08-19-2008, 08:43 PM   #10
jimdd
OS: XP service pack 2


Re: Multiple pop ups and spyware problems

ComboFix 08-08-18.05 - Jim 2008-08-19 20:46:56.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.95 [GMT -4:00]
Running from: C:\Documents and Settings\Jim\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Jim\Desktop\CFscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\995937
C:\WINDOWS\SYSTEM32\995937\995937.dll
C:\WINDOWS\SYSTEM32\ubpr01.exe
C:\WINDOWS\system32\zgyhw.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-18 21:10 . 2008-08-18 21:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-16 19:13 . 2008-08-16 19:13 276 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-08-16 19:07 . 2008-05-01 10:33 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
2008-08-16 19:06 . 2008-04-11 15:04 691,712 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2008-08-10 17:46 . 2008-08-10 17:46 <DIR> d-------- C:\Deckard
2008-08-10 16:55 . 2008-08-10 16:55 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-08-10 16:55 . 2008-08-10 16:55 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-08-10 16:55 . 2008-08-10 16:55 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-10 16:28 . 2008-04-13 20:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\msxml6.dll
2008-08-10 16:27 . 2008-04-13 20:11 650,752 --------- C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-08-10 15:53 . 2008-08-10 15:54 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-10 15:52 . 2008-08-10 15:52 <DIR> d-------- C:\ie-spyad_zo
2008-08-10 14:11 . 2008-08-10 14:11 <DIR> d-------- C:\Program Files\Panda Security
2008-08-10 14:11 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys
2008-08-09 01:42 . 2008-08-18 20:35 <DIR> d-------- C:\Program Files\Applications

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 00:41 --------- d-----w C:\Documents and Settings\Jim\Application Data\HPAppData
2008-08-20 00:06 --------- d---a-w C:\Documents and Settings\All Users\Application Data\temp
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-24 14:57 3,592,192 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-06-23 09:20 625,664 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:51 361,600 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-04-20 03:04 518 ----a-w C:\Program Files\Shortcut to Internet Explorer.lnk
2005-09-22 22:37 81,216 ----a-w C:\Documents and Settings\Jim\Application Data\GDIPFONTCACHEV1.DAT
2005-03-01 17:16 81,216 ----a-w C:\Documents and Settings\Christopher\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-08-18_21.04.55.90 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-08-13 23:52:06 66,048 -c--a-w C:\WINDOWS\ie7\spuninst\ieResetIcons.exe
+ 2007-08-13 22:52:06 66,048 -c--a-w C:\WINDOWS\ie7\spuninst\ieResetIcons.exe
+ 2006-09-23 17:12:50 1,022,976 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
+ 2007-08-13 22:42:54 17,408 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\corpol.dll
- 2008-06-23 16:57:29 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
+ 2008-04-23 04:16:28 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
+ 2007-08-13 22:45:18 78,336 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieencode.dll
+ 2006-09-23 17:12:50 1,497,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
+ 2006-09-23 17:12:50 474,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
- 2008-06-23 16:57:29 383,488 ----a-w C:\WINDOWS\SYSTEM32\ieapfltr.dll
+ 2008-04-23 04:16:28 383,488 ----a-w C:\WINDOWS\SYSTEM32\ieapfltr.dll
- 2008-06-23 09:20:26 13,824 ----a-w C:\WINDOWS\SYSTEM32\ieudinit.exe
+ 2008-04-22 07:39:58 13,824 ----a-w C:\WINDOWS\SYSTEM32\ieudinit.exe
- 2008-08-19 00:53:20 52,968 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2008-08-19 01:01:16 52,968 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2008-08-19 00:53:20 380,680 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-08-19 01:01:16 380,680 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2003-10-06 15:16 49152]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 14:12 2061816]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 23:32 53248]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 22:34 49152]
"nwiz"="nwiz.exe" [2003-10-06 15:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-10-29 09:52 218232]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINDOWS\System32\msiexec.exe" [2008-04-13 20:12 78848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R0 PrtSeqRd;PrtSeqRd;C:\WINDOWS\system32\drivers\PrtSeqRd.sys [2001-05-15 17:48]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 14:52]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - CATCHME
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 20:50:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-19 20:54:53
ComboFix-quarantined-files.txt 2008-08-20 00:54:48
ComboFix2.txt 2008-08-19 01:05:36

Pre-Run: 14,111,641,600 bytes free
Post-Run: 14,100,910,080 bytes free

142 --- E O F --- 2008-08-19 23:32:46



Avira AntiVir Personal
Report file date: Tuesday, August 19, 2008 21:26

Scanning for 1563576 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: OFFICE

Version information:
BUILD.DAT : 8.1.0.331 16934 Bytes 8/12/2008 11:46:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 6/26/2008 14:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 13:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 18:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 13:58:52
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 16:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 6/24/2008 19:54:15
ANTIVIR2.VDF : 7.0.6.10 2587136 Bytes 8/14/2008 01:22:22
ANTIVIR3.VDF : 7.0.6.38 175104 Bytes 8/19/2008 01:22:24
Engineversion : 8.1.1.23
AEVDF.DLL : 8.1.0.5 102772 Bytes 7/9/2008 14:46:50
AESCRIPT.DLL : 8.1.0.68 315770 Bytes 8/20/2008 01:22:38
AESCN.DLL : 8.1.0.23 119156 Bytes 8/20/2008 01:22:37
AERDL.DLL : 8.1.0.20 418165 Bytes 7/9/2008 14:46:50
AEPACK.DLL : 8.1.2.1 364917 Bytes 8/20/2008 01:22:36
AEOFFICE.DLL : 8.1.0.22 192890 Bytes 8/20/2008 01:22:34
AEHEUR.DLL : 8.1.0.50 1388918 Bytes 8/20/2008 01:22:33
AEHELP.DLL : 8.1.0.15 115063 Bytes 7/9/2008 14:46:50
AEGEN.DLL : 8.1.0.36 315764 Bytes 8/20/2008 01:22:28
AEEMU.DLL : 8.1.0.7 430452 Bytes 8/20/2008 01:22:27
AECORE.DLL : 8.1.1.8 172406 Bytes 8/20/2008 01:22:25
AEBB.DLL : 8.1.0.1 53617 Bytes 4/24/2008 14:50:42
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 14:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 15:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 8/20/2008 01:22:24
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 17:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 18:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 18:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 19:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 19:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Tuesday, August 19, 2008 21:26

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'hpswp_clipbook.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'hpotbx05.exe' - '1' Module(s) have been scanned
Scan process 'hpqste08.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'ISW.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
32 processes with 32 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '63' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Deckard\System Scanner\20080818210922\backup\DOCUME~1\Jim\LOCALS~1\Temp\abc1231xHT.exe
[DETECTION] Is the TR/Dldr.ConHook.BJ Trojan
[NOTE] The file was moved to '490e7376.qua'!
C:\Deckard\System Scanner\20080818210922\backup\DOCUME~1\Jim\LOCALS~1\Temp\wgve2.exe
[DETECTION] Is the TR/Fakealert.ZV.1 Trojan
[NOTE] The file was moved to '492173b1.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '49027443.qua'!
C:\Documents and Settings\Jim\Desktop\[4]-Submit_2008-08-19@20.46.zip
C:\Documents and Settings\Jim\Desktop\[4]-Submit_2008-08-19@20.46.zip
[0] Archive type: ZIP
--> zgyhw.dll
[DETECTION] Is the TR/Fakealert.ZV Trojan
[NOTE] The file was moved to '490874ad.qua'!
C:\Program Files\Applications\wcm.exe
[DETECTION] Is the TR/Dldr.Zlob.uun Trojan
[NOTE] The file was moved to '491876e9.qua'!
C:\QooBox\Quarantine\catchme2008-08-18_203922.29.zip
[0] Archive type: ZIP
--> 995937.dll
[DETECTION] Is the TR/BHO.Gen Trojan
[NOTE] The file was moved to '491f79b7.qua'!
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\995937\995937.dll.vir
[DETECTION] Is the TR/BHO.Gen Trojan
[NOTE] The file was moved to '48e079a8.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1714\A0162033.dll
[DETECTION] Is the TR/Dldr.Zlob.uue Trojan
[NOTE] The file was moved to '48dc79f0.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1714\A0162034.exe
[DETECTION] Is the TR/Dldr.Zlob.uun Trojan
[NOTE] The file was moved to '48dc79f3.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1714\A0162035.exe
[DETECTION] Is the TR/Dldr.Zlob.uuk Trojan
[NOTE] The file was moved to '48dc79f5.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1714\A0162070.dll
[DETECTION] Is the TR/Dldr.Zlob.uue Trojan
[NOTE] The file was moved to '48dc79fa.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1714\A0162071.exe
[DETECTION] Is the TR/Dldr.Zlob.uun Trojan
[NOTE] The file was moved to '48dc79fc.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1714\A0162072.exe
[DETECTION] Is the TR/Dldr.Zlob.uuk Trojan
[NOTE] The file was moved to '48dc79ff.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1716\A0165867.exe
[DETECTION] Is the TR/Dldr.Zlob.uun Trojan
[NOTE] The file was moved to '48dc7aa2.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1716\A0165868.dll
[DETECTION] Is the TR/Dldr.Zlob.uue Trojan
[NOTE] The file was moved to '48dc7aa4.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1716\A0165869.exe
[DETECTION] Is the TR/Dldr.Zlob.uuk Trojan
[NOTE] The file was moved to '48dc7aa6.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1717\A0165905.exe
[DETECTION] Is the TR/Dldr.Zlob.uun Trojan
[NOTE] The file was moved to '48dc7aab.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1717\A0165906.dll
[DETECTION] Is the TR/Dldr.Zlob.uue Trojan
[NOTE] The file was moved to '48dc7aad.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1717\A0165907.exe
[DETECTION] Is the TR/Dldr.Zlob.uuk Trojan
[NOTE] The file was moved to '48dc7aaf.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1717\A0165926.exe
[DETECTION] Is the TR/Dldr.Zlob.uun Trojan
[NOTE] The file was moved to '48dc7ab2.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1717\A0165927.dll
[DETECTION] Is the TR/Dldr.Zlob.uue Trojan
[NOTE] The file was moved to '48dc7ab4.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1717\A0165928.exe
[DETECTION] Is the TR/Dldr.Zlob.uuk Trojan
[NOTE] The file was moved to '48dc7ab6.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1718\A0165967.dll
[DETECTION] Is the TR/Dldr.Zlob.uue Trojan
[NOTE] The file was moved to '48dc7ad4.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1718\A0165968.exe
[DETECTION] Is the TR/Dldr.Zlob.uun Trojan
[NOTE] The file was moved to '48dc7ad6.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1718\A0165969.exe
[DETECTION] Is the TR/Dldr.Zlob.uuk Trojan
[NOTE] The file was moved to '48dc7ad8.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1719\A0166092.exe
[DETECTION] Is the TR/Dldr.Zlob.uuk Trojan
[NOTE] The file was moved to '48dc7ae0.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1720\A0166118.dll
[DETECTION] Is the TR/Dldr.Zlob.uue Trojan
[NOTE] The file was moved to '48dc7ae4.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1720\A0166119.exe
[DETECTION] Is the TR/Dldr.Zlob.uuk Trojan
[NOTE] The file was moved to '48dc7ae6.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1720\A0166123.exe
--> Object
[1] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Dldr.Zlob.uuk Trojan
--> Object
[DETECTION] Is the TR/Dldr.Zlob.uue Trojan
[NOTE] The file was moved to '48dc7ae8.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1720\A0166169.dll
[DETECTION] Is the TR/Drop.Zlob.IJ.2 Trojan
[NOTE] The file was moved to '48dc7aef.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1721\A0166194.dll
[DETECTION] Is the TR/BHO.Gen Trojan
[NOTE] The file was moved to '48dc7af3.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1721\A0167217.dll
[DETECTION] Is the TR/BHO.Gen Trojan
[NOTE] The file was moved to '48dc7af7.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1726\A0167519.dll
[DETECTION] Is the TR/BHO.Gen Trojan
[NOTE] The file was moved to '48dc7b12.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1727\A0167534.exe
[DETECTION] Is the TR/Dldr.ConHook.BJ Trojan
[NOTE] The file was moved to '48dc7b16.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1727\A0167535.exe
[DETECTION] Is the TR/Fakealert.ZV.1 Trojan
[NOTE] The file was moved to '48dc7b19.qua'!
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1727\A0167536.exe
[DETECTION] Is the TR/Dldr.Zlob.uun Trojan
[NOTE] The file was moved to '48dc7b1b.qua'!


End of the scan: Tuesday, August 19, 2008 22:18
Used time: 51:50 Minute(s)

The scan has been done completely.

4931 Scanning directories
220696 Files were scanned
37 viruses and/or unwanted programs were found
1 Files were classified as suspicious:
0 files were deleted
0 files were repaired
36 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
220656 Files not concerned
5694 Archives were scanned
3 Warnings
36 Notes

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:26 PM, on 8/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPOTBX05.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\JIM\Application Data\Mozilla\Profiles\default\pq1xhrc9.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JIM\Application Data\Mozilla\Profiles\default\pq1xhrc9.slt\prefs.js)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1195659550187
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6346 bytes

The computer is running much better. I don't have the pop-ups or warnings anymore. Is there an antivirus that you recommend, or is the Antivir a good one? Thank you for your help. You have saved me. Let me know what else to do.