
Infected; Google is wonky


  • This topic is locked
24 replies to this topic

#1 Fallen Angel0

Fallen Angel0

  • Members
  • 50 posts
  • Local time:09:35 AM

Posted 05 August 2009 - 08:25 PM

Hello,

I believe I am infected with something I accidentally installed from a popup. >_< I recall seeing a new icon on my desktop with a ".exe" and double-clicking it to see what it was. The next second, my computer froze for a moment, and when it resumed working, the icon was no longer there. I then discovered that when I search on Google, the results page's font is peculiarly enlarged and, upon clicking on a result, a new window opens up. The new window sometimes shows the message "Ooops, this link appears to be broken". But this happens only with some searches; others work fine. That is, the Google result link will take me to the appropriate pages in the same window. Also, just a few minutes ago, my computer suddenly shut down by itself and I was logged off without warning.

Edit: Besides Google links directing me to "broken link" pages, this also just happened with bleepingcomputer.com. After several attempts, I was able to access this site and view my topic. I'm not sure if this is a random occurrence or if only certain sites are problematic. >_< I am also unable to download/upload torrents using Vuze. I would greatly appreciate any help with my problem.

Please and thank you for your time!

Below is my DDS log.


DDS (Ver_09-07-30.01) - NTFSx86
Run by HP_Administrator at 17:53:01.42 on 05/08/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.345 [GMT -7:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ibntxsg.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\rsyncini.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\TEMP\tempo-13328250.tmp
C:\WINDOWS\TEMP\tempo-13328406.tmp
C:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mediaminer.org/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\hp_administrator\tvgs.exe \s,c:\documents and settings\hp_administrator\iwljkb.exe \s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Neopets: {cd292324-974f-4224-d074-caca427aa030} - c:\docume~1\hp_adm~1\desktop\downlo~1\neopet~1\neopets\toolbar\Toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: Neopets: {cd292324-974f-4224-d074-caca427aa030} - c:\docume~1\hp_adm~1\desktop\downlo~1\neopet~1\neopets\toolbar\Toolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {2C688203-7EB3-4327-9995-1CB417BA23F9} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [<NO NAME>]
uRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [PCDrProfiler]
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [URLLSTCK.exe] c:\program files\norton internet security\UrlLstCk.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [UnlockerAssistant] "c:\documents and settings\hp_administrator\desktop\unlocker\UnlockerAssistant.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ibntxsg] c:\windows\system32\ibntxsg.exe \u
mRun: [rgca8mj0et53] c:\windows\system32\qgcc8mj0et53.exe
mRunOnce: [tmp13235437] cmd /Q /C "c:\windows\tmp13235437.bat"
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\hp_administrator\start menu\programs\imvu\Run IMVU.lnk
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
LSP: c:\windows\system32\13226000.dll
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://sympatico.zone.msn.com/bingame/chnz/default/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
TCP: NameServer = 85.255.112.229,85.255.112.140
TCP: {9D8B8646-F360-470E-AB96-706FA3649ACD} = 85.255.112.229,85.255.112.140
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: igfxcui - igfxdev.dll
SSODL: uaLeGtPP - {444E2A57-EEE4-80FD-426D-695E6BBD17FD} - c:\windows\system32\jepjil.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-3-4 185968]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2005-3-4 239216]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-3-4 161392]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\navapsvc.exe [2005-3-24 127088]
R2 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2005-2-4 53896]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20050620.007\NAVENG.Sys [2005-9-27 73760]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20050620.007\NavEx15.Sys [2005-9-27 632000]
R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2005-2-4 324232]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-3-4 83568]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-7-20 33176]
S3 SAVScan;SAVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2005-2-17 198368]

=============== Created Last 30 ================

2009-08-05 17:33 13,312 a---h--- c:\documents and settings\hp_administrator\iwljkb.exe
2009-08-05 17:33 43,520 ----h--- c:\windows\system32\secupdat.dat
2009-08-05 17:32 245 a------- c:\windows\tmp13235437.bat
2009-08-05 17:32 139,264 ---shr-- c:\windows\system32\13226000.dll
2009-08-05 17:32 118,784 a------- c:\windows\system32\sgc98mj0et53.dll
2009-08-05 17:32 80,191 a------- c:\windows\system32\qgcc8mj0et53.exe
2009-08-05 17:32 55,296 a------- c:\windows\system32\ibntxsg.exe
2009-08-05 17:32 55,296 ----h--- c:\documents and settings\hp_administrator\tvgs.exe
2009-08-05 17:31 10 a------- c:\windows\system32\kr_done1
2009-08-05 16:47 87,608 a------- c:\docume~1\hp_adm~1\applic~1\inst.exe
2009-08-05 16:47 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-08-05 16:47 47,360 a------- c:\docume~1\hp_adm~1\applic~1\pcouffin.sys
2009-08-05 16:47 217,127 a------- c:\windows\system32\drv43260.dll
2009-08-05 16:47 208,935 a------- c:\windows\system32\drv33260.dll
2009-08-05 16:47 176,165 a------- c:\windows\system32\drv23260.dll
2009-08-05 16:47 102,439 a------- c:\windows\system32\sipr3260.dll
2009-08-05 16:47 65,602 a------- c:\windows\system32\cook3260.dll
2009-08-05 16:47 1,184,984 a------- c:\windows\system32\wvc1dmod.dll
2009-08-05 16:47 626,688 a------- c:\windows\system32\vp7vfw.dll
2009-08-05 16:47 <DIR> --d----- c:\program files\VSO
2009-07-16 23:43 135,168 a------- c:\windows\system32\igfxres.dll
2009-07-16 15:38 <DIR> --d----- c:\program files\SystemRequirementsLab
2009-07-16 08:55 <DIR> --d----- c:\program files\Perfect World Entertainment
2009-07-15 13:33 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\GetRightToGo
2009-07-13 23:07 248 a------- c:\windows\chromas.ini
2009-07-13 18:08 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-12 15:32 664 a------- c:\windows\system32\d3d9caps.dat
2009-07-11 18:18 552 a------- c:\windows\system32\d3d8caps.dat
2009-07-11 15:02 <DIR> --d----- c:\windows\options
2009-07-11 14:55 <DIR> --d-h--- C:\recycled

==================== Find3M ====================

2009-08-05 17:32 15,872 a------- c:\windows\system32\drivers\beep.sys
2009-07-18 09:05 3,069,440 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 09:05 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-07-13 18:08 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-26 09:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 09:50 666,624 -------- c:\windows\system32\dllcache\wininet.dll
2009-06-26 09:50 620,032 -------- c:\windows\system32\dllcache\urlmon.dll
2009-06-26 09:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-26 09:50 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 07:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 07:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 12:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-23 17:17 7,032 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2009-04-13 20:58 34 a------- c:\documents and settings\hp_administrator\jagex_runescape_preferences.dat
2008-04-29 21:51 0 a------- c:\program files\temp01
2008-03-01 17:08 7,792,648 a------- c:\program files\Azureus 3.0.4.2.exe
2006-09-27 23:19 525,920 a------- c:\program files\CmdHerePowertoySetup.exe
2006-09-07 20:54 10,698,768 a------- c:\program files\sspsetup1_.exe
2006-05-18 23:29 4,789,792 a------- c:\program files\PIcasa.exe
2006-02-22 07:55 402,374,580 a------- c:\program files\SetupRubies095.exe
2006-02-19 19:04 4,038,400 a------- c:\program files\Shockwave_85_Installer_Full.exe
2006-02-16 02:47 72 a------- c:\program files\UnInst.log
2006-02-14 18:13 5,834,344 a------- c:\program files\winzip100.exe
2006-01-23 23:08 251 a------- c:\program files\wt3d.ini
2006-01-16 19:23 1,325,936 a------- c:\program files\DVDFabDecrypter29.exe
2006-01-03 01:49 563,696 a------- c:\program files\GoogleToolbarInstaller.exe
2005-12-31 15:37 11,477,288 a------- c:\program files\DivXPlay.exe
2005-12-29 18:39 8,771,600 a------- c:\program files\sspsetup1_1839229648.exe
2005-12-28 21:38 7,230,264 a------- c:\program files\Azureus_2.3.0.6_Win32.setup.exe
2005-12-28 21:17 2,897,821 a------- c:\program files\bsplayer137.826.exe
2005-12-28 19:24 9,352,392 a------- c:\program files\Install_MSN_Messenger.exe

============= FINISH: 17:53:52.67 ===============



Edited by Fallen Angel0, 06 August 2009 - 01:37 AM.
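The log above carries the indicators a malware-removal helper would pick out by hand: a Winlogon Userinit chain extended with two extra executables, autostart entries (Run, RunOnce, LSP) whose files were created about twenty minutes before the scan, a hard-coded pair of public DNS servers, and processes running from temp folders. The script below is an added example, not code from the thread, the poster or the DDS tool, that automates that triage over a constructed excerpt of the log (lines copied from the post). The rule names, the 24-hour correlation window and the path regex are the example's own choices; a public nameserver is only a lead to verify against the ISP's servers, not proof of tampering.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address

# Sample input: lines excerpted from the DDS log posted in this thread,
# trimmed to the entries the rules below act on (constructed excerpt).
DDS_EXCERPT = r"""
DDS (Ver_09-07-30.01) - NTFSx86
Run by HP_Administrator at 17:53:01.42 on 05/08/2009
============== Running Processes ===============
C:\WINDOWS\system32\ibntxsg.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\rsyncini.exe
C:\WINDOWS\TEMP\tempo-13328250.tmp
============== Pseudo HJT Report ===============
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\hp_administrator\tvgs.exe \s,c:\documents and settings\hp_administrator\iwljkb.exe \s
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ibntxsg] c:\windows\system32\ibntxsg.exe \u
mRun: [rgca8mj0et53] c:\windows\system32\qgcc8mj0et53.exe
mRunOnce: [tmp13235437] cmd /Q /C "c:\windows\tmp13235437.bat"
LSP: c:\windows\system32\13226000.dll
TCP: NameServer = 85.255.112.229,85.255.112.140
=============== Created Last 30 ================
2009-08-05 17:33 13,312 a---h--- c:\documents and settings\hp_administrator\iwljkb.exe
2009-08-05 17:32 245 a------- c:\windows\tmp13235437.bat
2009-08-05 17:32 139,264 ---shr-- c:\windows\system32\13226000.dll
2009-08-05 17:32 80,191 a------- c:\windows\system32\qgcc8mj0et53.exe
2009-08-05 17:32 55,296 a------- c:\windows\system32\ibntxsg.exe
2009-08-05 17:32 55,296 ----h--- c:\documents and settings\hp_administrator\tvgs.exe
2009-07-16 23:43 135,168 a------- c:\windows\system32\igfxres.dll
"""

# Windows path ending in an executable-ish extension; non-greedy so a version directory like ...\5.1.1309.15642\swg.dll matches whole.
PATH_RE = re.compile(r'[a-z]:\\[^,"\r\n]*?\.(?:exe|dll|bat|sys|scr|cmd)', re.I)
CREATED_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\S+\s+\S+\s+(.+)$')
AUTOSTART_PREFIXES = ('uRun:', 'mRun:', 'mRunOnce:', 'mWinlogon:', 'LSP:', 'SSODL:', 'Notify:')
TEMP_MARKERS = ('\\temp\\', '\\locals~1\\temp', '\\windows\\temp')

def split_sections(text):
    """Map each '=== Name ===' banner to its non-blank lines; the preamble is 'header'."""
    sections, current = {}, 'header'
    for line in text.splitlines():
        m = re.match(r'^=+\s*(.+?)\s*=+$', line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line.strip():
            sections.setdefault(current, []).append(line.rstrip())
    return sections

def scan_time(header_lines):
    """Scan timestamp from 'Run by X at HH:MM:SS.ss on DD/MM/YYYY'.  DDS prints the date
    in the machine's locale; this EN_CA log is day/month/year (cf. its 2009-08-05 entries)."""
    for line in header_lines:
        m = re.search(r' at (\d{1,2}:\d{2}):\d{2}\.\d+ on (\d{2}/\d{2}/\d{4})', line)
        if m:
            return datetime.strptime(f'{m.group(2)} {m.group(1)}', '%d/%m/%Y %H:%M')
    raise ValueError('no scan timestamp in header')

def created_index(lines):
    """Lower-cased path -> creation time, from the 'Created Last 30' section."""
    index = {}
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            index[m.group(2).strip().lower()] = datetime.strptime(m.group(1), '%Y-%m-%d %H:%M')
    return index

def triage(text, window_hours=24):
    """Return (rule, detail) findings; rule names and the window are this example's own."""
    sections = split_sections(text)
    when = scan_time(sections.get('header', []))
    created = created_index(sections.get('Created Last 30', []))
    findings = []
    for line in sections.get('Pseudo HJT Report', []):
        # Userinit should be exactly userinit.exe; anything appended also runs at logon.
        if line.startswith('mWinlogon:') and 'Userinit=' in line:
            chain = [p.strip() for p in line.split('Userinit=', 1)[1].split(',') if p.strip()]
            findings += [('userinit_extra', extra) for extra in chain[1:]]
        # Nameservers written into the registry rather than learned from DHCP;
        # a public address is a lead to verify against the ISP, not proof.
        if line.startswith('TCP:') and 'NameServer' in line:
            for ip in re.findall(r'\d+\.\d+\.\d+\.\d+', line):
                if not (ip_address(ip).is_private or ip_address(ip).is_loopback):
                    findings.append(('public_nameserver', ip))
        # Autostart entry whose file appeared within the window before the scan.
        if line.startswith(AUTOSTART_PREFIXES):
            for path in PATH_RE.findall(line):
                born = created.get(path.lower())
                if born and timedelta(0) <= when - born <= timedelta(hours=window_hours):
                    findings.append(('recent_autostart', path.lower()))
    for proc in sections.get('Running Processes', []):
        if any(marker in proc.lower() for marker in TEMP_MARKERS):
            findings.append(('process_from_temp', proc))
    return findings

if __name__ == '__main__':
    for rule, detail in triage(DDS_EXCERPT):
        print(f'{rule:18} {detail}')
```

Run against the excerpt it reports the two Userinit additions, six recently created autostart files (including the LSP DLL and the RunOnce batch file), both nameservers and the two temp-folder processes, while the legitimate igfxpers entry stays quiet because its binary is not among the files created in the window. The correlation rule is the part worth keeping: an autostart pointing at a file born minutes before the scan is suspicious whatever its name looks like, which is more robust than guessing at random-looking filenames.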



#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:12:35 PM

Posted 06 August 2009 - 08:18 PM

Hello.
Welcome to Bleeping Computer. My name is etavares and I will be helping you with your log.

Please give me a little time to go through your log. I'd also like to let you know that I am in training here at BC. At each stage of the process, my work will be checked by an expert coach. That means there may be a slight delay between my responses as they check it. Don't worry, we won't leave you.

Please note that I may have taken this log out of order. As a HJT trainee, I occasionally take logs out of order to further develop my skills. I have a balance of older logs (e.g. first come, first served) and fresh logs. If you are reading this and are still waiting, please be patient. Our volunteers are working as hard as we can to help everyone.

Here's a few things to get started:
  • Please subscribe to this topic, if you haven't already, and wait for me to get back to you.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean.
  • If at any point, you are not sure what I am asking for, please ask me and I can better communicate what I mean.
  • Please reply within 5 days of my last post or the thread will be closed. If you will be away or unable to reply, please let me know in advance so the thread is not closed. We have many folks waiting for help and it is not fair to keep an unresponsive thread open.
  • Please reply to this post so I know you are there.

Thanks!


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:12:35 PM

Posted 07 August 2009 - 09:31 AM

Hello, Fallen Angel0.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall



We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.




Step 1

The log shows that you have been using so-called peer-to-peer or file-sharing programmes (in your case Azureus and Azureus Vuze). These programmes allow users to share files between one another, as the name(s) suggest. In today's world, cyber crime has come a long way, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of their malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with intense care. I recommend that you uninstall this program. That is optional, however. If you decide not to uninstall, please refrain from using it until I let you know your computer is clean.

I also strongly recommend you remove Neopets toolbar as well.

Also, here at Bleeping Computer, we do not recommend automatic registry cleaners. They can cause more issues and do not help your computer run faster, contrary to their claims. In your case, you have UniBlue Registry Booster 2 installed.

As a result, please strongly consider uninstalling any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove.


Neopets
Azureus
Azureus Vuze


Be sure to reboot when done.


Step 2


Next, please update your antivirus definitions. It is very important to keep these up to date as malware is constantly evolving and an updated set of definitions is critical. We'll disable the antivirus in Step 3 while we run Combofix, but it's still a good idea to update now.


Please....
1. Open Norton Internet Security.
2. Under the computer pane, click "Run LiveUpdate" and let it update the definitions.



Step 3


Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message confirming this.


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.


Step 4


In your reply, please post:
  • Combofix Log
  • A new set of DDS logs




#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:12:35 PM

Posted 10 August 2009 - 05:11 PM

Hi Fallen Angel0-

Do you still need help? Please respond within 2 days or the thread may be closed.

Thanks!




#5 Fallen Angel0

Fallen Angel0
  • Topic Starter

  • Members
  • 50 posts
  • Local time:09:35 AM

Posted 12 August 2009 - 10:10 AM

Hello etavares,

Thank you for helping me (my apologies for the late reply! ^^;;). Prior to reading your post, I found it became increasingly more difficult to connect to the internet/load webpages. I became nervous about the type of infection and had disconnected my computer from the internet for a few days. In my blind panic, I did a system recovery (sorry for making unsupervised changes >_< but I was really really worried about the infection and thought I had broken my computer for good) and things seem sort of better now: the internet works. I don't know if the trojan is still active or not and I hope I didn't worsen the situation :)

I would very much appreciate your help in ridding the trojan! I don't think I'll reformat yet ^^;; I don't have my stuff backed up.

Also, should I still continue with the ComboFix? I was about to, but then realized I made unauthorized changes >_<. As well, I couldn't find Azureus or Azureus Vuze in my control panel after the recovery.... But I know it's still installed because I can still download via Vuze at the moment. :thumbup2:

Please and thank you!
Posted below is my new DDS log. I'll also include the Attach.txt.


DDS (Ver_09-07-30.01) - NTFSx86
Run by HP_Administrator at 7:46:01.46 on 12/08/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.461 [GMT -7:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\sm56hlpr.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Documents and Settings\HP_Administrator.YOUR-B27FB1C401\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mediaminer.org/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [PCDrProfiler]
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [URLLSTCK.exe] c:\program files\norton internet security\UrlLstCk.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249619380046
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-3-4 185960]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2005-3-4 239264]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-3-4 177768]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\navapsvc.exe [2005-3-24 127088]
R2 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2005-2-4 53896]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20050620.007\NAVENG.Sys [2005-9-27 73760]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20050620.007\NavEx15.Sys [2005-9-27 632000]
R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2005-2-4 324232]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2005-3-4 83560]
S3 SAVScan;SAVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2005-2-17 198368]

=============== Created Last 30 ================

2009-08-10 15:44 <DIR> --ds---- C:\ComboFix
2009-08-10 15:44 389,120 a------- c:\windows\system32\CF13346.exe
2009-08-08 23:32 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-08-08 23:32 25,856 a------- c:\windows\system32\dllcache\usbprint.sys
2009-08-08 23:32 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-08-08 23:32 15,104 a------- c:\windows\system32\dllcache\usbscan.sys
2009-08-08 23:32 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-08-08 23:32 32,128 a------- c:\windows\system32\dllcache\usbccgp.sys
2009-08-08 20:30 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-08 20:30 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-08 17:54 <DIR> --d----- c:\program files\Java SE Runtime Environment 6u14
2009-08-08 14:47 <DIR> --d----- c:\program files\Comodo FIrewall
2009-08-08 14:42 <DIR> --d----- c:\program files\SymNetDrv
2009-08-08 14:22 <DIR> --d----- c:\windows\system32\appmgmt
2009-08-08 03:04 <DIR> --d----- c:\windows\system32\Adobe
2009-08-07 19:47 27,784 a------- c:\windows\system32\drivers\point32.sys
2009-08-07 19:42 <DIR> --d----- c:\windows\system32\LogFiles
2009-08-07 19:30 <DIR> --d----- c:\program files\Microsoft Comfort Optical Mouse 3000 Intellipoint
2009-08-07 18:07 230 a------- c:\windows\system32\spupdsvc.inf
2009-08-07 16:43 52,224 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-07 16:43 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-08-07 16:43 991,232 -------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-08-07 16:43 459,264 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-08-07 16:43 268,288 -------- c:\windows\system32\dllcache\iertutil.dll
2009-08-07 16:43 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-08-07 16:43 2,452,872 -------- c:\windows\system32\dllcache\ieapfltr.dat
2009-08-07 16:43 380,928 -------- c:\windows\system32\dllcache\ieapfltr.dll
2009-08-07 16:43 63,488 -------- c:\windows\system32\dllcache\icardie.dll
2009-08-07 14:35 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-08-07 14:35 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-08-07 14:35 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-08-07 14:35 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-08-07 14:35 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-08-07 14:35 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-08-07 14:35 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-08-07 14:35 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-08-07 14:35 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-08-07 14:35 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-07 14:35 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-07 14:35 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-07 14:34 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-08-07 14:34 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-08-07 14:34 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-08-07 14:29 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2009-08-07 14:28 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2009-08-07 14:12 203,136 -------- c:\windows\system32\dllcache\rmcast.sys
2009-08-07 14:12 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-08-07 14:08 333,952 -------- c:\windows\system32\dllcache\srv.sys
2009-08-07 14:08 691,712 -------- c:\windows\system32\dllcache\inetcomm.dll
2009-08-07 01:55 138,496 -------- c:\windows\system32\dllcache\afd.sys
2009-08-07 01:38 331,776 -------- c:\windows\system32\dllcache\msadce.dll
2009-08-07 01:19 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-08-07 00:33 940,794 a------- c:\windows\system32\LoopyMusic.wav
2009-08-07 00:33 146,650 a------- c:\windows\system32\BuzzingBee.wav
2009-08-07 00:28 3,069,440 a------- c:\windows\system32\dllcache\mshtml.dll
2009-08-07 00:28 666,624 a------- c:\windows\system32\dllcache\wininet.dll
2009-08-07 00:28 620,032 a------- c:\windows\system32\dllcache\urlmon.dll
2009-08-07 00:28 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-08-07 00:28 78,336 -------- c:\windows\system32\dllcache\ieencode.dll
2009-08-06 23:28 <DIR> --d----- c:\windows\system32\scripting
2009-08-06 23:28 <DIR> --d----- c:\windows\system32\en
2009-08-06 23:28 <DIR> --d----- c:\windows\system32\bits
2009-08-06 23:02 276,992 -------- c:\windows\system32\wmphoto.dll
2009-08-06 23:02 69,120 -------- c:\windows\system32\wlanapi.dll
2009-08-06 23:02 712,704 -------- c:\windows\system32\windowscodecs.dll
2009-08-06 23:02 346,112 -------- c:\windows\system32\windowscodecsext.dll
2009-08-06 23:00 397,312 -------- c:\windows\system32\mmcex.dll
2009-08-06 22:59 15,423 -------- c:\windows\system32\drivers\ch7xxnt5.dll
2009-08-06 22:41 <DIR> --d----- c:\windows\system32\PreInstall
2009-08-06 22:29 <DIR> --d----- c:\program files\MSXML 6.0
2009-08-06 21:36 <DIR> --d----- c:\docume~1\hp_adm~1.you\applic~1\Malwarebytes
2009-08-06 21:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-06 21:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-06 21:33 36,734 a------- c:\windows\system32\OggDSuninst.exe
2009-08-06 21:32 31,768 a------- c:\windows\system32\wucltui.dll.mui
2009-08-06 21:32 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-08-06 21:32 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2009-08-06 21:32 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-08-06 21:32 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-08-06 21:28 <DIR> --d----- c:\docume~1\hp_adm~1.you\applic~1\Neopets Toolbar
2009-08-06 19:32 <DIR> --dshr-- C:\cmdcons
2009-08-06 19:32 <DIR> --d----- c:\windows\setupupd
2009-08-06 19:26 <DIR> --d----- c:\docume~1\hp_adm~1.you\applic~1\Azureus
2009-08-06 19:22 1,859 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_ED906AA-ABA a1224n_YC_0Pavi_QCNH544_E54NAsyMPC2_48_IGoldfish3_SASUSTeK Computer INC._V1.xx_B3.26_T050930_WXP2_L409_M1016_J200_7Intel_8Pentium 4_93.06_#051228_N10EC8139_Z10573052_G80862582.MRK
2009-08-06 19:19 <DIR> --d----- c:\docume~1\hp_adm~1.you\applic~1\Intuit
2009-08-06 19:19 <DIR> --d----- c:\documents and settings\hp_administrator.your-b27fb1c401\WINDOWS
2009-08-06 19:19 <DIR> --d----- c:\docume~1\hp_adm~1.you\applic~1\Symantec
2009-08-06 19:19 <DIR> --d----- c:\documents and settings\HP_Administrator.YOUR-B27FB1C401
2009-08-06 02:41 <DIR> --dshr-- c:\windows\system32\dllcache
2009-08-06 01:53 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 16:47 <DIR> --d----- c:\program files\VSO
2009-07-16 15:38 <DIR> --d----- c:\program files\SystemRequirementsLab
2009-07-16 08:55 <DIR> --d----- c:\program files\Perfect World Entertainment
2009-07-13 23:07 248 a------- c:\windows\chromas.ini

==================== Find3M ====================

2009-08-08 23:37 112,942 a------- c:\windows\hpoins07.dat
2009-08-06 23:32 92,191 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-06 23:31 45,056 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\uninstallui\eHelpSetup.exe
2009-08-06 23:31 287,310 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\HPBasicDetection.dll
2009-08-06 23:31 163,840 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemcheck.dll
2009-08-06 23:31 61,440 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemutil.dll
2009-08-06 23:31 44,032 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\scripts\devcon.exe
2009-08-06 23:31 40,960 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\ScDmi.dll
2009-08-06 23:31 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\uploadHSC.dll
2009-08-06 23:31 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\Scom.dll
2009-06-29 09:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 09:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-26 09:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 07:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 07:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 12:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2008-04-29 21:51 0 a------- c:\program files\temp01
2008-03-01 17:08 7,792,648 a------- c:\program files\Azureus 3.0.4.2.exe
2006-09-27 23:19 525,920 a------- c:\program files\CmdHerePowertoySetup.exe
2006-09-07 20:54 10,698,768 a------- c:\program files\sspsetup1_.exe
2006-05-18 23:29 4,789,792 a------- c:\program files\PIcasa.exe
2006-02-22 07:55 402,374,580 a------- c:\program files\SetupRubies095.exe
2006-02-19 19:04 4,038,400 a------- c:\program files\Shockwave_85_Installer_Full.exe
2006-02-16 02:47 72 a------- c:\program files\UnInst.log
2006-02-14 18:13 5,834,344 a------- c:\program files\winzip100.exe
2006-01-23 23:08 251 a------- c:\program files\wt3d.ini
2006-01-16 19:23 1,325,936 a------- c:\program files\DVDFabDecrypter29.exe
2006-01-03 01:49 563,696 a------- c:\program files\GoogleToolbarInstaller.exe
2005-12-31 15:37 11,477,288 a------- c:\program files\DivXPlay.exe
2005-12-29 18:39 8,771,600 a------- c:\program files\sspsetup1_1839229648.exe
2005-12-28 21:38 7,230,264 a------- c:\program files\Azureus_2.3.0.6_Win32.setup.exe
2005-12-28 21:17 2,897,821 a------- c:\program files\bsplayer137.826.exe
2005-12-28 19:24 9,352,392 a------- c:\program files\Install_MSN_Messenger.exe

============= FINISH: 7:47:13.00 ===============
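As an added example (not from the forum post or from the DDS tool itself), the following Python helper parses the uRun/mRun, BHO/TB and DPF lines of the Pseudo HJT Report above and flags the autorun entries a helper would look at first; the flag names and the last sample line (a constructed Temp-folder launcher) are my own, not from the log.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log (added example)."""
import re
from dataclasses import dataclass, field
from typing import List

# One pattern per entry kind, as DDS prints them in the report above.
_RUN_RE = re.compile(r"^(?P<kind>[um]Run): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
_BHO_RE = re.compile(
    r"^(?P<kind>BHO|TB): (?P<name>.*?): \{(?P<clsid>[0-9a-f-]{36})\} - (?P<path>.*)$", re.I)
_DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9a-f-]{36})\} - (?P<url>\S+)$", re.I)
# First executable/library in a command line, quoted or not. Unquoted DDS paths
# contain spaces, so the cut is made at the file extension rather than at a space.
_EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|dll|scr|cpl))"?(?:\s|$)', re.I)

# Fragments of user-writable locations where legitimate autoruns rarely live.
_USER_WRITABLE = ("c:\\docume~1", "c:\\documents and settings", "\\temp\\")


@dataclass
class Entry:
    kind: str                 # uRun, mRun, BHO, TB or DPF
    name: str                 # registry value name, BHO/toolbar name, or CLSID for DPF
    target: str               # executable or DLL path, or the download URL for DPF
    flags: List[str] = field(default_factory=list)


def _executable(cmd: str) -> str:
    m = _EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def _run_flags(exe: str) -> List[str]:
    """Why a helper would want to look at this entry, if at all."""
    if not exe:
        return ["empty-command"]
    flags = []
    if "\\" not in exe:
        # A bare file name is resolved through the search path at logon, so the
        # file that actually runs has to be located on disk before it is judged.
        flags.append("no-path")
    if any(frag in exe.lower() for frag in _USER_WRITABLE):
        flags.append("user-writable-location")
    return flags


def parse_report(text: str) -> List[Entry]:
    """Parse the uRun/mRun, BHO/TB and DPF lines; all other lines are ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _RUN_RE.match(line):
            exe = _executable(m.group("cmd"))
            entries.append(Entry(m.group("kind"), m.group("name"), exe, _run_flags(exe)))
        elif m := _BHO_RE.match(line):
            path = m.group("path").strip()
            entries.append(Entry(m.group("kind"), m.group("name"), path, _run_flags(path)))
        elif m := _DPF_RE.match(line):
            # DDS defangs URLs as hxxp://; the host is what gets checked against known vendors.
            host = m.group("url").split("//", 1)[-1].split("/", 1)[0]
            entries.append(Entry("DPF", m.group("clsid").upper(), m.group("url"),
                                 ["remote-activex:" + host]))
    return entries


def flagged(entries: List[Entry]) -> List[Entry]:
    """Entries worth a second look; every DPF (downloaded ActiveX) entry is listed."""
    return [e for e in entries if e.flags]


# Sample input: lines copied from the report above, plus one constructed line
# (not from the log) standing in for a launcher placed in the user's Temp folder.
_CONSTRUCTED = r"uRun: [updater] c:\docume~1\hp_adm~1.you\locals~1\temp\updater.exe"
SAMPLE_REPORT = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [PCDrProfiler]
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
""" + _CONSTRUCTED

if __name__ == "__main__":
    for e in flagged(parse_report(SAMPLE_REPORT)):
        print(f"{e.kind:<4} {e.name!r:<50} {e.target}  <- {', '.join(e.flags)}")
```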


#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 12 August 2009 - 08:15 PM

Hello, Fallen Angel0.

Thanks for letting me know what happened; you did the right thing by telling me and stopping. At this point, I'd like to scan with MBAM and with an online antivirus scan to see where we are. System Restore restores the registry and some files, but not all. I'd like to make sure there is not anything still hiding.


Step 1

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Step 2

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now, under Select a target to scan, select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Step 3

We also need to update your antivirus definitions. Malware is constantly evolving and only updated antivirus definitions will keep you protected. This link goes to Norton to update your A/V:
http://service1.symantec.com/SUPPORT/share...lg=en&ct=us

To set up Norton to automatically download the latest information, please download the manual here.
ftp://ftp.symantec.com/public/english_us_...als/NAV2005.pdf

Page 25 and 26 of the manual also show you how to update from within Norton A/V. Norton AV 2005 releases updates weekly to deal with emerging threats. I will counsel you that their newer products release it daily and provide better protection. Several free options also update much more frequently.



Step 4

Your Adobe Reader is out of date. I strongly recommend you update to Adobe Reader 9.1.3. This provides several security updates and new features.

First, I recommend you remove Adobe Reader 7.0.


Please consider uninstalling any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove.

Adobe Reader 7.0


Be sure to reboot when done.


Next, please consider downloading Adobe Reader 9 from here:
http://get.adobe.com/reader/

Then install per their instructions.

As soon as it is installed, Launch Adobe Reader, then select Help then Check for Updates and let it install any updates it finds.



Step 5

In your reply, please post:
  • the MBAM log
  • the Kaspersky online scan log
  • A fresh DDS log


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#7 Fallen Angel0

Fallen Angel0
  • Topic Starter

  • Members
  • 50 posts

Posted 14 August 2009 - 04:16 AM

Hi etavares,

Here are the reports. ^__^

Thank you for helping me.

MBAM Log

Malwarebytes' Anti-Malware 1.40
Database version: 2615
Windows 5.1.2600 Service Pack 3

13/08/2009 9:33:53 AM
mbam-log-2009-08-13 (09-33-53).txt

Scan type: Quick Scan
Objects scanned: 132618
Time elapsed: 20 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\tempo-13328250.tmp (Trojan.PWS) -> Quarantined and deleted successfully.


********************************************************************************
********************************************************************************

Kaspersky Report

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, August 13, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, August 13, 2009 20:49:52
Records in database: 2621911
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Objects scanned: 203396
Threats found: 9
Infected objects found: 9
Suspicious objects found: 0
Scan duration: 04:36:17


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\27004D7E.exe Infected: Trojan-Downloader.Win32.Small.on 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\73EF50A2.htm Infected: Exploit.JS.CVE-2006-1359.c 1
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\tmp192.tmp Infected: Trojan.Win32.Patched.hb 1
C:\Documents and Settings\HP_Administrator\tvgs.exe Infected: Trojan.Win32.Agent.ctif 1
C:\Program Files\Online Services\AOL\United States\AOL90\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\temp\canDc1109.exe Infected: Trojan-Downloader.Win32.Small.buy 1
C:\temp\canDc1109.exe Infected: Trojan-Downloader.Win32.Small.ijp 1
C:\temp\canDc1109.exe Infected: not-a-virus:AdWare.Win32.TTC.d 1
C:\temp\canDc1109.exe Infected: not-a-virus:AdWare.Win32.Rabio.g 1

Selected area has been scanned.



********************************************************************************
********************************************************************************

DDS Log


DDS (Ver_09-07-30.01) - NTFSx86
Run by HP_Administrator at 2:10:30.92 on 14/08/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.689 [GMT -7:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\sm56hlpr.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator.YOUR-B27FB1C401\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mediaminer.org/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [PCDrProfiler]
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [URLLSTCK.exe] c:\program files\norton internet security\UrlLstCk.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249619380046
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-3-4 185704]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2005-3-4 239264]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-3-4 177512]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\navapsvc.exe [2005-3-24 127088]
R2 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2005-2-4 53896]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20050620.007\NAVENG.Sys [2005-9-27 73760]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20050620.007\NavEx15.Sys [2005-9-27 632000]
R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2005-2-4 324232]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2005-3-4 83304]
S3 SAVScan;SAVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2005-2-17 198368]

=============== Created Last 30 ================

2009-08-13 09:39 <DIR> --d----- c:\docume~1\hp_adm~1.you\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-08-12 23:44 <DIR> --d----- c:\docume~1\hp_adm~1.you\applic~1\HPQ
2009-08-12 13:59 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-12 12:34 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-10 15:44 <DIR> --ds---- C:\ComboFix
2009-08-10 15:44 389,120 a------- c:\windows\system32\CF13346.exe
2009-08-08 23:32 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-08-08 23:32 25,856 a------- c:\windows\system32\dllcache\usbprint.sys
2009-08-08 23:32 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-08-08 23:32 15,104 a------- c:\windows\system32\dllcache\usbscan.sys
2009-08-08 23:32 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-08-08 23:32 32,128 a------- c:\windows\system32\dllcache\usbccgp.sys
2009-08-08 20:30 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-08 20:30 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-08 17:54 <DIR> --d----- c:\program files\Java SE Runtime Environment 6u14
2009-08-08 14:47 <DIR> --d----- c:\program files\Comodo FIrewall
2009-08-08 14:42 <DIR> --d----- c:\program files\SymNetDrv
2009-08-08 14:22 <DIR> --d----- c:\windows\system32\appmgmt
2009-08-08 03:04 <DIR> --d----- c:\windows\system32\Adobe
2009-08-07 19:47 27,784 a------- c:\windows\system32\drivers\point32.sys
2009-08-07 19:42 <DIR> --d----- c:\windows\system32\LogFiles
2009-08-07 19:30 <DIR> --d----- c:\program files\Microsoft Comfort Optical Mouse 3000 Intellipoint
2009-08-07 16:43 52,224 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-07 16:43 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-08-07 16:43 991,232 -------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-08-07 16:43 459,264 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-08-07 16:43 268,288 -------- c:\windows\system32\dllcache\iertutil.dll
2009-08-07 16:43 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-08-07 16:43 2,452,872 -------- c:\windows\system32\dllcache\ieapfltr.dat
2009-08-07 16:43 380,928 -------- c:\windows\system32\dllcache\ieapfltr.dll
2009-08-07 16:43 63,488 -------- c:\windows\system32\dllcache\icardie.dll
2009-08-07 14:35 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-08-07 14:35 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-08-07 14:35 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-08-07 14:35 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-08-07 14:35 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-08-07 14:35 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-08-07 14:35 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-08-07 14:35 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-08-07 14:35 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-08-07 14:35 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-07 14:35 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-07 14:35 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-07 14:34 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-08-07 14:34 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-08-07 14:34 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-08-07 14:29 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2009-08-07 14:28 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2009-08-07 14:12 203,136 -------- c:\windows\system32\dllcache\rmcast.sys
2009-08-07 14:12 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-08-07 14:08 333,952 -------- c:\windows\system32\dllcache\srv.sys
2009-08-07 14:08 691,712 -------- c:\windows\system32\dllcache\inetcomm.dll
2009-08-07 01:55 138,496 -------- c:\windows\system32\dllcache\afd.sys
2009-08-07 01:38 331,776 -------- c:\windows\system32\dllcache\msadce.dll
2009-08-07 01:19 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-08-07 00:33 940,794 a------- c:\windows\system32\LoopyMusic.wav
2009-08-07 00:33 146,650 a------- c:\windows\system32\BuzzingBee.wav
2009-08-07 00:28 3,069,440 a------- c:\windows\system32\dllcache\mshtml.dll
2009-08-07 00:28 666,624 a------- c:\windows\system32\dllcache\wininet.dll
2009-08-07 00:28 620,032 a------- c:\windows\system32\dllcache\urlmon.dll
2009-08-07 00:28 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-08-07 00:28 78,336 -------- c:\windows\system32\dllcache\ieencode.dll
2009-08-06 23:28 <DIR> --d----- c:\windows\system32\scripting
2009-08-06 23:28 <DIR> --d----- c:\windows\system32\en
2009-08-06 23:28 <DIR> --d----- c:\windows\system32\bits
2009-08-06 23:02 276,992 -------- c:\windows\system32\wmphoto.dll
2009-08-06 23:02 69,120 -------- c:\windows\system32\wlanapi.dll
2009-08-06 23:02 712,704 -------- c:\windows\system32\windowscodecs.dll
2009-08-06 23:02 346,112 -------- c:\windows\system32\windowscodecsext.dll
2009-08-06 23:00 397,312 -------- c:\windows\system32\mmcex.dll
2009-08-06 22:59 15,423 -------- c:\windows\system32\drivers\ch7xxnt5.dll
2009-08-06 22:41 <DIR> --d----- c:\windows\system32\PreInstall
2009-08-06 22:29 <DIR> --d----- c:\program files\MSXML 6.0
2009-08-06 21:36 <DIR> --d----- c:\docume~1\hp_adm~1.you\applic~1\Malwarebytes
2009-08-06 21:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-06 21:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-06 21:33 36,734 a------- c:\windows\system32\OggDSuninst.exe
2009-08-06 21:32 31,768 a------- c:\windows\system32\wucltui.dll.mui
2009-08-06 21:32 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-08-06 21:32 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2009-08-06 21:32 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-08-06 21:32 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-08-06 21:28 <DIR> --d----- c:\docume~1\hp_adm~1.you\applic~1\Neopets Toolbar
2009-08-06 19:32 <DIR> --dshr-- C:\cmdcons
2009-08-06 19:32 <DIR> --d----- c:\windows\setupupd
2009-08-06 19:26 <DIR> --d----- c:\docume~1\hp_adm~1.you\applic~1\Azureus
2009-08-06 19:22 1,859 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_ED906AA-ABA a1224n_YC_0Pavi_QCNH544_E54NAsyMPC2_48_IGoldfish3_SASUSTeK Computer INC._V1.xx_B3.26_T050930_WXP2_L409_M1016_J200_7Intel_8Pentium 4_93.06_#051228_N10EC8139_Z10573052_G80862582.MRK
2009-08-06 19:19 <DIR> --d----- c:\docume~1\hp_adm~1.you\applic~1\Intuit
2009-08-06 19:19 <DIR> --d----- c:\documents and settings\hp_administrator.your-b27fb1c401\WINDOWS
2009-08-06 19:19 <DIR> --d----- c:\docume~1\hp_adm~1.you\applic~1\Symantec
2009-08-06 19:19 <DIR> --d----- c:\documents and settings\HP_Administrator.YOUR-B27FB1C401
2009-08-06 02:41 <DIR> --dshr-- c:\windows\system32\dllcache
2009-08-06 01:53 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 16:47 <DIR> --d----- c:\program files\VSO
2009-08-05 02:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-17 12:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-16 15:38 <DIR> --d----- c:\program files\SystemRequirementsLab
2009-07-16 08:55 <DIR> --d----- c:\program files\Perfect World Entertainment

==================== Find3M ====================

2009-08-08 23:37 112,942 a------- c:\windows\hpoins07.dat
2009-08-06 23:32 92,191 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-06 23:31 45,056 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\uninstallui\eHelpSetup.exe
2009-08-06 23:31 287,310 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\HPBasicDetection.dll
2009-08-06 23:31 163,840 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemcheck.dll
2009-08-06 23:31 61,440 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemutil.dll
2009-08-06 23:31 44,032 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\scripts\devcon.exe
2009-08-06 23:31 40,960 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\ScDmi.dll
2009-08-06 23:31 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\uploadHSC.dll
2009-08-06 23:31 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\Scom.dll
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 a------- c:\windows\system32\dllcache\wmp.dll
2009-06-29 09:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 09:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-26 09:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 07:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 07:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 05:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 05:31 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 05:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 05:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\dllcache\mstscax.dll
2009-06-10 07:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 07:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-09 23:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-09 23:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 12:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2008-04-29 21:51 0 a------- c:\program files\temp01
2008-03-01 17:08 7,792,648 a------- c:\program files\Azureus 3.0.4.2.exe
2006-09-27 23:19 525,920 a------- c:\program files\CmdHerePowertoySetup.exe
2006-09-07 20:54 10,698,768 a------- c:\program files\sspsetup1_.exe
2006-05-18 23:29 4,789,792 a------- c:\program files\PIcasa.exe
2006-02-22 07:55 402,374,580 a------- c:\program files\SetupRubies095.exe
2006-02-19 19:04 4,038,400 a------- c:\program files\Shockwave_85_Installer_Full.exe
2006-02-16 02:47 72 a------- c:\program files\UnInst.log
2006-02-14 18:13 5,834,344 a------- c:\program files\winzip100.exe
2006-01-23 23:08 251 a------- c:\program files\wt3d.ini
2006-01-16 19:23 1,325,936 a------- c:\program files\DVDFabDecrypter29.exe
2006-01-03 01:49 563,696 a------- c:\program files\GoogleToolbarInstaller.exe
2005-12-31 15:37 11,477,288 a------- c:\program files\DivXPlay.exe
2005-12-29 18:39 8,771,600 a------- c:\program files\sspsetup1_1839229648.exe
2005-12-28 21:38 7,230,264 a------- c:\program files\Azureus_2.3.0.6_Win32.setup.exe
2005-12-28 21:17 2,897,821 a------- c:\program files\bsplayer137.826.exe
2005-12-28 19:24 9,352,392 a------- c:\program files\Install_MSN_Messenger.exe

============= FINISH: 2:11:19.28 ===============

Edited by Fallen Angel0, 14 August 2009 - 04:17 AM.


#8 etavares
  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 15 August 2009 - 06:12 AM

Hello, Fallen Angel0.

Ok, there is still some malware on the machine after the system restore. This is not unexpected, but I wanted to be sure before we ran Combofix.

Step 1

Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.



Step 2

We need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


Step 3

In your reply, please post:
  • the Combofix log at C:\combofix.txt
  • the Root Repeal log
  • A fresh DDS log


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#9 Fallen Angel0
  • Topic Starter
  • Members
  • 50 posts

Posted 17 August 2009 - 09:21 PM

Hi etavares,

I can't seem to disable my Norton Internet Security. ^^; I was following the instructions on http://service1.symantec.com/SUPPORT/nip.n...003071515220236, but on "Step 2: Turn on or turn off Norton Internet Security", when I click "Status & Settings", nothing shows up. I also tried right clicking the icon and disabling it from the System Tray, but according to ComboFix, Norton is still enabled. I think maybe it has to do with the "Internet Explorer Script Error" I get when I open up Norton Internet Security.... Should/could I uninstall it and then proceed with your instructions? ^^;

Thank you for your time and help!

#10 etavares
  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 19 August 2009 - 05:47 PM

Hello, Fallen Angel0.

Sorry for the delay.

Please print this before starting the fix! You'll want to have this handy.

I'd like to get some more information while we proceed.

When you click "Status & Settings", you said nothing shows up. Does Norton have a blank screen, or are the buttons greyed out?

With the Internet Explorer Script error (that seems to be a common problem with Norton), what else does it tell you? Does it also report a "Line", "Char", "Error", "Code" and "URL"? If so, please put that in your next post. Is it immediately after opening Norton, or at some point when you're clicking in it?

Please do the following:

Step 1

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".



Step 2

Please remove all older versions of ComboFix you currently have.
Download a new version of ComboFix from any of the links below and save it to your Desktop.
Now please run ComboFix using these instructions:
  • Close all applications and windows (including this one) so that you have nothing open and are at your Desktop.
  • Go to Start -> Run...
  • Copy the entire contents inside the CODE box below (do NOT copy the word "CODE" from the CODE box!), and paste them into the empty "Open:" box provided:
"%userprofile%\Desktop\ComboFix.exe" /killall
  • Click OK and follow the on-screen prompts. When you click Yes at the prompt to allow ComboFix to download and install the Microsoft Windows Recovery Console, you will get the following prompt: "You do not appear to be connected to the internet. Kindly connect before clicking 'OK'". At that point, do NOT click OK yet, but instead, please do this:
    • Go to Start -> Control Panel -> Network and Internet Connections -> Network Connections
    • Right-click your default connection, usually Local Area Connection or Dial-up Connection (if you are using dial-up), and left-click Repair
    • Once done, click Close and exit the Network Connections window.
  • Now click OK in order to let ComboFix download the Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • When the RC is successfully installed, click Yes to continue scanning for malware.
  • When finished, ComboFix shall produce a log for you (located at C:\ComboFix.txt). Post the entire contents of that report in your next reply for further review, and so we may continue cleansing the system.


Step 3

We need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


Step 4

In your reply, please post:
  • Combofix log (C:\combofix.txt)
  • RootRepeal log
  • Answers to my questions before step 1
  • A fresh DDS log




#11 Fallen Angel0
  • Topic Starter
  • Members
  • 50 posts

Posted 20 August 2009 - 08:07 PM

Hi etavares,

I've included screenshots of the Norton "Status & Settings" window. ^^; It's kinda hard to describe with words. I don't think the buttons are grayed out? If I click "Yes" to continue running the scripts I am still able to navigate to other parts of Norton (i.e. User Accounts, Statistics, etc.) - only the "Status & Settings" page refuses to load.

The Internet Script Error window pops up as soon as I open Norton (it always opens to the "Status & Settings" page).
Line: 257
Char: 9
Error: Automation server can't create object
Code: 0
URL: res://nisplug.dll/10036


I am also unsure of how to remove my old ComboFix. ^^; I just deleted it off my desktop. However, I never received the prompt to allow ComboFix to download/install Microsoft Windows Recovery Console. As well, I didn't get the prompt: "You do not appear to be connected to the internet. Kindly connect before clicking 'OK'". I didn't dare to continue after that.

My apologies. I think I must've botched up somewhere....

Please and thank you for your much appreciated guidance! ^__^


Edited by Fallen Angel0, 20 August 2009 - 08:10 PM.


#12 etavares
  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 23 August 2009 - 06:09 AM

Hi Fallen Angel0-

Please print this before starting the fix!

Sorry for the delay.

Based on that error, it looks like your installation of Norton is corrupted. We'll have to fix that once we do a few more things.

If you already have the recovery console installed, then Combofix will not prompt you to install it. It also will not require an internet connection. Sorry for not making that more clear, but thanks for asking.

Step 1

First, please locate and delete your current copy of Combofix. You can just delete it off your desktop for now, although when you're clean, we'll uninstall it a different way later.

Please download and save to your desktop from one of these two links:
Download ComboFix (ComboFix.exe) - #1
Download ComboFix (ComboFix.exe) - #2

Now please run ComboFix using these instructions:
  • Close all applications and windows (including this one) so that you have nothing open and are at your Desktop.
  • Go to Start -> Run...
  • Copy the entire contents inside the CODE box below (do NOT copy the word "CODE" from the CODE box!), and paste them into the empty "Open:" box provided:
"%userprofile%\Desktop\ComboFix.exe" /killall
  • Click OK and follow the on-screen prompts.
  • When finished, ComboFix shall produce a log for you (located at C:\ComboFix.txt). Post the entire contents of that report in your next reply for further review, and so we may continue cleansing the system.


Step 2

We need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


Step 3

In your reply, please post:
  • Combofix log (C:\combofix.txt)
  • RootRepeal log
  • A fresh DDS log




#13 Fallen Angel0
  • Topic Starter
  • Members
  • 50 posts

Posted 24 August 2009 - 05:13 PM

Hiya etavares,

Here's the combofix log. I'll have the others posted as soon as possible.

As always, thank you for your time! ^__^



ComboFix 09-08-24.05 - HP_Administrator 24/08/2009 14:44.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.680 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator.YOUR-B27FB1C401\Desktop\ComboFix.exe
Command switches used :: /killall
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\Application Data\inst.exe
c:\recycler\S-1-5-21-1811075586-154597650-3245540415-1008
c:\recycler\S-1-5-21-2556186397-2626807359-883424049-1008
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\isgTi19
c:\temp\isgTi19\lPig.log
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-07-24 to 2009-08-24 )))))))))))))))))))))))))))))))
.

2009-08-24 00:56 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-08-24 00:56 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2009-08-24 00:56 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-08-24 00:56 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-08-24 00:56 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-08-24 00:56 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2009-08-21 00:06 . 2009-08-21 00:06 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-B27FB1C401\Local Settings\Application Data\IsolatedStorage
2009-08-21 00:05 . 2009-08-21 00:05 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-B27FB1C401\Local Settings\Application Data\HP
2009-08-15 05:57 . 2005-01-04 09:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2009-08-13 16:39 . 2009-08-13 16:39 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-B27FB1C401\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-08-13 16:11 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\HP_Administrator.YOUR-B27FB1C401\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-13 15:59 . 2009-08-13 16:00 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-08-13 06:44 . 2009-08-13 06:44 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-B27FB1C401\Application Data\HPQ
2009-08-12 20:59 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 16:20 . 2009-08-11 16:20 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-B27FB1C401\Application Data\AdobeUM
2009-08-09 06:32 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-08-09 06:32 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys
2009-08-09 06:32 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-08-09 06:32 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2009-08-09 06:32 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-08-09 06:32 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-08-09 04:02 . 2009-08-09 04:02 152576 ----a-w- c:\documents and settings\HP_Administrator.YOUR-B27FB1C401\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-09 03:59 . 2009-08-09 06:37 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-B27FB1C401\Application Data\HP
2009-08-09 03:37 . 2009-08-09 03:37 -------- d-----w- c:\documents and settings\LocalService\Application Data\Symantec
2009-08-09 03:30 . 2009-07-25 12:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-09 00:54 . 2009-08-09 00:57 -------- d-----w- c:\program files\Java SE Runtime Environment 6u14
2009-08-08 21:47 . 2009-08-08 22:48 -------- d-----w- c:\program files\Comodo FIrewall
2009-08-08 21:42 . 2009-08-08 21:42 -------- d-----w- c:\program files\SymNetDrv
2009-08-08 10:04 . 2009-08-08 10:07 -------- d-----w- c:\windows\system32\Adobe
2009-08-08 02:47 . 2009-01-08 00:57 27784 ----a-w- c:\windows\system32\drivers\point32.sys
2009-08-08 02:42 . 2009-08-08 02:42 -------- d-----w- c:\windows\system32\LogFiles
2009-08-08 02:30 . 2009-08-08 02:46 -------- d-----w- c:\program files\Microsoft Comfort Optical Mouse 3000 Intellipoint
2009-08-07 23:43 . 2009-06-29 16:12 52224 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-07 23:43 . 2009-07-19 13:32 6067200 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-08-07 23:43 . 2009-06-29 16:12 459264 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-08-07 23:43 . 2009-06-29 16:12 268288 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-08-07 23:43 . 2009-06-29 11:07 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-07 23:43 . 2009-06-29 16:12 63488 ------w- c:\windows\system32\dllcache\icardie.dll
2009-08-07 23:43 . 2009-06-29 16:12 380928 ------w- c:\windows\system32\dllcache\ieapfltr.dll
2009-08-07 23:43 . 2009-06-29 08:33 2452872 ------w- c:\windows\system32\dllcache\ieapfltr.dat
2009-08-07 21:35 . 2009-03-06 14:22 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2009-08-07 21:35 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-08-07 21:35 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-08-07 21:35 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-08-07 21:35 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-08-07 21:35 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-08-07 21:35 . 2009-02-09 12:10 729088 ------w- c:\windows\system32\dllcache\lsasrv.dll
2009-08-07 21:35 . 2009-02-09 12:10 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-08-07 21:35 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-08-07 21:35 . 2009-02-06 11:08 2189056 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-07 21:35 . 2009-02-06 11:06 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-07 21:35 . 2009-02-06 10:32 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-07 21:34 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-08-07 21:34 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-08-07 21:29 . 2008-09-04 17:15 1106944 ------w- c:\windows\system32\dllcache\msxml3.dll
2009-08-07 21:28 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2009-08-07 21:12 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2009-08-07 21:12 . 2008-10-24 11:21 455296 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-08-07 21:08 . 2008-12-11 10:57 333952 ------w- c:\windows\system32\dllcache\srv.sys
2009-08-07 21:08 . 2008-04-11 19:04 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll
2009-08-07 08:55 . 2008-08-14 10:04 138496 ------w- c:\windows\system32\dllcache\afd.sys
2009-08-07 08:38 . 2008-05-01 14:33 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2009-08-07 08:19 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2009-08-07 07:28 . 2009-07-18 16:05 3069440 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-08-07 07:28 . 2009-07-18 16:05 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-08-07 07:28 . 2009-06-29 16:12 78336 ------w- c:\windows\system32\dllcache\ieencode.dll
2009-08-07 07:28 . 2009-06-26 16:50 666624 ----a-w- c:\windows\system32\dllcache\wininet.dll
2009-08-07 07:28 . 2009-06-26 16:50 620032 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2009-08-07 06:28 . 2009-08-07 06:28 -------- d-----w- c:\windows\system32\scripting
2009-08-07 06:28 . 2009-08-07 06:28 -------- d-----w- c:\windows\system32\en
2009-08-07 06:28 . 2009-08-07 06:28 -------- d-----w- c:\windows\system32\bits
2009-08-07 06:02 . 2008-04-14 00:12 276992 ------w- c:\windows\system32\wmphoto.dll
2009-08-07 06:02 . 2008-04-14 00:12 69120 ------w- c:\windows\system32\wlanapi.dll
2009-08-07 06:02 . 2008-04-14 00:12 712704 ------w- c:\windows\system32\windowscodecs.dll
2009-08-07 06:02 . 2008-04-14 00:12 346112 ------w- c:\windows\system32\windowscodecsext.dll
2009-08-07 06:00 . 2008-04-14 00:12 33792 ------w- c:\windows\system32\mmcperf.exe
2009-08-07 05:59 . 2008-04-14 00:11 15423 ------w- c:\windows\system32\drivers\ch7xxnt5.dll
2009-08-07 05:30 . 2009-08-08 02:47 -------- dc----w- c:\windows\system32\DRVSTORE
2009-08-07 05:29 . 2009-08-07 05:29 -------- d-----w- c:\program files\MSXML 6.0
2009-08-07 04:36 . 2009-08-07 04:36 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-B27FB1C401\Application Data\Malwarebytes
2009-08-07 04:36 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-07 04:36 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-07 04:33 . 2009-08-07 04:33 36734 ----a-w- c:\windows\system32\OggDSuninst.exe
2009-08-07 04:32 . 2008-10-16 21:09 43544 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 04:28 . 2009-08-07 04:28 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-B27FB1C401\Application Data\Neopets Toolbar
2009-08-07 03:34 . 2009-08-07 03:34 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-B27FB1C401\Local Settings\Application Data\Microsoft Help
2009-08-07 03:28 . 2009-08-14 00:40 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-B27FB1C401\Local Settings\Application Data\Adobe
2009-08-07 02:26 . 2009-08-09 06:37 102160 ----a-w- c:\documents and settings\HP_Administrator.YOUR-B27FB1C401\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-07 02:26 . 2009-08-15 02:48 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-B27FB1C401\Application Data\Azureus
2009-08-07 02:23 . 2009-08-07 02:23 7406 ----a-r- c:\documents and settings\HP_Administrator.YOUR-B27FB1C401\Application Data\Microsoft\Installer\{BE9FEFBA-F2F8-468B-A108-4356F73A3E9C}\_63cb6bfc.exe
2009-08-07 02:23 . 2009-08-07 02:23 1078 ----a-r- c:\documents and settings\HP_Administrator.YOUR-B27FB1C401\Application Data\Microsoft\Installer\{BE9FEFBA-F2F8-468B-A108-4356F73A3E9C}\_6e5d1ad4.exe
2009-08-07 02:17 . 2005-09-28 04:41 -------- d-----w- c:\windows\system32\config\systemprofile\WINDOWS
2009-08-06 09:41 . 2009-08-24 00:56 -------- d-sh--r- c:\windows\system32\dllcache
2009-08-06 08:53 . 2009-08-07 04:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-06 00:32 . 2009-08-06 00:32 55296 ---h--w- c:\documents and settings\HP_Administrator\tvgs.exe
2009-08-05 23:47 . 2009-08-06 09:26 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Vso
2009-08-05 23:47 . 2009-08-06 09:26 47360 ----a-w- c:\documents and settings\HP_Administrator\Application Data\pcouffin.sys
2009-08-05 23:47 . 2009-08-06 09:27 -------- d-----w- c:\program files\VSO
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-24 22:01 . 2005-09-28 05:00 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-21 00:05 . 2009-08-07 02:19 155 ----a-w- c:\documents and settings\HP_Administrator.YOUR-B27FB1C401\Local Settings\Application Data\fusioncache.dat
2009-08-13 16:36 . 2008-07-21 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-13 16:36 . 2008-07-21 02:31 -------- d-----w- c:\program files\NOS
2009-08-09 06:37 . 2005-09-28 04:20 112942 ----a-w- c:\windows\hpoins07.dat
2009-08-09 06:07 . 2007-09-22 06:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-09 04:05 . 2005-09-28 03:54 -------- d-----w- c:\program files\Java
2009-08-09 03:56 . 2005-09-28 05:02 -------- d-----w- c:\program files\Norton Internet Security
2009-08-08 21:43 . 2005-09-28 05:00 -------- d-----w- c:\program files\Symantec
2009-08-08 02:47 . 2009-07-05 21:21 -------- d-----w- c:\program files\Microsoft IntelliPoint
2009-08-08 02:30 . 2008-02-29 10:11 -------- d-----w- c:\program files\XviD
2009-08-08 02:26 . 2005-09-28 04:54 -------- d-----w- c:\program files\Easy Internet signup
2009-08-07 08:43 . 2005-12-29 04:39 -------- d-----w- c:\program files\Azureus
2009-08-07 06:32 . 2004-11-17 11:31 92191 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-08-07 06:31 . 2009-08-07 06:31 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2009-08-07 06:31 . 2009-08-07 06:31 61440 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2009-08-07 06:31 . 2009-08-07 06:31 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2009-08-07 06:31 . 2009-08-07 06:31 40960 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2009-08-07 06:31 . 2009-08-07 06:31 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2009-08-07 06:31 . 2009-08-07 06:31 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2009-08-07 06:31 . 2009-08-07 06:31 287310 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection.dll
2009-08-07 06:31 . 2009-08-07 06:31 163840 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2009-08-07 04:07 . 2009-08-07 02:19 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-B27FB1C401\Application Data\Symantec
2009-08-07 03:44 . 2005-09-28 04:37 -------- d-----w- c:\program files\Microsoft Works
2009-08-07 03:17 . 2005-09-28 04:44 -------- d-----w- c:\program files\Quicken
2009-08-07 02:22 . 2009-08-07 02:22 1859 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_ED906AA-ABA a1224n_YC_0Pavi_QCNH544_E54NAsyMPC2_48_IGoldfish3_SASUSTeK Computer INC._V1.xx_B3.26_T050930_WXP2_L409_M1016_J200_7Intel_8Pentium 4_93.06_#051228_N10EC8139_Z10573052_G80862582.MRK
2009-08-06 08:45 . 2005-12-29 04:42 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Azureus
2009-08-05 09:01 . 2004-08-10 19:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-10 19:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 22:54 . 2005-12-29 00:02 118120 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-16 22:38 . 2009-07-16 22:38 -------- d-----w- c:\program files\SystemRequirementsLab
2009-07-16 19:45 . 2009-07-15 20:33 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\GetRightToGo
2009-07-16 15:55 . 2009-07-16 15:55 -------- d-----w- c:\program files\Perfect World Entertainment
2009-07-13 17:08 . 2004-08-11 02:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-13 03:38 . 2009-07-13 03:38 152576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-29 16:12 . 2004-08-10 19:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-10 19:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-26 16:50 . 2004-08-10 19:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2004-08-10 19:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 19:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-10 19:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-11 02:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 16:19 . 2004-08-10 19:00 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-10 19:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-10 19:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-10 19:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2008-04-30 04:51 . 2008-04-30 04:51 0 ----a-w- c:\program files\temp01
2008-03-02 00:08 . 2008-03-02 00:08 7792648 ----a-w- c:\program files\Azureus 3.0.4.2.exe
2006-09-28 06:19 . 2006-09-28 06:18 525920 ----a-w- c:\program files\CmdHerePowertoySetup.exe
2006-09-08 03:54 . 2006-09-08 03:54 10698768 ----a-w- c:\program files\sspsetup1_.exe
2006-05-19 06:29 . 2006-05-19 06:29 4789792 ----a-w- c:\program files\PIcasa.exe
2006-02-22 14:55 . 2006-02-22 14:54 402374580 ----a-w- c:\program files\SetupRubies095.exe
2006-02-20 02:04 . 2006-02-20 02:04 4038400 ----a-w- c:\program files\Shockwave_85_Installer_Full.exe
2006-02-16 09:47 . 2006-02-16 09:47 72 ----a-w- c:\program files\UnInst.log
2006-02-15 01:13 . 2006-02-15 01:12 5834344 ----a-w- c:\program files\winzip100.exe
2006-01-24 06:08 . 2006-01-24 06:08 251 ----a-w- c:\program files\wt3d.ini
2006-01-17 02:23 . 2006-01-17 02:22 1325936 ----a-w- c:\program files\DVDFabDecrypter29.exe
2006-01-03 08:49 . 2006-01-03 08:47 563696 ----a-w- c:\program files\GoogleToolbarInstaller.exe
2005-12-31 22:37 . 2005-12-31 22:25 11477288 ----a-w- c:\program files\DivXPlay.exe
2005-12-30 01:39 . 2005-12-30 01:39 8771600 ----a-w- c:\program files\sspsetup1_1839229648.exe
2005-12-29 04:38 . 2005-12-29 04:38 7230264 ----a-w- c:\program files\Azureus_2.3.0.6_Win32.setup.exe
2005-12-29 04:17 . 2005-12-29 04:17 2897821 ----a-w- c:\program files\bsplayer137.826.exe
2005-12-29 02:24 . 2005-12-29 02:24 9352392 ----a-w- c:\program files\Install_MSN_Messenger.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-11 59392]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-08 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-08 114688]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-08 49512]
"URLLSTCK.exe"="c:\program files\Norton Internet Security\UrlLstCk.exe" [2005-03-30 22656]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-11 253952]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-08 1468296]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2009-08-08 100056]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2005-01-24 544768]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-9-27 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

.
Contents of the 'Scheduled Tasks' folder

2009-08-07 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2005-05-24 23:46]

2009-08-22 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - HP_Administrator.job
- c:\progra~1\NORTON~1\Navw32.exe [2005-09-24 19:13]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mediaminer.org/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-24 15:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3548)
c:\docume~1\HP_ADM~1.YOU\LOCALS~1\Temp\IadHide5.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCPROXY.EXE
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Norton Internet Security\ISSVC.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-08-24 15:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-24 22:08

Pre-Run: 4,566,392,832 bytes free
Post-Run: 5,548,060,672 bytes free

511 --- E O F --- 2009-08-13 09:15
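The ComboFix log above packs three things a responder actually reads first into a fixed text layout: the "Files Created" entries (timestamps, size, an 8-character attribute field, path), the REGEDIT4-style "Reg Loading Points" dump with the firewall and Security Center values, and the "DLLs Loaded Under Running Processes" list. The script below is an added example, written for this page; it is not the poster's code and not part of ComboFix. It parses those three sections and flags what stands out in this log: an executable with the hidden attribute sitting directly in a profile root (tvgs.exe), a .sys file stored under Application Data, Windows Firewall set to 0 with Security Center monitoring disabled, and a DLL loaded into explorer.exe from a Temp directory. Assumptions: the attribute field positions (d at index 0, h at index 3) are inferred from entries such as `d-sh--r-` and `---h--w-` in the log, the heuristics are this example's own, and the sample lines are copied from the log above. Treat hits as leads, not verdicts; for instance, the firewall policy values are consistent with Norton Internet Security managing the firewall, which the DDS header in the next post confirms is enabled, and the Security Center monitoring keys are commonly set by the third-party product itself.

```python
"""Triage helper for a ComboFix log excerpt (added example; neither the poster's
nor ComboFix's own code). Assumed 'Files Created' line layout:
  <created> . <modified> <size|--------> <attrs> <path>   (attrs: d at 0, h at 3)"""
import re
from typing import Dict, List

FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>\S{8}) (?P<path>.+)$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?:dword:)?(?P<val>[0-9a-fA-F]+)')
PROC_HEAD = re.compile(r"^(?:- )+> '(?P<proc>[^']+)'\((?P<pid>\d+)\)")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")


def parse_file_line(line: str) -> dict:
    """Fields of one 'Files Created' line plus decoded is_dir/hidden bits."""
    m = FILE_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a ComboFix file line: {line!r}")
    entry = m.groupdict()
    entry.update(is_dir=entry["attrs"][0] == "d", hidden=entry["attrs"][3] == "h")
    return entry


def flag_file(entry: dict) -> List[str]:
    """Reasons an executable-type entry deserves a manual look (leads, not verdicts)."""
    path = entry["path"].lower()
    reasons: List[str] = []
    if entry["is_dir"] or not path.endswith(EXEC_EXT):
        return reasons
    if entry["hidden"]:
        reasons.append("hidden attribute set on an executable")
    parts = path.split("\\")  # c:\documents and settings\<user>\<file> has exactly 4 parts
    if len(parts) == 4 and parts[1] == "documents and settings":
        reasons.append("executable dropped directly in a user profile root")
    if "\\temp\\" in path:
        reasons.append("executable in a Temp directory")
    if path.endswith(".sys") and "\\application data\\" in path:
        reasons.append("kernel driver stored under Application Data")
    return reasons


def triage_files(text: str) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons; unflagged entries are omitted."""
    findings: Dict[str, List[str]] = {}
    for line in filter(str.strip, text.splitlines()):
        entry = parse_file_line(line)
        reasons = flag_file(entry)
        if reasons:
            findings[entry["path"]] = reasons
    return findings


def protection_findings(reg_text: str) -> List[str]:
    """Firewall off / Security Center monitoring silenced, from 'Reg Loading Points'."""
    out, section = [], ""
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        m = REG_VALUE.match(line)
        if not m:
            continue
        name, value, leaf = m["name"], int(m["val"], 16), section.rsplit("\\", 1)[-1]
        if name == "EnableFirewall" and value == 0 and "firewallpolicy" in section:
            out.append("Windows Firewall disabled: " + leaf)
        elif name == "DisableMonitoring" and value == 1 and "security center" in section:
            out.append("Security Center monitoring disabled: " + leaf)
    return out


def modules_from_temp(dll_section: str) -> Dict[str, List[str]]:
    """Process -> modules loaded from a Temp directory ('DLLs Loaded Under Running Processes')."""
    out: Dict[str, List[str]] = {}
    proc = ""
    for line in map(str.strip, dll_section.splitlines()):
        head = PROC_HEAD.match(line)
        if head:
            proc = f"{head['proc']}({head['pid']})"
        elif line and "\\temp\\" in line.lower():
            out.setdefault(proc, []).append(line)
    return out

# Constructed samples: lines copied from the ComboFix log above.
SAMPLE_FILES = r"""
2009-08-24 00:56 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-08-06 00:32 . 2009-08-06 00:32 55296 ---h--w- c:\documents and settings\HP_Administrator\tvgs.exe
2009-08-05 23:47 . 2009-08-06 09:26 47360 ----a-w- c:\documents and settings\HP_Administrator\Application Data\pcouffin.sys
"""
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""
SAMPLE_DLLS = r"""
- - - - - - - > 'explorer.exe'(3548)
c:\docume~1\HP_ADM~1.YOU\LOCALS~1\Temp\IadHide5.dll
"""
if __name__ == "__main__":
    for path, why in triage_files(SAMPLE_FILES).items():
        print(path, "->", "; ".join(why))
    print(*protection_findings(SAMPLE_REG), sep="\n")
    for proc, mods in modules_from_temp(SAMPLE_DLLS).items():
        print(proc, "loaded from Temp:", ", ".join(mods))
```

Run it as-is and it reports tvgs.exe (hidden, in the profile root), pcouffin.sys (driver under Application Data), the two protection settings, and IadHide5.dll loaded into explorer.exe from Temp. To use it on a full ComboFix log, paste each section into the matching SAMPLE_* string or read them from the file; the parser raises on any line that does not fit the assumed layout rather than silently skipping it.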

#14 Fallen Angel0 (Topic Starter)

Posted 24 August 2009 - 05:45 PM

And here are the RootRepeal and DDS logs.



RootRepeal Report


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/24 15:15
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\ComboFix\catchme.sys
Address: 0xF7A10000 Size: 31744 File Visible: No Signed: -
Status: -

Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xF7688000 Size: 60416 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA86C000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B58000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP90.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Address: 0xF7B64000 Size: 6464 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8E0E000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x86a10490

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x8685a190

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x86834550

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x867a2128

==EOF==


*************************************************************************
*************************************************************************


DDS Log


DDS (Ver_09-07-30.01) - NTFSx86
Run by HP_Administrator at 15:42:33.67 on 24/08/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.535 [GMT -7:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\sm56hlpr.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Java\jre6\bin\jusched.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\HP_Administrator.YOUR-B27FB1C401\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mediaminer.org/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [URLLSTCK.exe] c:\program files\norton internet security\UrlLstCk.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249619380046
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-3-4 185704]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2005-3-4 239264]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-3-4 177512]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\navapsvc.exe [2005-3-24 127088]
R2 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2005-2-4 53896]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20050620.007\NAVENG.Sys [2005-9-27 73760]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20050620.007\NavEx15.Sys [2005-9-27 632000]
R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2005-2-4 324232]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2005-3-4 83304]
S3 SAVScan;SAVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2005-2-17 198368]

=============== Created Last 30 ================

2009-08-24 15:07 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-08-23 17:56 21,504 a------- c:\windows\system32\hidserv.dll
2009-08-23 17:56 21,504 a------- c:\windows\system32\dllcache\hidserv.dll
2009-08-23 17:56 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-08-23 17:56 14,592 a------- c:\windows\system32\dllcache\kbdhid.sys
2009-08-23 17:56 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-08-23 17:56 10,368 a------- c:\windows\system32\dllcache\hidusb.sys
2009-08-20 17:20 229,376 a------- c:\windows\PEV.exe
2009-08-20 17:20 161,792 a------- c:\windows\SWREG.exe
2009-08-20 17:20 98,816 a------- c:\windows\sed.exe
2009-08-14 22:57 5,174 a------- c:\windows\system32\nppt9x.vxd
2009-08-14 22:57 4,682 a------- c:\windows\system32\npptNT2.sys
2009-08-13 09:39 <DIR> --d----- c:\docume~1\hp_adm~1.you\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-08-12 23:44 <DIR> --d----- c:\docume~1\hp_adm~1.you\applic~1\HPQ
2009-08-12 13:59 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-12 12:34 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-08 23:32 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-08-08 23:32 25,856 a------- c:\windows\system32\dllcache\usbprint.sys
2009-08-08 23:32 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-08-08 23:32 15,104 a------- c:\windows\system32\dllcache\usbscan.sys
2009-08-08 23:32 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-08-08 23:32 32,128 a------- c:\windows\system32\dllcache\usbccgp.sys
2009-08-08 20:30 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-08 20:30 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-08 17:54 <DIR> --d----- c:\program files\Java SE Runtime Environment 6u14
2009-08-08 14:47 <DIR> --d----- c:\program files\Comodo FIrewall
2009-08-08 14:42 <DIR> --d----- c:\program files\SymNetDrv
2009-08-08 14:22 <DIR> --d----- c:\windows\system32\appmgmt
2009-08-08 03:04 <DIR> --d----- c:\windows\system32\Adobe
2009-08-07 19:47 27,784 a------- c:\windows\system32\drivers\point32.sys
2009-08-07 19:42 <DIR> --d----- c:\windows\system32\LogFiles
2009-08-07 19:30 <DIR> --d----- c:\program files\Microsoft Comfort Optical Mouse 3000 Intellipoint
2009-08-07 16:43 52,224 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-07 16:43 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-08-07 16:43 991,232 -------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-08-07 16:43 459,264 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-08-07 16:43 268,288 -------- c:\windows\system32\dllcache\iertutil.dll
2009-08-07 16:43 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-08-07 16:43 2,452,872 -------- c:\windows\system32\dllcache\ieapfltr.dat
2009-08-07 16:43 380,928 -------- c:\windows\system32\dllcache\ieapfltr.dll
2009-08-07 16:43 63,488 -------- c:\windows\system32\dllcache\icardie.dll
2009-08-07 14:35 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-08-07 14:35 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-08-07 14:35 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-08-07 14:35 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-08-07 14:35 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-08-07 14:35 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-08-07 14:35 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-08-07 14:35 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-08-07 14:35 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-08-07 14:35 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-07 14:35 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-07 14:35 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-07 14:34 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-08-07 14:34 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-08-07 14:34 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-08-07 14:29 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2009-08-07 14:28 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2009-08-07 14:12 203,136 -------- c:\windows\system32\dllcache\rmcast.sys
2009-08-07 14:12 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-08-07 14:08 333,952 -------- c:\windows\system32\dllcache\srv.sys
2009-08-07 14:08 691,712 -------- c:\windows\system32\dllcache\inetcomm.dll
2009-08-07 01:55 138,496 -------- c:\windows\system32\dllcache\afd.sys
2009-08-07 01:38 331,776 -------- c:\windows\system32\dllcache\msadce.dll
2009-08-07 01:19 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-08-07 00:33 940,794 a------- c:\windows\system32\LoopyMusic.wav
2009-08-07 00:33 146,650 a------- c:\windows\system32\BuzzingBee.wav
2009-08-07 00:28 3,069,440 a------- c:\windows\system32\dllcache\mshtml.dll
2009-08-07 00:28 666,624 a------- c:\windows\system32\dllcache\wininet.dll
2009-08-07 00:28 620,032 a------- c:\windows\system32\dllcache\urlmon.dll
2009-08-07 00:28 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-08-07 00:28 78,336 -------- c:\windows\system32\dllcache\ieencode.dll
2009-08-06 23:28 <DIR> --d----- c:\windows\system32\scripting
2009-08-06 23:28 <DIR> --d----- c:\windows\system32\en
2009-08-06 23:28 <DIR> --d----- c:\windows\system32\bits
2009-08-06 23:02 276,992 -------- c:\windows\system32\wmphoto.dll
2009-08-06 23:02 69,120 -------- c:\windows\system32\wlanapi.dll
2009-08-06 23:02 712,704 -------- c:\windows\system32\windowscodecs.dll
2009-08-06 23:02 346,112 -------- c:\windows\system32\windowscodecsext.dll
2009-08-06 23:00 397,312 -------- c:\windows\system32\mmcex.dll
2009-08-06 22:59 15,423 -------- c:\windows\system32\drivers\ch7xxnt5.dll
2009-08-06 22:41 <DIR> --d----- c:\windows\system32\PreInstall
2009-08-06 22:29 <DIR> --d----- c:\program files\MSXML 6.0
2009-08-06 21:36 <DIR> --d----- c:\docume~1\hp_adm~1.you\applic~1\Malwarebytes
2009-08-06 21:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-06 21:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-06 21:33 36,734 a------- c:\windows\system32\OggDSuninst.exe
2009-08-06 21:32 31,768 a------- c:\windows\system32\wucltui.dll.mui
2009-08-06 21:32 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-08-06 21:32 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2009-08-06 21:32 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-08-06 21:32 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-08-06 21:28 <DIR> --d----- c:\docume~1\hp_adm~1.you\applic~1\Neopets Toolbar
2009-08-06 19:32 <DIR> --dshr-- C:\cmdcons
2009-08-06 19:32 <DIR> --d----- c:\windows\setupupd
2009-08-06 19:26 <DIR> --d----- c:\docume~1\hp_adm~1.you\applic~1\Azureus
2009-08-06 19:22 1,859 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_ED906AA-ABA a1224n_YC_0Pavi_QCNH544_E54NAsyMPC2_48_IGoldfish3_SASUSTeK Computer INC._V1.xx_B3.26_T050930_WXP2_L409_M1016_J200_7Intel_8Pentium 4_93.06_#051228_N10EC8139_Z10573052_G80862582.MRK
2009-08-06 19:19 <DIR> --d----- c:\docume~1\hp_adm~1.you\applic~1\Intuit
2009-08-06 19:19 <DIR> --d----- c:\documents and settings\hp_administrator.your-b27fb1c401\WINDOWS
2009-08-06 19:19 <DIR> --d----- c:\docume~1\hp_adm~1.you\applic~1\Symantec
2009-08-06 19:19 <DIR> --d----- c:\documents and settings\HP_Administrator.YOUR-B27FB1C401
2009-08-06 02:41 <DIR> --dshr-- c:\windows\system32\dllcache
2009-08-06 01:53 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 16:47 <DIR> --d----- c:\program files\VSO
2009-08-05 02:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-08 23:37 112,942 a------- c:\windows\hpoins07.dat
2009-08-06 23:32 92,191 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-06 23:31 45,056 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\uninstallui\eHelpSetup.exe
2009-08-06 23:31 287,310 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\HPBasicDetection.dll
2009-08-06 23:31 163,840 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemcheck.dll
2009-08-06 23:31 61,440 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemutil.dll
2009-08-06 23:31 44,032 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\scripts\devcon.exe
2009-08-06 23:31 40,960 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\ScDmi.dll
2009-08-06 23:31 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\uploadHSC.dll
2009-08-06 23:31 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\Scom.dll
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-18 09:05 3,069,440 a------- c:\windows\system32\dllcache\cache\mshtml.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 12:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 a------- c:\windows\system32\dllcache\wmp.dll
2009-06-29 09:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 09:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-26 09:50 666,624 a------- c:\windows\system32\dllcache\cache\wininet.dll
2009-06-26 09:50 666,624 -------- c:\windows\system32\wininet.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 07:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 07:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 05:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 05:31 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 05:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 05:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\dllcache\mstscax.dll
2009-06-10 07:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 07:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-09 23:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-09 23:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 12:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2008-04-29 21:51 0 a------- c:\program files\temp01
2008-03-01 17:08 7,792,648 a------- c:\program files\Azureus 3.0.4.2.exe
2006-09-27 23:19 525,920 a------- c:\program files\CmdHerePowertoySetup.exe
2006-09-07 20:54 10,698,768 a------- c:\program files\sspsetup1_.exe
2006-05-18 23:29 4,789,792 a------- c:\program files\PIcasa.exe
2006-02-22 07:55 402,374,580 a------- c:\program files\SetupRubies095.exe
2006-02-19 19:04 4,038,400 a------- c:\program files\Shockwave_85_Installer_Full.exe
2006-02-16 02:47 72 a------- c:\program files\UnInst.log
2006-02-14 18:13 5,834,344 a------- c:\program files\winzip100.exe
2006-01-23 23:08 251 a------- c:\program files\wt3d.ini
2006-01-16 19:23 1,325,936 a------- c:\program files\DVDFabDecrypter29.exe
2006-01-03 01:49 563,696 a------- c:\program files\GoogleToolbarInstaller.exe
2005-12-31 15:37 11,477,288 a------- c:\program files\DivXPlay.exe
2005-12-29 18:39 8,771,600 a------- c:\program files\sspsetup1_1839229648.exe
2005-12-28 21:38 7,230,264 a------- c:\program files\Azureus_2.3.0.6_Win32.setup.exe
2005-12-28 21:17 2,897,821 a------- c:\program files\bsplayer137.826.exe
2005-12-28 19:24 9,352,392 a------- c:\program files\Install_MSN_Messenger.exe

============= FINISH: 15:42:50.42 ===============

Edited by Fallen Angel0, 24 August 2009 - 05:47 PM.


#15 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts

Posted 25 August 2009 - 03:44 PM

Hello, Fallen Angel0.
It's looking a lot better...how's it running now? Please stay with me until I literally give you the "All Clear" as we still have a lot of work to do.



Step 1

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

http://www.bleepingcomputer.com/forums/t/247162/infected;-google-is-wonky/

Collect::
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\tmp192.tmp
C:\Documents and Settings\HP_Administrator\tvgs.exe
C:\temp\canDc1109.exe
c:\program files\temp01

DDS::
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-

Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Step 2

Your A/V definitions are out of date. Do you have an active subscription? If yes, please update. If no, I can recommend some great free firewalls and antivirus software. It is really important to keep the definitions up to date. Most antivirus programs update at least daily, if not more frequently. Unfortunately, Norton Antivirus 2005 only updates weekly as it is older and not as actively supported. I strongly urge you to purchase a new version, or let me know and I can provide free software.

If you are not sure how to update, please see this link:
http://service1.symantec.com/SUPPORT/nav.n...lg=en&ct=us




Step 3

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".



Step 4

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


Step 5

Please reply back with the following:
  • C:\combofix.txt
  • C:\qoobox\Add-Remove Programs.txt
  • ESET scan results


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
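The post above turns the DDS "Created Last 30" and "Find3M" listings into a Collect:: list for ComboFix by eye. The parser and triage heuristics below are an added example, not code from the thread, from DDS or from ComboFix: they read those two sections of a DDS log and flag the kinds of entries a helper looks for by hand (an executable dropped directly in a user profile root or in a temp directory, a zero-byte placeholder file, a system32 file with no dllcache twin of the same size, which is how Windows Update and SFC normally leave a patched file). The embedded sample mixes lines copied from the log above with constructed lines for the three paths in the Collect:: list; their dates and sizes are assumed. The TOOL_ARTIFACTS allowlist and every rule are the example's own assumptions, and a flag is a lead to verify, not a verdict.

```python
"""Triage helper for the file sections of a DDS log (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One file line of a 'Created Last 30' / 'Find3M' section, e.g.
#   2009-08-20 17:20 229,376 a------- c:\windows\PEV.exe
#   2009-08-06 19:32 <DIR> --dshr-- C:\cmdcons
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[a-z-]{6,10})\s+(?P<path>.+)$"
)
SECTION_RE = re.compile(r"^=+\s*(?P<name>[^=]+?)\s*=+$")
FILE_SECTIONS = {"Created Last 30", "Find3M"}

EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".vxd", ".com", ".pif", ".bat", ".cmd"}
TEMP_MARKERS = ("c:\\temp\\", "\\local settings\\temp\\", "c:\\windows\\temp\\")
# Assumed allowlist: files the cleanup tools themselves drop (ComboFix puts
# PEV.exe, SWREG.exe and sed.exe in c:\windows; Malwarebytes installs mbam*.sys).
TOOL_ARTIFACTS = {
    "c:\\windows\\pev.exe", "c:\\windows\\swreg.exe", "c:\\windows\\sed.exe",
    "c:\\windows\\system32\\drivers\\mbam.sys",
    "c:\\windows\\system32\\drivers\\mbamswissarmy.sys",
}
PROFILE_ROOT_RE = re.compile(r"^c:\\documents and settings\\[^\\]+$")
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\system32\\drivers")


@dataclass
class Entry:
    section: str
    date: str
    time: str
    size: Optional[int]   # None for <DIR> lines
    attrs: str
    path: str

    @property
    def lpath(self) -> str:
        return self.path.lower()

    @property
    def name(self) -> str:
        return self.lpath.rsplit("\\", 1)[-1]

    @property
    def ext(self) -> str:
        return self.name[self.name.rfind("."):] if "." in self.name else ""

    @property
    def parent(self) -> str:
        return self.lpath.rsplit("\\", 1)[0]


def parse_dds(text: str) -> List[Entry]:
    """Collect the file entries of the 'Created Last 30' and 'Find3M' sections."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        m = LINE_RE.match(line)
        if m and section in FILE_SECTIONS:
            size = None if m.group("size") == "<DIR>" else int(m.group("size").replace(",", ""))
            entries.append(Entry(section, m.group("date"), m.group("time"),
                                 size, m.group("attrs"), m.group("path")))
    return entries


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each suspicious path to the list of reasons it was flagged."""
    by_path = {e.lpath: e for e in entries}
    findings: Dict[str, List[str]] = {}
    for e in entries:
        if e.size is None or e.lpath in TOOL_ARTIFACTS:
            continue
        reasons = []
        if any(marker in e.lpath for marker in TEMP_MARKERS):
            reasons.append("file in a temp directory")
        if e.ext in EXEC_EXT and PROFILE_ROOT_RE.match(e.parent):
            reasons.append("executable directly in a user profile root")
        if e.size == 0:
            reasons.append("zero-byte file")
        if e.ext in EXEC_EXT and e.parent in SYSTEM_DIRS:
            # A file Windows Update/SFC installed normally has a dllcache copy
            # of identical size; a lone system file deserves a closer look.
            twin = by_path.get("c:\\windows\\system32\\dllcache\\" + e.name)
            if twin is None or twin.size != e.size:
                reasons.append("system file with no matching dllcache copy")
        if reasons:
            findings[e.path] = reasons
    return findings


# Constructed sample: real lines from the log above plus assumed lines for the
# three Collect:: paths (dates and sizes of those three are made up).
SAMPLE_LOG = r"""
=============== Created Last 30 ================

2009-08-23 17:56 21,504 a------- c:\windows\system32\hidserv.dll
2009-08-23 17:56 21,504 a------- c:\windows\system32\dllcache\hidserv.dll
2009-08-20 17:20 229,376 a------- c:\windows\PEV.exe
2009-08-14 22:57 4,682 a------- c:\windows\system32\npptNT2.sys
2009-08-06 21:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-06 19:32 <DIR> --dshr-- C:\cmdcons
2009-08-05 20:10 61,440 a------- c:\documents and settings\hp_administrator\tvgs.exe
2009-08-05 20:09 61,440 a------- c:\temp\canDc1109.exe
2009-08-05 20:09 1,024 a------- c:\documents and settings\hp_administrator\local settings\temp\tmp192.tmp

==================== Find3M ====================

2008-04-29 21:51 0 a------- c:\program files\temp01
2008-03-01 17:08 7,792,648 a------- c:\program files\Azureus 3.0.4.2.exe

============= FINISH: 15:42:50.42 ===============
"""

if __name__ == "__main__":
    for path, why in triage(parse_dds(SAMPLE_LOG)).items():
        print(f"{path}\n    {'; '.join(why)}")
```

Run against the sample, the script flags the three Collect:: paths plus the zero-byte c:\program files\temp01 and the lone npptNT2.sys, and stays silent on hidserv.dll (it has a dllcache twin of the same size), on the ComboFix and Malwarebytes files, and on the installer the user left in Program Files. The dllcache rule is the one worth keeping in mind when reading the "Created Last 30" block above: paired system32/dllcache lines with identical sizes are the signature of a Windows update, not of a dropper.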