
Infected with XP Internet Security 2010 and Background Audio Ads


  • This topic is locked
53 replies to this topic

#1 astoria718

astoria718

  • Members
  • 33 posts
  • OFFLINE
  • Local time:07:40 AM

Posted 14 March 2010 - 10:43 AM

Hi,
I've been fighting this for over a week now. First it was Internet Security 2010 and AntiMalware Defender. I was getting messages that I didn't have permission to edit the registry ("registry editor has been disabled by your administrator") and I couldn't start in safe mode (still can't). The regtool script is able to get me to registry editor again, but I have to run it every time I restart.

I ran Malwarebytes, Spybot S&D, Ad-Aware, Glary Utilities, Registry Mechanic, and CCleaner. I thought I had fixed it - for about a day. Then the background audio ads started. IE and acrotray were starting in the Task Manager, so I also uninstalled as much of Internet Explorer as I could through the Control Panel/Add-Remove Programs/Add-Remove Windows Components. I also removed all instances of iexplore.exe on my computer. Even then, IE windows would open with pop-up ads. And now XP Internet Security 2010 won't stop.

Gmer ran for 8 hours yesterday before freezing. I ran it again overnight. I almost lost the report again because there were so many XP Internet Security 2010 windows in front of gmer, and they kept freezing when I tried to close them to get back to gmer. But I think I have everything you ask for. (The DDS and Attach logs are from yesterday - should I run newer ones since gmer took so long?)

Thank you so much for your help!!
astoria718




DDS (Ver_09-12-01.01) - NTFSx86
Run by HP_Administrator at 13:05:36.71 on Sat 03/13/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1472 [GMT -5:00]

AV: Norton AntiVirus *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
uWindow Title = Road Runner High Speed Online
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GGLL_en
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
mRun: [Adobe_Reader] c:\program files\internet explorer\wmpscfgs.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableRegistryTools = 1 (0x1)
Trusted Zone: trymedia.com
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - hxxp://outlook.chambermusicsociety.org/tsweb/msrdp.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
AppInit_DLLs: app_dll.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\3zm6ebh2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\documents and settings\hp_administrator\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-23 64288]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-5-21 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-19 99376]
S0 azvil;azvil; [x]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20080918.057\NAVENG.SYS [2008-9-19 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20080918.057\NAVEX15.SYS [2008-9-19 873552]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-7-20 1245064]
S3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2006-7-20 468768]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-1-25 149864]
S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-1-25 149864]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1229232]
S4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-1-25 149864]

=============== Created Last 30 ================

2010-03-13 18:05:37 4 ----a-w- c:\program files\492625.dat
2010-03-13 17:56:37 4 ----a-w- c:\program files\298031.dat
2010-03-13 17:00:01 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-13 16:58:56 94208 ----a-w- c:\windows\system32\app_dll.dll
2010-03-13 16:58:47 43008 ----a-w- c:\documents and settings\hp_administrator\rundll32.exe
2010-03-12 02:50:51 94208 ----a-w- c:\windows\system32\app_dll.dll.118343.old
2010-03-11 01:37:47 230 ----a-w- c:\windows\system32\spupdsvc.inf
2010-03-05 20:14:49 0 d-----w- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2010-03-05 20:14:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-05 20:14:45 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-05 20:14:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-05 20:14:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-05 19:31:43 4 ----a-w- c:\program files\152109.dat
2010-03-05 18:36:10 4 ----a-w- c:\program files\538906.dat
2010-03-05 18:24:12 4 ----a-w- c:\program files\1181703.dat
2010-03-05 18:00:03 8 --sha-r- c:\documents and settings\hp_administrator\ntuser.pol
2010-03-05 17:58:53 0 d--h--w- c:\windows\system32\GroupPolicy
2010-03-05 17:51:11 4 ----a-w- c:\program files\3211968.dat
2010-03-05 17:22:47 4 ----a-w- c:\program files\1508203.dat
2010-03-05 17:22:44 4 ----a-w- c:\program files\1504953.dat
2010-03-05 17:22:44 4 ----a-w- c:\program files\1504734.dat
2010-03-05 17:22:44 4 ----a-w- c:\program files\1504703.dat
2010-03-05 17:22:43 4 ----a-w- c:\program files\1504078.dat
2010-03-05 17:22:43 4 ----a-w- c:\program files\1503859.dat
2010-03-05 17:22:42 4 ----a-w- c:\program files\1503531.dat
2010-03-05 17:22:42 4 ----a-w- c:\program files\1503468.dat
2010-03-05 17:01:18 43008 ----a-w- c:\documents and settings\hp_administrator\nwiz.exe
2010-03-05 17:01:18 43008 ----a-w- c:\documents and settings\hp_administrator\nwiz .exe
2010-03-05 17:01:11 43008 ----a-w- c:\documents and settings\hp_administrator\rthdcpl.exe
2010-03-05 17:01:11 43008 ----a-w- c:\documents and settings\hp_administrator\rthdcpl .exe
2010-03-05 17:01:00 43008 ----a-w- c:\documents and settings\hp_administrator\rundll32 .exe
2010-03-05 16:24:16 25214 --sha-w- c:\windows\system32\4eaa9a75-8a64-4313-ad5b-42d6a155ee63_24.ico
2010-03-05 16:23:09 296960 ----a-w- c:\windows\odbns.exe
2010-03-05 16:23:09 296960 ----a-w- c:\windows\odbns .exe
2010-03-05 16:23:08 353792 ----a-w- c:\windows\lsass .exe
2010-03-05 16:23:08 300032 ----a-w- c:\windows\svc .exe
2010-02-26 00:03:48 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-26 00:03:48 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-26 00:03:48 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-02-24 01:04:37 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-24 00:39:45 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-24 00:39:35 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-24 00:37:49 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-24 00:37:21 0 d-----w- c:\program files\Lavasoft

==================== Find3M ====================

2010-01-25 00:12:10 1411864 ----a-w- c:\windows\fonts\addlethorpe 1.otf
2010-01-24 22:26:58 39736 ----a-w- c:\windows\fonts\Duet.ttf
2010-01-24 22:25:49 46412 ----a-w- c:\windows\fonts\Duet-Regular.ttf
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2010-01-05 10:00:21 63488 ------w- c:\windows\system32\dllcache\icardie.dll
2010-01-05 10:00:21 380928 ------w- c:\windows\system32\dllcache\ieapfltr.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\dllcache\wininet.dll
2009-12-22 05:21:03 627712 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2009-12-22 05:21:02 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-12-22 05:21:00 3071488 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll

============= FINISH: 13:05:44.10 ===============

Attached Files
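The DDS output above (and the follow-up log later in this thread) carries several classic persistence and lockout indicators: an AppInit_DLLs entry, DisableRegistryTools set to 1, a service registered with no file on disk, executables dropped in the user profile root, and system-binary names padded with a space before ".exe". As an added illustration that is not part of this thread or of the DDS tool, the Python script below runs a small set of defender-side triage checks over DDS-style lines. The sample input is constructed from values in the logs posted above; the function names, the heuristics and the regular expressions are my own and are deliberately narrow (they flag only what is visible in these logs, not everything DDS can report).

```python
import re

# Constructed sample input: lines modelled on the DDS sections posted in this thread
# (Pseudo HJT Report, File Associations, Services/Drivers, Created Last 30).
# The values are copied from the logs above; the selection and ordering are mine.
SAMPLE_DDS = """\
mWinlogon: Shell=Explorer.exe rundll32.exe evuq.kjo ifxsojl
mRun: [NvCplDaemon] RUNDLL32.EXE c:\\windows\\system32\\NvCpl.dll,NvStartup
mRun: [<NO NAME>]
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
AppInit_DLLs: app_dll.dll
.exe=secfile
S0 azvil;azvil; [x]
R0 Lbd;Lbd;c:\\windows\\system32\\drivers\\Lbd.sys [2010-2-23 64288]
2010-03-05 16:23:08 353792 ----a-w- c:\\windows\\lsass .exe
2010-03-13 16:58:47 43008 ----a-w- c:\\documents and settings\\hp_administrator\\rundll32.exe
2010-02-24 00:39:45 64288 ----a-w- c:\\windows\\system32\\drivers\\Lbd.sys
"""

# Policy values that lock the user out of their own tools when set to a non-zero value.
LOCKOUT_POLICIES = {"DisableRegistryTools", "DisableTaskMgr", "DisableCMD"}

# Expected defaults: any other Winlogon shell or .exe handler is a persistence hook.
EXPECTED_SHELL = "explorer.exe"
EXPECTED_EXE_HANDLER = "exefile"

# File-list line: "<date> <time> <size> <attrs> <path>"
FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \d+ \S+ (.+)$")
# Executable sitting directly in an XP profile root (c:\documents and settings\<user>\x.exe).
PROFILE_ROOT_EXE = re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+\.exe$", re.I)


def triage_line(line):
    """Return a list of finding strings for one DDS log line (empty if nothing notable)."""
    s = line.strip()
    findings = []
    if not s:
        return findings

    # Winlogon Shell should be exactly Explorer.exe; extra commands run at every logon.
    m = re.match(r"^[umd]Winlogon:\s*Shell=(.*)$", s, re.I)
    if m and m.group(1).strip().lower() != EXPECTED_SHELL:
        findings.append("Winlogon Shell changed: " + m.group(1).strip())

    # AppInit_DLLs is loaded into every process that links user32.dll.
    m = re.match(r"^AppInit_DLLs:\s*(\S.*)$", s, re.I)
    if m:
        findings.append("AppInit_DLLs loads into every GUI process: " + m.group(1).strip())

    # A redirected .exe association lets the handler intercept every program launch.
    m = re.match(r"^\.exe=(.+)$", s, re.I)
    if m and m.group(1).strip().lower() != EXPECTED_EXE_HANDLER:
        findings.append(".exe association redirected to: " + m.group(1).strip())

    # Lockout policies (registry editor, task manager) set to a non-zero value.
    m = re.match(r"^[umd]Policies-system:\s*(\w+)\s*=\s*(\d+)", s, re.I)
    if m and m.group(1) in LOCKOUT_POLICIES and m.group(2) != "0":
        findings.append("policy lockout: " + m.group(1) + " = " + m.group(2))

    # A Run entry with no command often means a value DDS could not render (e.g. binary data).
    m = re.match(r"^[umd]Run:\s*\[(.*?)\]\s*(.*)$", s, re.I)
    if m and not m.group(2).strip():
        findings.append("Run entry with no command: [" + m.group(1) + "]")

    # DDS prints "[x]" for a service or driver whose image file does not exist.
    m = re.match(r"^[RS]\d\s+([^;]+);[^;]*;\s*\[x\]\s*$", s)
    if m:
        findings.append("service/driver registered with no file on disk: " + m.group(1))

    # File-list heuristics: "lsass .exe" style padding, or an .exe in the profile root.
    m = FILE_LINE.match(s)
    if m:
        path = m.group(1)
        if re.search(r"\s\.exe$", path, re.I):
            findings.append("executable name padded with a space: " + path)
        elif PROFILE_ROOT_EXE.match(path):
            findings.append("executable dropped in profile root: " + path)
    return findings


def triage(text):
    """Run triage_line over a whole DDS log; returns a list of (line, finding) pairs."""
    results = []
    for line in text.splitlines():
        for finding in triage_line(line):
            results.append((line.strip(), finding))
    return results


if __name__ == "__main__":
    for line, finding in triage(SAMPLE_DDS):
        print(finding)
        print("    " + line)
```

The checks are intentionally conservative: a benign log produces no output, and each finding names the log line it came from so the reader can verify it by hand. Anything this script flags is a reason to read the surrounding section of the log, not a verdict on its own.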





#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:02:40 PM

Posted 17 March 2010 - 08:27 AM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle
Can you hear it? It's all around!

Do you remember? If you do, then can you forgive?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 astoria718

astoria718
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:07:40 AM

Posted 18 March 2010 - 07:15 AM

Thank you, Elle!
Things have not changed, except that Firefox may now be redirecting sometimes from Google search results. Here are my new logs - I had to let GMER run overnight again.
Thanks





DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Administrator at 22:08:34.67 on Wed 03/17/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1495 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\av.exe
C:\Documents and Settings\HP_Administrator\rundll32.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
uWindow Title = Road Runner High Speed Online
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GGLL_en
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: Shell=Explorer.exe rundll32.exe evuq.kjo ifxsojl
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
mRun: [Adobe_Reader] c:\program files\internet explorer\wmpscfgs.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\adobe acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableRegistryTools = 1 (0x1)
Trusted Zone: trymedia.com
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - hxxp://outlook.chambermusicsociety.org/tsweb/msrdp.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
AppInit_DLLs: app_dll.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\3zm6ebh2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\documents and settings\hp_administrator\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-23 64288]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-5-21 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-19 99376]
S0 azvil;azvil; [x]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20080918.057\NAVENG.SYS [2008-9-19 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20080918.057\NAVEX15.SYS [2008-9-19 873552]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-7-20 1245064]
S3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2006-7-20 468768]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-1-25 149864]
S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-1-25 149864]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1229232]
S4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-1-25 149864]

============== File Associations ===============

.exe=secfile

=============== Created Last 30 ================

2010-03-17 23:24:33 19968 ----a-w- c:\windows\system32\evuq.kjo
2010-03-14 19:11:57 0 d-----w- C:\AITEMP
2010-03-13 17:56:37 4 ----a-w- c:\program files\298031.dat
2010-03-13 17:00:01 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-13 16:58:56 94208 ----a-w- c:\windows\system32\app_dll.dll.7372578.old
2010-03-13 16:58:56 94208 ----a-w- c:\windows\system32\app_dll.dll.137281.old
2010-03-13 16:58:56 94208 ----a-w- c:\windows\system32\app_dll.dll.137078.old
2010-03-13 16:58:56 94208 ----a-w- c:\windows\system32\app_dll.dll.125656.old
2010-03-13 16:58:56 94208 ----a-w- c:\windows\system32\app_dll.dll
2010-03-13 16:58:47 43008 ----a-w- c:\documents and settings\hp_administrator\rundll32.exe.delme115
2010-03-13 16:58:47 43008 ----a-w- c:\documents and settings\hp_administrator\rundll32.exe
2010-03-12 02:50:51 94208 ----a-w- c:\windows\system32\app_dll.dll.118343.old
2010-03-11 01:37:47 230 ----a-w- c:\windows\system32\spupdsvc.inf
2010-03-05 20:14:49 0 d-----w- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2010-03-05 20:14:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-05 20:14:45 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-05 20:14:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-05 20:14:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-05 19:31:43 4 ----a-w- c:\program files\152109.dat
2010-03-05 18:36:10 4 ----a-w- c:\program files\538906.dat
2010-03-05 18:24:12 4 ----a-w- c:\program files\1181703.dat
2010-03-05 18:00:03 8 --sha-r- c:\documents and settings\hp_administrator\ntuser.pol
2010-03-05 17:58:53 0 d--h--w- c:\windows\system32\GroupPolicy
2010-03-05 17:51:11 4 ----a-w- c:\program files\3211968.dat
2010-03-05 17:22:47 4 ----a-w- c:\program files\1508203.dat
2010-03-05 17:22:44 4 ----a-w- c:\program files\1504953.dat
2010-03-05 17:22:44 4 ----a-w- c:\program files\1504734.dat
2010-03-05 17:22:44 4 ----a-w- c:\program files\1504703.dat
2010-03-05 17:22:43 4 ----a-w- c:\program files\1504078.dat
2010-03-05 17:22:43 4 ----a-w- c:\program files\1503859.dat
2010-03-05 17:22:42 4 ----a-w- c:\program files\1503531.dat
2010-03-05 17:22:42 4 ----a-w- c:\program files\1503468.dat
2010-03-05 17:01:18 43008 ----a-w- c:\documents and settings\hp_administrator\nwiz.exe
2010-03-05 17:01:18 43008 ----a-w- c:\documents and settings\hp_administrator\nwiz .exe
2010-03-05 17:01:11 43008 ----a-w- c:\documents and settings\hp_administrator\rthdcpl.exe
2010-03-05 17:01:11 43008 ----a-w- c:\documents and settings\hp_administrator\rthdcpl .exe
2010-03-05 16:24:16 25214 --sha-w- c:\windows\system32\4eaa9a75-8a64-4313-ad5b-42d6a155ee63_24.ico
2010-03-05 16:23:09 296960 ----a-w- c:\windows\odbns.exe
2010-03-05 16:23:09 296960 ----a-w- c:\windows\odbns .exe
2010-03-05 16:23:08 353792 ----a-w- c:\windows\lsass .exe
2010-03-05 16:23:08 300032 ----a-w- c:\windows\svc .exe
2010-02-26 00:03:48 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-26 00:03:48 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-26 00:03:48 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-02-24 01:04:37 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-24 00:39:45 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-24 00:39:35 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-24 00:37:49 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-24 00:37:21 0 d-----w- c:\program files\Lavasoft

==================== Find3M ====================

2010-01-25 00:12:10 1411864 ----a-w- c:\windows\fonts\addlethorpe 1.otf
2010-01-24 22:26:58 39736 ----a-w- c:\windows\fonts\Duet.ttf
2010-01-24 22:25:49 46412 ----a-w- c:\windows\fonts\Duet-Regular.ttf
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2010-01-05 10:00:21 63488 ------w- c:\windows\system32\dllcache\icardie.dll
2010-01-05 10:00:21 380928 ------w- c:\windows\system32\dllcache\ieapfltr.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\dllcache\wininet.dll
2009-12-22 05:21:03 627712 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2009-12-22 05:21:02 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-12-22 05:21:00 3071488 ----a-w- c:\windows\system32\dllcache\mshtml.dll

============= FINISH: 22:08:58.12 ===============

Attached Files
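An added example, not part of this thread and not a BleepingComputer, DDS or ComboFix tool: a Python triage script that reads timestamped file entries in the DDS format above, and in the ComboFix format the poster supplies later in the thread, and flags the indicators a malware-response helper reads out of them. It looks for executables whose name carries a space before the extension (`nwiz .exe`, `lsass .exe` beside the real files), system-binary names living outside system32 (`rundll32.exe` in the user profile), a cluster of unrelated executables that all share one file size (43008 bytes here, the sign that one dropper has replaced or shadowed each startup program), the hijacked `.exe=secfile` association, Security Center and firewall settings switched off, and one binary wired to many `At*.job` scheduled tasks. The sample log is assembled from lines copied from the two logs in this thread; the thresholds (three folders for a size cluster, three jobs for one target) and the short `SYSTEM_BINARIES` list are assumptions chosen for illustration.

```python
"""Triage helper for DDS / ComboFix style logs.

Added example for this thread, not a DDS, ComboFix or BleepingComputer tool.
SAMPLE_LOG is assembled from lines copied from the logs posted in the thread;
the thresholds and the SYSTEM_BINARIES list are illustrative assumptions.
"""
import re
from collections import defaultdict

# One file entry in either tool's format (the third form is ComboFix's
# msconfig\startupreg listing, which has no seconds and no second timestamp):
#   DDS:      2010-03-05 16:23:08 353792 ----a-w- c:\windows\lsass .exe
#   ComboFix: 2010-03-05 17:01 . 2010-03-13 16:58 43008 ----a-w- c:\...\nwiz.exe
#   ComboFix: 2010-03-10 03:35 43008 ----a-w- c:\program files\iTunes\ituneshelper.exe
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?"   # created timestamp
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"        # modified timestamp (optional)
    r" +(?P<size>\d+|-+) +(?P<attrs>[-a-z]{8}) +(?P<path>\S.*)$",
    re.IGNORECASE,
)
# "nwiz .exe" next to the real nwiz.exe: a companion dropped beside a startup program
SPACE_BEFORE_EXT = re.compile(r" +\.(exe|dll|scr|com)$", re.IGNORECASE)
# Scheduled-task target line printed under a c:\windows\Tasks\AtN.job entry
TASK_LINE = re.compile(r"^- (?P<target>.+?\.exe) \[", re.IGNORECASE)
# Real Windows binaries that belong under %SystemRoot%\system32 (or its dllcache);
# a short illustrative list, not a complete one
SYSTEM_BINARIES = {"lsass.exe", "rundll32.exe", "svchost.exe", "winlogon.exe", "csrss.exe"}
# Registry lines, exactly as the logs print them, that mean protection was turned off
SECURITY_OFF = {
    ".exe=secfile": ".exe file association hijacked",
    '"AntiVirusOverride"=dword:00000001': "Security Center AV override set",
    '"FirewallOverride"=dword:00000001': "Security Center firewall override set",
    '"DisableMonitoring"=dword:00000001': "Security Center monitoring disabled",
    '"EnableFirewall"= 0 (0x0)': "Windows Firewall disabled",
}


def triage(log_text, same_size_min=3, same_task_min=3):
    """Return (indicator, detail) pairs found in log_text, in log order."""
    findings = []
    size_groups = defaultdict(set)    # file size -> set of .exe paths with that size
    task_targets = defaultdict(int)   # scheduled-task target -> number of jobs
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            path = m.group("path").lower()
            folder, _, name = path.rpartition("\\")
            if SPACE_BEFORE_EXT.search(path):
                findings.append(("space-before-extension", path))
            # Compare with spaces removed so "lsass .exe" is still treated as lsass.exe
            if name.replace(" ", "") in SYSTEM_BINARIES and "\\system32" not in folder:
                findings.append(("system-name-outside-system32", path))
            if m.group("size").isdigit() and path.endswith(".exe"):
                size_groups[int(m.group("size"))].add(path)
            continue
        t = TASK_LINE.match(line)
        if t:
            task_targets[t.group("target").lower()] += 1
            continue
        for key, meaning in SECURITY_OFF.items():
            if line.startswith(key):
                findings.append(("security-disabled", meaning))
    # Unrelated programs that all became exactly the same size were replaced by one dropper
    for size, paths in size_groups.items():
        folders = {p.rpartition("\\")[0] for p in paths}
        if len(folders) >= same_size_min:
            findings.append(("same-size-exe-cluster", f"{size} bytes x{len(paths)}"))
    # One binary wired to many At*.job tasks is relaunched on schedule even after it is killed
    for target, count in task_targets.items():
        if count >= same_task_min:
            findings.append(("repeated-scheduled-task", f"{target} x{count}"))
    return findings


# Constructed sample: lines copied from the DDS and ComboFix logs in this thread
SAMPLE_LOG = r"""
.exe=secfile
2010-03-05 17:01:18 43008 ----a-w- c:\documents and settings\hp_administrator\nwiz .exe
2010-03-05 16:23:08 353792 ----a-w- c:\windows\lsass .exe
2010-03-13 16:58:47 43008 ----a-w- c:\documents and settings\hp_administrator\rundll32.exe
2010-03-05 20:14:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-05 17:01 . 2010-03-13 16:58 43008 ----a-w- c:\documents and settings\HP_Administrator\nwiz.exe
2010-03-10 03:35 43008 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\cs4servicemanager.exe
2010-03-10 03:34 43008 ----a-w- c:\program files\iTunes\ituneshelper.exe
2010-03-10 03:34 43008 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
2006-10-31 18:35 1622016 ----a-w- c:\windows\system32\nwiz.exe
"AntiVirusOverride"=dword:00000001
"DisableMonitoring"=dword:00000001
"EnableFirewall"= 0 (0x0)
2010-03-21 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]
2010-03-21 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]
2010-03-21 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]
"""

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LOG):
        print(f"{indicator:30} {detail}")
```

Run the file directly to print the findings for the embedded sample, or pass the text of a full log to `triage()`. The size-cluster rule needs the `startupreg` lines from ComboFix, because DDS alone lists the replaced copies in a single folder; a set of legitimate binaries that happen to share one size is unlikely but not impossible, so treat that finding as a lead to confirm by hashing the files against known-good copies, not as a verdict.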



#4 Blind Faith (Malware Response Team, 4,101 posts, Gender: Female, Local time: 02:40 PM)

Posted 19 March 2010 - 07:29 AM

Hello astoria718!

I am Blind Faith or Elle (it's easier to remember, I think) and I will help you with your malware-related problems.
As you can see I am still a trainee and that means my work is revised by a coach.
Therefore, it will take a bit longer for me to reply.
So don't be impatient, because I won't leave your case suspended in the air, waiting forever.

NOTE: Do not make any type of changes to your system during the cleaning process. The steps you are following are based on strict information from your system, so changes which I did not give instructions for are not recommended.

I will need some time to research the files on your system so please click the Options button at the top bar of this topic and Track this Topic, where you should choose email notifications to know when I replied.



During the cleaning process many files may be hidden so please unhide them by following the instructions listed here: How to show hidden files and folders.

Remember to check your topic for new replies.

Probably, it will take a couple of days until the next reply but after that everything will go faster.

Also please let me know if you still need help after you have read this.



Elle

Edited by Blind Faith, 19 March 2010 - 12:18 PM.

Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.




#5 astoria718 (Topic Starter, Members, 33 posts, Local time: 07:40 AM)

Posted 20 March 2010 - 03:35 PM

Thanks Elle, I'm desperate for the help! I unhid my files as requested. Firefox is now redirecting all of my Google searches. That seems to be the biggest change. Also, should I be worried about using sites that require passwords, credit cards, or personal info? I haven't logged into my bank site or worked on my taxes, as I'm not sure how much info this malware is able to capture.

Thanks

#6 Blind Faith (Malware Response Team, 4,101 posts, Gender: Female, Local time: 02:40 PM)

Posted 20 March 2010 - 07:03 PM

Hi again,


Avoid logging into your bank account while your system is infected, because malware can "capture" everything you've got.


One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide on continuing the cleaning process:

Optional removal of Poker Gaming sites
I see you have Poker sites installed on your machine. These sites are known to be infected with Spyware and sometimes Adware. In your case: Poker Superstars, Poker Superstars 2, PokerStars, PokerStars.net. I would suggest removing these from your machine. As stated above this is an optional removal and may be done at your discretion. If you choose to do so, you can do so by following the directions below.

Uninstalling A Program Through "add/remove"

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

  • Poker Superstars
  • Poker Superstars 2
  • PokerStars
  • PokerStars.net


Additional instructions can be found here if needed.


1. Please Download ComboFix
Here is a Tutorial on using ComboFix: A guide and tutorial on using ComboFix
  • Save it to your Desktop
  • Do NOT run ComboFix yet
  • Here is an alternative link to download ComboFix, if the above one is not working for you:
2. Disable Your AntiVirus and AntiSpyware Programs
  • You should be able to Right-Click on the program's icon in the System Tray and get an option to shut-down/disable each program.
  • These programs may interfere with our fix. We will re-enable them when we are done.
3. Double click on ComboFix.exe that you just saved to your Desktop
  • Follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. The Recovery Console will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • It is strongly recommended to have the Recovery Console installed on your machine before doing any malware removal.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: If the Microsoft Windows Recovery Console is already installed, you will not receive a prompt from ComboFix regarding the Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
4. Re-enable Your AntiVirus and AntiSpyware Programs That You Disabled in Step 2.

5. What I need in Your Next Reply:
  • ComboFix.txt
Elle

Edited by Blind Faith, 20 March 2010 - 07:03 PM.


#7 astoria718 (Topic Starter, Members, 33 posts, Local time: 07:40 AM)

Posted 21 March 2010 - 01:04 PM

Here is my combofix report. Thanks!




ComboFix 10-03-20.06 - HP_Administrator 03/21/2010 13:26:09.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1665 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\Local Settings\Application Data\av.exe
c:\documents and settings\HP_Administrator\Local Settings\Application Data\MSASCui.exe
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\2ABj5aNM.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\7642NMX6.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\BpnBbmoMM.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\L1O7N.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\lnAJM0.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\mba5x84y.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\yb6Bn.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\YyPk55bl.jpg
c:\documents and settings\HP_Administrator\nwiz .exe
c:\documents and settings\HP_Administrator\rthdcpl .exe
c:\documents and settings\HP_Administrator\rthdcpl.exe
c:\documents and settings\HP_Administrator\rundll32.exe
c:\documents and settings\LocalService\Local Settings\Application Data\av.exe
c:\documents and settings\LocalService\Local Settings\Application Data\MSASCui.exe
c:\documents and settings\LocalService\Local Settings\Application Data\mtg.exe
c:\program files\Adobe\113828.old
c:\program files\Adobe\116859.old
c:\program files\Adobe\119171.old
c:\program files\Adobe\126859.old
c:\program files\Adobe\128812.old
c:\program files\Adobe\134343.old
c:\program files\Adobe\138703.old
c:\program files\Adobe\139171.old
c:\program files\Adobe\140984.old
c:\program files\Adobe\44143125.old
c:\program files\Adobe\4488625.old
c:\program files\Adobe\7377187.old
c:\program files\Adobe\acrotray .exe
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs .exe
c:\program files\Internet Explorer\wmpscfgs.exe
c:\recycler\S-1-5-21-527237240-179605362-725345543-500
c:\windows\lsass .exe
c:\windows\odbns .exe
c:\windows\odbns.exe
c:\windows\svc .exe
c:\windows\system32\app_dll.dll
c:\windows\system32\rundll32 .exe
E:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\iastor.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IAS


((((((((((((((((((((((((( Files Created from 2010-02-21 to 2010-03-21 )))))))))))))))))))))))))))))))
.

2010-03-21 17:18 . 2010-03-21 17:18 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-03-20 20:27 . 2010-03-20 20:27 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-03-16 22:48 . 2010-03-16 22:48 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-03-14 19:11 . 2010-03-20 21:08 -------- d-----w- C:\AITEMP
2010-03-14 05:07 . 2010-03-14 05:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-13 21:05 . 2010-03-13 21:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-03-13 17:56 . 2010-03-13 17:56 4 ----a-w- c:\program files\298031.dat
2010-03-13 17:00 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-05 20:14 . 2010-03-05 20:14 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2010-03-05 20:14 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-05 20:14 . 2010-03-06 04:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-05 20:14 . 2010-03-05 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-05 20:14 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-05 19:31 . 2010-03-05 19:31 4 ----a-w- c:\program files\152109.dat
2010-03-05 18:36 . 2010-03-05 18:36 4 ----a-w- c:\program files\538906.dat
2010-03-05 18:24 . 2010-03-05 18:24 4 ----a-w- c:\program files\1181703.dat
2010-03-05 17:58 . 2010-03-05 17:58 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-03-05 17:51 . 2010-03-05 17:51 4 ----a-w- c:\program files\3211968.dat
2010-03-05 17:22 . 2010-03-05 17:22 4 ----a-w- c:\program files\1508203.dat
2010-03-05 17:22 . 2010-03-05 17:22 4 ----a-w- c:\program files\1504953.dat
2010-03-05 17:22 . 2010-03-05 17:22 4 ----a-w- c:\program files\1504734.dat
2010-03-05 17:22 . 2010-03-05 17:22 4 ----a-w- c:\program files\1504703.dat
2010-03-05 17:22 . 2010-03-05 17:22 4 ----a-w- c:\program files\1504078.dat
2010-03-05 17:22 . 2010-03-05 17:22 4 ----a-w- c:\program files\1503859.dat
2010-03-05 17:22 . 2010-03-05 17:22 4 ----a-w- c:\program files\1503531.dat
2010-03-05 17:22 . 2010-03-05 17:22 4 ----a-w- c:\program files\1503468.dat
2010-03-05 17:01 . 2010-03-13 16:58 43008 ----a-w- c:\documents and settings\HP_Administrator\nwiz.exe
2010-02-26 00:03 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-26 00:03 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-25 04:46 . 2010-02-25 04:46 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-24 01:04 . 2010-02-24 00:39 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-24 00:39 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-24 00:39 . 2010-02-24 00:39 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-24 00:37 . 2010-02-24 00:37 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-24 00:37 . 2010-02-24 00:37 -------- d-----w- c:\program files\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-21 17:42 . 2010-03-21 17:42 43008 ----a-w- c:\documents and settings\HP_Administrator\rundll32.exe
2010-03-21 17:16 . 2008-03-20 22:31 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-21 15:00 . 2006-07-21 00:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-21 05:10 . 2006-07-21 00:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-03-21 04:48 . 2006-07-20 23:49 -------- d-----w- c:\program files\HP Games
2010-03-20 17:47 . 2008-09-19 14:32 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-03-20 17:46 . 2006-07-20 23:52 114808 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-13 17:39 . 2006-12-23 23:02 -------- d-----w- c:\program files\OMS
2010-03-13 17:39 . 2006-07-20 23:44 -------- d-----w- c:\program files\HP
2010-03-11 01:01 . 2009-09-21 01:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-10 03:35 . 2006-07-20 23:48 -------- d-----w- c:\program files\HP DigitalMedia Archive
2010-03-10 03:34 . 2009-11-16 01:13 -------- d-----w- c:\program files\iTunes
2010-03-10 03:34 . 2007-09-16 19:11 -------- d-----w- c:\program files\QuickTime
2010-03-10 03:34 . 2007-07-04 16:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-06 06:25 . 2007-07-04 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-06 04:30 . 2009-06-18 04:10 -------- d-----w- c:\program files\Bonjour
2010-03-05 20:01 . 2006-11-04 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Quark
2010-02-24 00:37 . 2007-07-03 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-21 00:02 . 2008-10-21 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-04 15:53 . 2010-02-24 00:37 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-01-05 10:00 . 2009-09-12 00:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-09 21:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-09 21:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:21 . 2004-08-09 21:00 667136 ----a-w- c:\windows\system32\wininet.dll
.
c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray .exe
c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\versioncuecs2tray .exe
c:\program files\Common Files\Adobe\CS4ServiceManager\cs4servicemanager .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop  .exe
c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop .exe
c:\program files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\hpwqtbx .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\HP DigitalMedia Archive\dmascheduler .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\windows\CREATOR\remind_xp .exe
c:\windows\ehome\ehtray .exe
c:\windows\pchealth\helpctr\binaries\msconfig .exe
c:\windows\SMINST\recguard .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe_Reader"="c:\program files\internet explorer\wmpscfgs.exe" [2010-03-21 43008]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2010-03-21 43008]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-7-20 27136]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^4eaa9a75-8a64-4313-ad5b-42d6a155ee63_24.lnk]
backup=c:\windows\pss\4eaa9a75-8a64-4313-ad5b-42d6a155ee63_24.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CO2 Saver.lnk]
backup=c:\windows\pss\CO2 Saver.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^AutoBackup Launcher.lnk]
backup=c:\windows\pss\AutoBackup Launcher.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\quicktime\qttask .exe -atboottime [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StxTrayMenu

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
2010-03-10 03:35 43008 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\versioncuecs2tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2010-03-10 03:35 43008 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\cs4servicemanager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_Reader]
2010-03-21 17:42 43008 ----a-w- c:\program files\Internet Explorer\wmpscfgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-03-10 03:35 43008 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\applesyncnotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\asr64_ldm.exe]
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\asr64_ldm.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2008-01-26 01:47 51048 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
2010-03-10 03:35 43008 ----a-w- c:\program files\HP DigitalMedia Archive\dmascheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-03-10 03:34 43008 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
2010-03-10 03:34 43008 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWQTOOLBOX]
2010-03-10 03:34 43008 ----a-w- c:\program files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\hpwqtbx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2010-03-10 03:34 43008 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-10 03:34 43008 ----a-w- c:\program files\iTunes\ituneshelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-10-31 18:35 7634944 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-10-31 18:35 1622016 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\odnex]
c:\windows\odbns.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
c:\program files\Norton AntiVirus\osCheck.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2010-03-12 04:33 43008 ----a-w- c:\windows\SMINST\recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2010-03-10 03:34 43008 ----a-w- c:\windows\CREATOR\remind_xp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-06-13 20:05 16239616 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2010-03-10 03:34 43008 ----a-w- c:\program files\Spybot - Search & Destroy\teatimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-03-10 03:34 43008 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-03-13 04:07 43008 ----a-w- c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
c:\program files\Support.com\bin\tgcmd.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uishf9wuifwuh387fh3wufinhjfdwefe]
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\pwmyqbf.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=3 (0x3)
"Ias"=2 (0x2)
"6to4"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Messenger"=3 (0x3)
"LiveUpdate Notice"=2 (0x2)
"LiveUpdate"=3 (0x3)
"LightScribeService"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"ehSched"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Adobe Version Cue CS2"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"MHN"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"Bonjour Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Symantec Core LC"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"medic"="c:\program files\MEDIC\bin\sprtcmd.exe" /P MEDIC

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"4eaa9a75-8a64-4313-ad5b-42d6a155ee63_24"="c:\windows\system32\rundll32.exe" "c:\windows\system32\4eaa9a75-8a64-4313-ad5b-42d6a155ee63_24.avi", start minimized
"ftutil2"=rundll32.exe ftutil2.dll,SetWriteCacheMode

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/23/2010 8:39 PM 64288]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/21/2007 10:41 PM 24652]
S0 azvil;azvil; [x]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 10:32 PM 23888]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [7/20/2006 7:40 PM 468768]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1229232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-03-21 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]

2010-03-21 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]

2010-03-21 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]

2010-03-21 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]

2010-03-21 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]

2010-03-21 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]

2010-03-21 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]

2010-03-21 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]

2010-03-21 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]

2010-03-21 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]

2010-03-21 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]

2010-03-21 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]

2010-03-21 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]

2010-03-21 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]

2010-03-21 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]

2010-03-21 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]

2010-03-21 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]

2010-03-21 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]

2010-03-21 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]

2010-03-21 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]

2010-03-21 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]

2010-03-21 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]

2010-03-21 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]

2010-03-21 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-21 17:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GGLL_en
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\3zm6ebh2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)
AddRemove-Antimalware Defender - c:\program files\Antimalware Defender\Antimalware Defender.dll
AddRemove-LiveUpdate - c:\program files\Symantec\LiveUpdate\LSETUP.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-21 13:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1501173368-1349942782-1364847320-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1501173368-1349942782-1364847320-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{676C94C7-EAFD-3FE7-BE67-4E5390198905}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"pakkcepjmncgjcmliohflglijcjcpceg"=hex:6a,61,70,6c,6b,6f,6b,6d,64,62,6f,69,63,
6b,6a,6f,6e,70,66,61,00,00
"oamieggoecmlkbpeeljmmoflllciej"=hex:6a,61,67,66,68,70,6c,67,68,64,6b,69,69,70,
67,6b,68,6f,6f,68,00,00

[HKEY_USERS\S-1-5-21-1501173368-1349942782-1364847320-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CC52130C-FDD2-70CF-E922-C2B68E1E9348}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"paagmfbopkkadlnoohnggedidnlepgef"=hex:6a,61,66,67,67,6a,6f,6c,6e,6a,6f,62,64,
6d,66,61,69,67,62,6f,00,fb
"oakhbmcblbbmpccealbhljhanjnpoo"=hex:6a,61,66,67,67,6a,6f,6c,6e,6a,6f,62,64,6d,
66,61,69,67,62,6f,00,fb
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3824)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\eHome\ehRecvr.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\windows\system32\nvsvc32.exe
c:\program files\adobe\adobe acrobat 7.0\distillr\acrotray .exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
.
**************************************************************************
.
Completion time: 2010-03-21 13:50:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-21 17:50

Pre-Run: 159,190,532,096 bytes free
Post-Run: 159,702,777,856 bytes free

- - End Of File - - BAEBABB9477B1BD2544CD6C830B17AF8


#8 Blind Faith
  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 23 March 2010 - 11:33 AM

Hi,


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
RenV::
c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray .exe
c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\versioncuecs2tray .exe
c:\program files\Common Files\Adobe\CS4ServiceManager\cs4servicemanager .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop  .exe
c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop .exe
c:\program files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\hpwqtbx .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\HP DigitalMedia Archive\dmascheduler .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\windows\CREATOR\remind_xp .exe
c:\windows\ehome\ehtray .exe
c:\windows\pchealth\helpctr\binaries\msconfig .exe
c:\windows\SMINST\recguard .exe

Collect::
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\asr64_ldm.exe
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\odbns.exe
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\pwmyqbf.exe

ATJob::


RegNull::
[HKEY_USERS\S-1-5-21-1501173368-1349942782-1364847320-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CC52130C-FDD2-70CF-E922-C2B68E1E9348}*]
[HKEY_USERS\S-1-5-21-1501173368-1349942782-1364847320-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{676C94C7-EAFD-3FE7-BE67-4E5390198905}*]

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uishf9wuifwuh387fh3wufinhjfdwefe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\asr64_ldm.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_Reader]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe_Reader"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_Reader]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript onto ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Also,please include new DDS logs.

Please also tell me how the PC is going after running ComboFix again.


Elle
Can you hear it? It's all around!

Do you remember?
If you do, then
can you forgive?



If I haven't replied in 48 hours, please feel free to send me a PM.



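
An added example, not part of the thread and not ComboFix's or the poster's code: the RenV:: list in the post above is a list of programs the infection moved aside by inserting spaces before ".exe" and then replaced with its own binary under the original name (the log lines "acrotray .exe", "hpbootop  .exe" and "qttask     .exe" are that pattern). The Python below, written for this page, finds such spaced twins in a directory tree and pairs each with the unspaced file beside it, which is the dropped body; when one file size turns up under several unrelated program names, that is a single binary copied over many originals. The sample tree, the file contents and the 1234-byte stand-in body are all constructed for the demonstration; nothing here uses ComboFix internals.

```python
"""Locate executables renamed with whitespace before ".exe" and their unspaced twins."""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# "acrotray .exe", "hpbootop  .exe", "qttask     .exe" match; "acrotray.exe" does not.
SPACED_EXT = re.compile(r"^(?P<stem>\S.*?)(?P<pad>[ \t]+)(?P<ext>\.exe)$", re.IGNORECASE)


def find_spaced_executables(root):
    """Walk `root`; return one record per spaced executable.

    A record names the spaced file, the unspaced twin in the same directory
    (None if the replacement is already gone) and both sizes.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {name.lower(): name for name in files}
        for name in files:
            m = SPACED_EXT.match(name)
            if not m:
                continue
            twin_name = by_lower.get((m.group("stem") + m.group("ext")).lower())
            spaced = Path(dirpath, name)
            twin = Path(dirpath, twin_name) if twin_name else None
            findings.append({
                "spaced": str(spaced),
                "spaced_size": spaced.stat().st_size,
                "twin": str(twin) if twin else None,
                "twin_size": twin.stat().st_size if twin else None,
            })
    return sorted(findings, key=lambda rec: rec["spaced"])


def shared_twin_sizes(findings, min_twins=2):
    """Sizes that several distinct twins share.

    One dropped body copied over many originals shows up as the same size
    under many unrelated program names; that size (plus a hash, if you
    extend this) is the indicator to pivot on.
    """
    sizes = {rec["twin"]: rec["twin_size"] for rec in findings if rec["twin"]}
    counts = Counter(sizes.values())
    return {size: n for size, n in counts.items() if n >= min_twins}


def build_sample_tree():
    """Constructed directory layout mirroring the thread, for a dry run (not real files)."""
    root = Path(tempfile.mkdtemp(prefix="renv_demo_"))
    dropped = b"MZ" + b"\x90" * 1232          # 1234 bytes, stands in for the malware body
    layout = {
        "Adobe/Acrobat 7.0/Distillr/acrotray .exe": b"MZ" + b"A" * 4094,
        "Adobe/Acrobat 7.0/Distillr/acrotray.exe": dropped,
        "QuickTime/qttask     .exe": b"MZ" + b"Q" * 2046,   # moved aside twice: two spaced copies
        "QuickTime/qttask    .exe": b"MZ" + b"Q" * 2046,
        "QuickTime/qttask.exe": dropped,
        "Java/jre6/bin/jusched .exe": b"MZ" + b"J" * 998,
        "Java/jre6/bin/jusched.exe": dropped,
        "Windows/notepad.exe": b"MZ" + b"N" * 500,          # untouched program, no spaced twin
    }
    for rel, body in layout.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    records = find_spaced_executables(demo_root)
    for rec in records:
        print(f"{rec['spaced']!r}  ->  twin {rec['twin']!r} ({rec['twin_size']} bytes)")
    print("twin sizes seen under more than one name:", shared_twin_sizes(records))
```

On a real box you would point find_spaced_executables at C:\Program Files and C:\Windows, hash every unspaced twin before touching it, and treat a size (or hash) shared across unrelated vendors' directories as the dropped body. Size alone is a lead, not proof; the hash check and a look at the file's version resource are what settle it, and the spaced original is the file you want to keep, not delete.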

#9 astoria718
  • Topic Starter
  • Members
  • 33 posts

Posted 23 March 2010 - 01:24 PM

Sorry, probably a dumb question - when I drag CFScript onto ComboFix, nothing happens, and no log appears in C:\

Do I drag it and then run ComboFix or will it run on its own?

And should I attach everything or paste any of it into a reply?

Thanks

#10 Blind Faith
  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 23 March 2010 - 01:54 PM

Hi astoria,

You should drag the script onto the ComboFix icon and the application should run by itself. Try again.

No, don't attach; copy/paste everything here. If it doesn't work, please reply and tell me what happened.





#11 astoria718
  • Topic Starter
  • Members
  • 33 posts

Posted 23 March 2010 - 02:10 PM

I followed your instructions again and nothing happens. ComboFix doesn't run.


#12 Blind Faith
  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 23 March 2010 - 03:36 PM

Hi,

Be sure you have ComboFix.exe and CFScript.txt on your desktop named like indicated.

Go to Start->Run and copy and paste the following into the Run box, without the "CODE" label:


CODE
"%userprofile%\HP_Administrator\Desktop\ComboFix.exe" "%userprofile%\HP_Administrator\Desktop\CFScript.txt"



Tell me what happens and if the log is produced, please post it in your next reply.




#13 astoria718
  • Topic Starter
  • Members
  • 33 posts

Posted 23 March 2010 - 05:25 PM

Okay, I got it to run. I had to delete HP_Administrator\ from both parts of your run command, but then ComboFix started. The first time, ComboFix restarted my computer and then froze during its process. Then I restarted, ran it again, and it froze again. Finally I restarted and ran the command just as Windows started up, and it finished. Here's the ComboFix log:


ComboFix 10-03-23.03 - HP_Administrator 03/23/2010 17:50:21.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1649 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((( Files Created from 2010-02-23 to 2010-03-23 )))))))))))))))))))))))))))))))
.

2010-03-22 22:55 . 2010-03-23 19:09 201728 --sha-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\128822158.dll
2010-03-21 17:18 . 2010-03-21 17:18 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-03-20 20:27 . 2010-03-20 20:27 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-03-16 22:48 . 2010-03-16 22:48 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-03-14 19:11 . 2010-03-22 00:25 -------- d-----w- C:\AITEMP
2010-03-14 05:07 . 2010-03-14 05:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-13 21:05 . 2010-03-13 21:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-03-13 17:56 . 2010-03-13 17:56 4 ----a-w- c:\program files\298031.dat
2010-03-13 17:00 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-05 20:14 . 2010-03-05 20:14 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2010-03-05 20:14 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-05 20:14 . 2010-03-06 04:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-05 20:14 . 2010-03-05 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-05 20:14 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-05 19:31 . 2010-03-05 19:31 4 ----a-w- c:\program files\152109.dat
2010-03-05 18:36 . 2010-03-05 18:36 4 ----a-w- c:\program files\538906.dat
2010-03-05 18:24 . 2010-03-05 18:24 4 ----a-w- c:\program files\1181703.dat
2010-03-05 17:58 . 2010-03-05 17:58 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-03-05 17:51 . 2010-03-05 17:51 4 ----a-w- c:\program files\3211968.dat
2010-03-05 17:22 . 2010-03-05 17:22 4 ----a-w- c:\program files\1508203.dat
2010-03-05 17:22 . 2010-03-05 17:22 4 ----a-w- c:\program files\1504953.dat
2010-03-05 17:22 . 2010-03-05 17:22 4 ----a-w- c:\program files\1504734.dat
2010-03-05 17:22 . 2010-03-05 17:22 4 ----a-w- c:\program files\1504703.dat
2010-03-05 17:22 . 2010-03-05 17:22 4 ----a-w- c:\program files\1504078.dat
2010-03-05 17:22 . 2010-03-05 17:22 4 ----a-w- c:\program files\1503859.dat
2010-03-05 17:22 . 2010-03-05 17:22 4 ----a-w- c:\program files\1503531.dat
2010-03-05 17:22 . 2010-03-05 17:22 4 ----a-w- c:\program files\1503468.dat
2010-03-05 17:01 . 2010-03-13 16:58 43008 ----a-w- c:\documents and settings\HP_Administrator\nwiz.exe
2010-02-26 00:03 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-26 00:03 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-25 04:46 . 2010-02-25 04:46 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-24 01:04 . 2010-02-24 00:39 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-24 00:37 . 2010-02-24 00:37 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-24 00:37 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-24 00:37 . 2010-02-24 00:37 -------- d-----w- c:\program files\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-23 21:10 . 2009-11-16 01:13 -------- d-----w- c:\program files\iTunes
2010-03-23 21:10 . 2006-07-20 23:48 -------- d-----w- c:\program files\HP DigitalMedia Archive
2010-03-23 16:04 . 2008-03-20 22:31 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-21 15:00 . 2006-07-21 00:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-21 05:10 . 2006-07-21 00:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-03-21 04:48 . 2006-07-20 23:49 -------- d-----w- c:\program files\HP Games
2010-03-20 17:47 . 2008-09-19 14:32 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-03-20 17:46 . 2006-07-20 23:52 114808 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-13 17:39 . 2006-12-23 23:02 -------- d-----w- c:\program files\OMS
2010-03-13 17:39 . 2006-07-20 23:44 -------- d-----w- c:\program files\HP
2010-03-11 01:01 . 2009-09-21 01:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-10 03:34 . 2007-09-16 19:11 -------- d-----w- c:\program files\QuickTime
2010-03-10 03:34 . 2007-07-04 16:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-06 06:25 . 2007-07-04 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-06 04:30 . 2009-06-18 04:10 -------- d-----w- c:\program files\Bonjour
2010-03-05 20:01 . 2006-11-04 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Quark
2010-02-24 00:37 . 2007-07-03 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-21 00:02 . 2008-10-21 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-04 15:53 . 2010-02-24 00:39 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-05 10:00 . 2009-09-12 00:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-09 21:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-09 21:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.
CODE
<pre>
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeBridge"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-7-20 27136]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^4eaa9a75-8a64-4313-ad5b-42d6a155ee63_24.lnk]
backup=c:\windows\pss\4eaa9a75-8a64-4313-ad5b-42d6a155ee63_24.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CO2 Saver.lnk]
backup=c:\windows\pss\CO2 Saver.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^AutoBackup Launcher.lnk]
backup=c:\windows\pss\AutoBackup Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\quicktime\qttask .exe -atboottime [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
2005-04-04 23:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\versioncuecs2tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 11:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\cs4servicemanager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-03-10 03:35 43008 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\applesyncnotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2008-01-26 01:47 51048 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
2006-04-13 09:05 90112 ----a-w- c:\program files\HP DigitalMedia Archive\dmascheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
c:\program files\hewlett-packard\hp boot optimizer\hpbootop .exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWQTOOLBOX]
2005-06-01 19:54 335872 ----a-w- c:\program files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\hpwqtbx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-07-06 14:15 151552 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-29 01:21 141600 ----a-w- c:\program files\iTunes\ituneshelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-10-31 18:35 7634944 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-10-31 18:35 1622016 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\odnex]
c:\windows\odbns.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
c:\program files\Norton AntiVirus\osCheck.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2005-07-22 22:14 237568 ----a-w- c:\windows\SMINST\recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2004-12-14 02:23 663552 ----a-w- c:\windows\CREATOR\remind_xp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-06-13 20:05 16239616 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2010-03-10 03:34 43008 ----a-w- c:\program files\Spybot - Search & Destroy\teatimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-21 03:24 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-28 04:58 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
c:\program files\Support.com\bin\tgcmd.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=3 (0x3)
"Ias"=2 (0x2)
"6to4"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Messenger"=3 (0x3)
"LiveUpdate Notice"=2 (0x2)
"LiveUpdate"=3 (0x3)
"LightScribeService"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"ehSched"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Adobe Version Cue CS2"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"MHN"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"Bonjour Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Symantec Core LC"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"medic"="c:\program files\MEDIC\bin\sprtcmd.exe" /P MEDIC

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/23/2010 8:39 PM 64288]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/21/2007 10:41 PM 24652]
S0 azvil;azvil; [x]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 10:32 PM 23888]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [7/20/2006 7:40 PM 468768]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1229232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GGLL_en
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\3zm6ebh2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-23 17:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1501173368-1349942782-1364847320-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2392)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-23 18:02:55
ComboFix-quarantined-files.txt 2010-03-23 22:02

Pre-Run: 159,935,082,496 bytes free
Post-Run: 159,893,413,888 bytes free

- - End Of File - - A42EB14F8D6B7CC73229339F14EA2D27



#14 astoria718 (Topic Starter, Members, 33 posts)

Posted 23 March 2010 - 05:27 PM
A new DDS.txt is below. Attach.txt is attached.


DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Administrator at 18:25:56.31 on Tue 03/23/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1389 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\teatimer.exe
c:\program files\spybot - search & destroy\teatimer .exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GGLL_en
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [AdobeBridge]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\adobe acrobat 7.0\distillr\Acrotray.exe"
mRun: [Adobe_Reader] c:\program files\internet explorer\wmpscfgs.exe
Trusted Zone: trymedia.com
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - hxxp://outlook.chambermusicsociety.org/tsweb/msrdp.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\3zm6ebh2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\documents and settings\hp_administrator\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-23 64288]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-5-21 24652]
S0 azvil;azvil; [x]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2006-7-20 468768]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1229232]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-7-20 1245064]

=============== Created Last 30 ================

2010-03-23 21:48:46 0 d-----w- C:\ComboFix
2010-03-21 17:20:31 98816 ----a-w- c:\windows\sed.exe
2010-03-21 17:20:31 77312 ----a-w- c:\windows\MBR.exe
2010-03-21 17:20:31 261632 ----a-w- c:\windows\PEV.exe
2010-03-21 17:20:31 161792 ----a-w- c:\windows\SWREG.exe
2010-03-17 23:24:33 19968 ----a-w- c:\windows\system32\evuq.kjo
2010-03-14 19:11:57 0 d-----w- C:\AITEMP
2010-03-13 17:56:37 4 ----a-w- c:\program files\298031.dat
2010-03-13 17:00:01 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-13 16:58:56 94208 ----a-w- c:\windows\system32\app_dll.dll.7372578.old
2010-03-13 16:58:56 94208 ----a-w- c:\windows\system32\app_dll.dll.44142031.old
2010-03-13 16:58:56 94208 ----a-w- c:\windows\system32\app_dll.dll.139578.old
2010-03-13 16:58:56 94208 ----a-w- c:\windows\system32\app_dll.dll.137281.old
2010-03-13 16:58:56 94208 ----a-w- c:\windows\system32\app_dll.dll.137078.old
2010-03-13 16:58:56 94208 ----a-w- c:\windows\system32\app_dll.dll.132953.old
2010-03-13 16:58:56 94208 ----a-w- c:\windows\system32\app_dll.dll.127484.old
2010-03-13 16:58:56 94208 ----a-w- c:\windows\system32\app_dll.dll.125656.old
2010-03-13 16:58:47 43008 ----a-w- c:\documents and settings\hp_administrator\rundll32.exe.delme115
2010-03-12 02:50:51 94208 ----a-w- c:\windows\system32\app_dll.dll.118343.old
2010-03-11 01:37:47 230 ----a-w- c:\windows\system32\spupdsvc.inf
2010-03-05 20:14:49 0 d-----w- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2010-03-05 20:14:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-05 20:14:45 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-05 20:14:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-05 20:14:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-05 19:31:43 4 ----a-w- c:\program files\152109.dat
2010-03-05 18:36:10 4 ----a-w- c:\program files\538906.dat
2010-03-05 18:24:12 4 ----a-w- c:\program files\1181703.dat
2010-03-05 18:00:03 8 --sha-r- c:\documents and settings\hp_administrator\ntuser.pol
2010-03-05 17:58:53 0 d--h--w- c:\windows\system32\GroupPolicy
2010-03-05 17:51:11 4 ----a-w- c:\program files\3211968.dat
2010-03-05 17:22:47 4 ----a-w- c:\program files\1508203.dat
2010-03-05 17:22:44 4 ----a-w- c:\program files\1504953.dat
2010-03-05 17:22:44 4 ----a-w- c:\program files\1504734.dat
2010-03-05 17:22:44 4 ----a-w- c:\program files\1504703.dat
2010-03-05 17:22:43 4 ----a-w- c:\program files\1504078.dat
2010-03-05 17:22:43 4 ----a-w- c:\program files\1503859.dat
2010-03-05 17:22:42 4 ----a-w- c:\program files\1503531.dat
2010-03-05 17:22:42 4 ----a-w- c:\program files\1503468.dat
2010-03-05 17:01:18 43008 ----a-w- c:\documents and settings\hp_administrator\nwiz.exe
2010-03-05 16:24:16 25214 --sha-w- c:\windows\system32\4eaa9a75-8a64-4313-ad5b-42d6a155ee63_24.ico
2010-02-26 00:03:48 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-26 00:03:48 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-26 00:03:48 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-02-24 01:04:37 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-24 00:39:45 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-24 00:39:35 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-24 00:37:49 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-24 00:37:21 0 d-----w- c:\program files\Lavasoft

==================== Find3M ====================

2010-01-25 00:12:10 1411864 ----a-w- c:\windows\fonts\addlethorpe 1.otf
2010-01-24 22:26:58 39736 ----a-w- c:\windows\fonts\Duet.ttf
2010-01-24 22:25:49 46412 ----a-w- c:\windows\fonts\Duet-Regular.ttf
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2010-01-05 10:00:21 63488 ------w- c:\windows\system32\dllcache\icardie.dll
2010-01-05 10:00:21 380928 ------w- c:\windows\system32\dllcache\ieapfltr.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe

============= FINISH: 18:26:04.82 ===============


#15 Blind Faith (Malware Response Team, 4,101 posts)

Posted 25 March 2010 - 04:21 PM

Hi again,


We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


Elle
Can you hear it? It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro?



If I haven't replied in 48 hours, please feel free to send me a PM.
