005-09-27 23:47 -------- d-----w- c:\program files\Java
2009-07-18 15:26 . 2009-04-21 22:16 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HP
2009-07-18 14:52 . 2005-09-28 00:20 -------- d-----w- c:\program files\Hewlett-Packard
2009-07-18 14:42 . 2005-09-28 00:45 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-18 14:28 . 2009-04-20 01:54 82064 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-18 09:23 . 2005-09-27 23:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-18 09:20 . 2005-09-27 23:57 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-18 09:20 . 2005-09-28 00:28 -------- d-----w- c:\program files\muvee Technologies
2009-06-27 18:31 . 2009-05-19 12:38 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\AdobeUM
2009-06-19 22:19 . 2009-06-19 22:19 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HPQ
2009-06-19 22:09 . 2005-09-28 00:39 -------- d-----w- c:\program files\Easy Internet signup
2009-06-19 21:14 . 2009-06-19 21:14 -------- d-----w- c:\program files\ESET
2009-06-19 21:14 . 2009-06-19 21:14 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\ESET
2009-06-16 14:36 . 2004-08-10 19:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 19:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-10 19:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-14 22:49 . 2009-05-14 22:49 94360 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 22:47 . 2009-05-14 22:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 22:41 . 2009-05-14 22:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-07 15:32 . 2004-08-10 19:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-07-23 18:56 . 2009-04-21 00:04 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-01_17.21.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-01 18:41 . 2009-08-01 18:41 16384 c:\windows\temp\Perflib_Perfdata_7cc.dat
- 2009-08-01 17:19 . 2009-08-01 17:09 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-01 17:30 . 2009-08-01 18:29 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-11-17 03:21 . 2009-08-01 18:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-11-17 03:21 . 2009-08-01 17:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-11-17 03:21 . 2009-08-01 18:29 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-11-17 03:21 . 2009-08-01 17:09 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-11 59392]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-11 253952]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-12-14 467240]
"HostManager"="c:\program files\Common Files\AOL\1240190955\ee\AOLSoftware.exe" [2006-03-10 48280]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-10-20 34904]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-27 148888]
"Cobian Backup 8 interface"="c:\program files\Cobian Backup 8\cbInterface.exe" [2007-09-27 2425856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-09-28 180269]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-4-20 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1240190955\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 3:49 PM 94360]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S2 fntmvr;fntmvr;c:\windows\system32\drivers\tuap.sys --> c:\windows\system32\drivers\tuap.sys [?]
S3 esihdrv;esihdrv;\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\esihdrv.sys --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\esihdrv.sys [?]
S3 KCSZ;KCSZ;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\KCSZ.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\KCSZ.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1D.tmp --> c:\windows\system32\1D.tmp [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ATWPKT2
*Deregistered* - ATWPKT2
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/search
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mStart Page = about:blank
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\docume~1\HP_ADM~1\APPLIC~1\Mozilla\Firefox\Profiles\r22vigkx.default\
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-01 11:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1D.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(588)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(208)
c:\program files\Common Files\AOL\ACS\WLHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Cobian Backup 8\cbService.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-08-01 11:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-01 18:44
ComboFix2.txt 2009-08-01 17:26
ComboFix3.txt 2009-07-19 16:39
ComboFix4.txt 2009-07-18 19:46
ComboFix5.txt 2009-08-01 18:25

Pre-Run: 173,810,409,472 bytes free
Post-Run: 173,780,160,512 bytes free

252 --- E O F --- 2009-07-16 10:02
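As an added example (not code from this thread, from ComboFix or from GMER), the following Python script triages the R/S service and driver lines of a ComboFix log like the one above, using constructed sample lines in the same format. The flag rules (image file missing, image in a Temp directory, .tmp extension) are my own first-look heuristics, not verdicts; legitimate scanners also leave such entries behind.

```python
"""Triage of the services/drivers lines in a ComboFix log.

Added example, not code from the thread or from ComboFix. The line format is
the one visible in the posted log (R = running, S = stopped, digit = Windows
start type); the flag rules below are the editor's own heuristics:

    <start> <name>;<display>;<image path> [<date> <time> <size>]
    <start> <name>;<display>;<image path> --> <image path> [?]

A trailing '[?]' means the image file could not be found on disk.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the posted format; the paths mirror the log above.
SAMPLE_LOG = r"""
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]
S2 fntmvr;fntmvr;c:\windows\system32\drivers\tuap.sys --> c:\windows\system32\drivers\tuap.sys [?]
S3 esihdrv;esihdrv;\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\esihdrv.sys --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\esihdrv.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1D.tmp --> c:\windows\system32\1D.tmp [?]
"""

LINE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
TRAILER_RE = re.compile(r"\s*\[[^\]]*\]\s*$")   # '[date time size]' or '[?]'
NT_PREFIX = "\\??\\"                             # kernel-namespace prefix on driver paths


@dataclass
class ServiceEntry:
    start: str            # e.g. 'S2' = stopped, automatic start
    name: str
    display: str
    image: str            # image path with any \??\ prefix removed
    missing: bool         # True when ComboFix wrote '[?]'
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[ServiceEntry]:
    """Parse one services/drivers line; return None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").rstrip()
    missing = rest.endswith("[?]")
    rest = TRAILER_RE.sub("", rest)
    # For a missing file ComboFix repeats the path after '-->'; keep the registry form.
    image = rest.split(" --> ")[0].strip()
    if image.startswith(NT_PREFIX):
        image = image[len(NT_PREFIX):]
    return ServiceEntry(m.group("start"), m.group("name"), m.group("display"), image, missing)


def flag_entry(entry: ServiceEntry) -> List[str]:
    """Heuristic leads for the analyst, not verdicts (scanners also leave such entries)."""
    flags = []
    low = entry.image.lower()
    if entry.missing:
        flags.append("image file missing on disk")
    if "\\temp\\" in low:
        flags.append("image in a Temp directory")
    if low.endswith(".tmp"):
        flags.append("image has .tmp extension")
    return flags


def triage(log_text: str) -> List[ServiceEntry]:
    """Parse every service/driver line in a ComboFix log and attach flags."""
    entries = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            entry.flags = flag_entry(entry)
            entries.append(entry)
    return entries


def suspicious_names(log_text: str) -> List[str]:
    """Names of entries carrying at least one flag, in log order."""
    return [e.name for e in triage(log_text) if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        mark = "!!" if e.flags else "ok"
        print(f"{mark} {e.start} {e.name:<10} {e.image}  {'; '.join(e.flags)}")
```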

#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:45 PM

Posted 01 August 2009 - 01:58 PM

Hi lickitysplinter,

Can you tell me, when you ran combofix the first time I asked you, did you delete the copy you had downloaded from combofix.org
and redownload it from one of the links I provided? I ask because I forgot to tell you to delete your other copy, and I edited it in
afterwards, so I wasn't sure if you may have missed that part. Please rerun Gmer to make sure the rootkit's gone and post back with
the new log.

Thanks
Syler



#13 lickitysplinter

lickitysplinter
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Male
  • Location:The Beach, California
  • Local time:07:45 AM

Posted 01 August 2009 - 02:52 PM

Hi Syler,

Yes I deleted the old combofix and reinstalled from your link. Here is the new gmer log as requested. Thank You!!!

GMER 1.0.15.15011 [yn31pqez.exe] - http://www.gmer.net
Rootkit scan 2009-08-01 12:44:23
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 8578D630 ZwAssignProcessToJobObject
SSDT 8578CA60 ZwOpenProcess
SSDT 8578CE80 ZwOpenThread
SSDT 8578D460 ZwSuspendProcess
SSDT 8578D280 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF288EDF0]
SSDT 8578D0B0 ZwTerminateThread

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1924] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[328] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [1000869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[328] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [100085EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[328] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [100085EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[328] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [1000869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[328] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [1000869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[328] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [100085EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[328] @ C:\WINDOWS\system32\MSVCRT.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [1000869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[328] @ C:\WINDOWS\system32\MSVCRT.dll [KERNEL32.dll!LoadLibraryA] [100085EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[328] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [100085EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[328] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [1000869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[328] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [1000869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[328] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [100085EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[328] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [100085EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[328] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [1000869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[328] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [1000869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[328] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [100085EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[328] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [1000869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[328] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [100085EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[328] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [1000869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[328] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [100085EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[328] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [1000869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[328] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [100085EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[328] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [100085EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe[328] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [1000869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [00AF85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00AF869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00AF869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [00AF85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [00AF85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00AF869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00AF869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [00AF85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00AF869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [00AF85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00AF869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [00AF85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00AF869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [00AF85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00AF869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [00AF85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00AF869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [00AF85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [00AF85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00AF869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00AF869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [00AF85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [00AF85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00AF869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00AF869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [00AF85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00AF869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [00AF85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [00AF85EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[364] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00AF869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [0099869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [009985EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [009985EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [0099869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [0099869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [009985EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [0099869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [009985EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [009985EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [0099869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [0099869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [009985EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [0099869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [009985EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [009985EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [0099869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [0099869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [009985EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [0099869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [009985EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [009985EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [0099869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\psapi.dll [KERNEL32.dll!LoadLibraryA] [009985EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\psapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [0099869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [0099869C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1728] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [009985EE] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:324] 8578B790

---- EOF - GMER 1.0.15 ----

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:45 PM

Posted 01 August 2009 - 03:03 PM

Hi lickitysplinter

Looks like we got the rootkit :thumbup2: so we are nearly there. Let me know in your next reply how it's running and if you are having any more problems.

Uninstall ComboFix
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.

Next

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Next

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Next

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Then please post back here with the following:
  • Kaspersky results
  • New DDS log
Thanks



#15 lickitysplinter

lickitysplinter
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Gender:Male
  • Location:The Beach, California
  • Local time:07:45 AM

Posted 01 August 2009 - 06:26 PM

Hi Syler,

Here are the last 2 items you asked for, I hope they are OK? Thanks again for everything - you're great!!!


KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, August 1, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, August 01, 2009 22:28:33
Records in database: 2570997
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
G:\
H:\
I:\
J:\
Scan statistics
Files scanned 87682
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 01:54:04

File name Threat name Threats count
C:\Program Files\Online Services\AOL\United States\AOL90\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
The selected area was scanned.


DDS (Ver_09-06-26.01) - NTFSx86
Run by HP_Administrator at 16:25:18.40 on Sat 08/01/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.559 [GMT -7:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/search
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mStart Page = about:blank
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [HostManager] c:\program files\common files\aol\1240190955\ee\AOLSoftware.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [Cobian Backup 8 interface] "c:\program files\cobian backup 8\cbInterface.exe" -service
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\r22vigkx.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-5-14 94360]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-5-14 731840]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S2 fntmvr;fntmvr;c:\windows\system32\drivers\tuap.sys --> c:\windows\system32\drivers\tuap.sys [?]
S3 esihdrv;esihdrv;\??\c:\docume~1\hp_adm~1\locals~1\temp\esihdrv.sys --> c:\docume~1\hp_adm~1\locals~1\temp\esihdrv.sys [?]
S3 KCSZ;KCSZ;c:\docume~1\hp_adm~1\locals~1\temp\kcsz.exe --> c:\docume~1\hp_adm~1\locals~1\temp\KCSZ.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1d.tmp --> c:\windows\system32\1D.tmp [?]

=============== Created Last 30 ================

2009-08-01 13:30 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-01 13:07 <DIR> --ds---- C:\ComboFix
2009-07-21 13:36 <DIR> --d----- c:\program files\Runtime Software
2009-07-21 10:17 <DIR> --d----- C:\clean
2009-07-20 16:30 <DIR> --d----- c:\program files\Sophos
2009-07-20 14:14 <DIR> --d----- c:\program files\Trend Micro
2009-07-19 11:37 <DIR> --d----- c:\program files\Softwin
2009-07-19 10:35 <DIR> --d----- c:\documents and settings\hp_administrator\Pavark
2009-07-19 10:28 153,104 a------- c:\windows\system32\drivers\tmcomm.sys
2009-07-19 10:05 103,516 a------- C:\MGlogs.zip
2009-07-19 10:04 <DIR> --d----- C:\MGtools
2009-07-19 08:56 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-19 08:56 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-19 08:56 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 08:05 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-19 00:28 1,343,301 a------- C:\MGtools.exe
2009-07-18 23:41 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\IObit
2009-07-18 23:41 <DIR> --d----- c:\program files\IObit
2009-07-18 23:22 <DIR> --d----- c:\program files\CCleaner
2009-07-18 21:59 <DIR> --d----- c:\windows\pss
2009-07-18 19:57 <DIR> --d----- c:\program files\Cobian Backup 8
2009-07-18 14:13 0 a------- c:\documents and settings\hp_administrator\settings.dat
2009-07-18 08:18 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-07-18 07:52 <DIR> --d----- c:\windows\system32\appmgmt
2009-07-18 07:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-07-18 07:31 42 a------- c:\windows\system32\AK083E209605E394C.lie
2009-07-18 03:08 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-07-18 02:46 <DIR> --d----- c:\windows\system32\XPSViewer
2009-07-18 02:45 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-07-18 02:45 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-07-18 02:45 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-07-18 02:45 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-07-18 02:45 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-07-18 02:45 117,760 -------- c:\windows\system32\prntvpt.dll
2009-07-18 02:45 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-07-18 02:45 <DIR> --d----- C:\c6a9598b6540b0f367fe4b2eeec2b0
2009-07-18 02:04 917,504 a------- c:\windows\system32\FLASH.OCX
2009-07-18 02:04 <DIR> --dsh--- c:\windows\ftpcache
2009-07-17 15:09 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-07-17 08:57 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2009-07-17 08:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-17 07:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-17 07:38 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-17 07:38 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\SUPERAntiSpyware.com
2009-07-16 12:59 91 a------- c:\windows\system32\geyekrqhyvbvdj.dat
2009-07-16 12:39 18,432 a------- c:\windows\system32\geyekrymrmpjen.dll
2009-07-16 12:39 177,444 a------- c:\windows\system32\geyekrljywfvlo.dat
2009-07-16 12:39 65,536 a------- c:\windows\system32\drivers\geyekrmpbapqqu.sys
2009-07-16 12:39 40,960 a------- c:\windows\system32\geyekrwnkcvxrm.dll
2009-07-12 12:53 54,156 a---h--- c:\windows\QTFont.qfn
2009-07-12 12:53 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2009-08-01 13:30 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 07:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 07:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 12:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 08:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 08:57 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009041320090420\index.dat
2009-04-30 08:57 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009043020090501\index.dat

============= FINISH: 16:25:27.17 ===============




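A small checker, added here as an example (not code from the thread or from the DDS tool), for the SERVICES / DRIVERS section of a DDS log like the one posted above: it flags entries whose binary the log reports as missing ([?]), whose path sits in a temp directory, or whose service name does not match its file name, which is roughly how a responder reads those lines by eye. The sample log lines are constructed, and the heuristics are assumptions about what deserves a second look, not DDS's own logic.

```python
import re

# Constructed sample in the DDS "SERVICES / DRIVERS" format (not a copy of a real log).
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-5-14 731840]
S2 fntmvr;fntmvr;c:\windows\system32\drivers\tuap.sys --> c:\windows\system32\drivers\tuap.sys [?]
S3 esihdrv;esihdrv;\??\c:\docume~1\hp_adm~1\locals~1\temp\esihdrv.sys --> c:\docume~1\hp_adm~1\locals~1\temp\esihdrv.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1d.tmp --> c:\windows\system32\1D.tmp [?]
"""

# One DDS service line: "<state> <name>;<display>;<path>[ --> <resolved>] [<date size>|?]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?: --> (?P<resolved>.+?))? \[(?P<info>[^\]]*)\]$"
)


def parse_services(text):
    """Return every service/driver line of a DDS log as a dict of its fields."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def suspicious_reasons(entry):
    """Assumed triage heuristics; each hit is returned as a reason string."""
    path = (entry["resolved"] or entry["path"]).lower()
    reasons = []
    if entry["info"] == "?":                     # DDS could not find the file on disk
        reasons.append("binary not found on disk ([?])")
    if "\\temp\\" in path:                       # drivers do not belong in %TEMP%
        reasons.append("binary lives in a temp directory")
    base = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if base != entry["name"].lower():            # weak signal on its own, strong with [?]
        reasons.append("service name differs from file name (weak signal)")
    return reasons


def analyze_dds(text):
    """Map service name -> reasons for every entry that trips at least one heuristic."""
    flagged = {}
    for entry in parse_services(text):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged
```

Running `analyze_dds` over a full DDS log leaves the ESET entries alone and surfaces the three dead or temp-resident drivers, the same ones a responder would ask about first.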