12-02-2008, 08:33 PM   #5
azscottd
Registered User
 
Join Date: Dec 2008
Posts: 6
OS: XP SP3


Re: IE Popups, system slow, Symantec Fails to Detect Cause

OK - hope I understood correctly. Pasting contents of each log file in-line. PC is running much better. No popups.

ComboFix 08-12-01.03 - HP_Administrator 2008-12-02 17:08:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.353 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFscript.txt
* Created a new restore point

FILE ::
c:\windows\system32\dllcache\OLD24.tmp
c:\windows\system32\dllcache\OLD29.tmp
c:\windows\system32\dllcache\OLD2C.tmp
c:\windows\system32\dllcache\OLD31.tmp
c:\windows\system32\dllcache\OLD36.tmp
c:\windows\system32\dllcache\OLD39.tmp
c:\windows\system32\dllcache\OLDD.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Viewpoint
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\DownLoadHist.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\HostRegistry.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\MTSDownloadSites.txt
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\URLCache.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1434666005.mtj&p2=0&p3=09617960135281075687336414889749&p4=0
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\URLCache.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\URLCache.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\1432539806.mtj&p2=0&p3=09617960135281075687336414889749&p4=0
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\URLCache.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\UpdateVersionList_v2.mtx
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Ads Blocker\AdsAlert.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\cdinstx.exe
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\cdinstx.log
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\cdmyidd.dll
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\database.db
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Download\wsliveup.dat.03
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Includes\Loading.htm
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Includes\NoItems Index.htm
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Includes\Password Cookie.htm
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Includes\Passwords Index.htm
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Includes\Privacy Index.htm
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Password Alert\PasswordAlert.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\charset.html
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\cookie.html
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\defaultCharset.html
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\form.html
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\frame.html
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\gray.htm
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\green.htm
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\host.html
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\images\bg.jpg
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\images\bg_button.jpg
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\images\bg_top.jpg
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\images\bt_go.gif
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\images\bt_go_down.gif
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\images\bt_go_over.gif
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\images\bt_grey.gif
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\images\bt_red - Copy.gif
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\images\bt_red.gif
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\images\bt_red_down.gif
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\images\bt_red_over.gif
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\images\caution.gif
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\images\frame.gif
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\images\logo.gif
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\images\logo.jpg
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\images\logo_orange.gif
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\images\topbar.gif
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\images\topbar_orange.gif
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\images\warning.gif
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\popup.html
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\port.html
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\protocol.html
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\red.htm
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\referrer.html
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\scamalert.htm
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\scamalert.htm1
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\script.html
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\security.html
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\style.css
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\Scam Alert\yellow.htm
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\ssstbar.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\sssTbarcfg.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\sssTbarSettings.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\sssTbarUpdateHost.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\sssTbarV2.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\st.ico
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\stbarpat.dat.03
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\stbarversion.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\UserGuide\cybdefstbar.set
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\UserGuide\stbarchk.ini
c:\documents and settings\HP_Administrator\Local Settings\Application Data\CyberDefender\wsliveup.dat.03
c:\program files\Viewpoint
c:\program files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
c:\program files\Viewpoint\Viewpoint Media Player\AxMetaStream_0305000D.dll
c:\program files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
c:\program files\Viewpoint\Viewpoint Media Player\ComponentMgr_03000F11.dll
c:\program files\Viewpoint\Viewpoint Media Player\ComponentMgr_0305001C.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\VMgr.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\VMPVideo.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\WaveletReader.dll
c:\program files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
c:\program files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
c:\windows\system32\dllcache\OLD24.tmp
c:\windows\system32\dllcache\OLD29.tmp
c:\windows\system32\dllcache\OLD2C.tmp
c:\windows\system32\dllcache\OLD31.tmp
c:\windows\system32\dllcache\OLD36.tmp
c:\windows\system32\dllcache\OLD39.tmp
c:\windows\system32\dllcache\OLDD.tmp

.
((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 )))))))))))))))))))))))))))))))
.

2008-12-02 16:00 . 2008-12-02 16:00 <DIR> d-------- c:\program files\Trend Micro
2008-12-02 15:55 . 2008-12-02 15:55 <DIR> d-------- c:\windows\LastGood
2008-12-01 23:16 . 2008-12-01 23:18 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-01 22:41 . 2008-12-01 22:41 250 --a------ c:\windows\gmer.ini
2008-12-01 21:38 . 2001-08-17 14:56 66,048 --a------ c:\windows\system32\dllcache\s3legacy.dll
2008-12-01 21:38 . 2004-08-09 14:00 7,168 --a------ c:\windows\system32\dllcache\OLD49.tmp
2008-12-01 21:37 . 2008-08-14 03:09 2,145,280 --a------ c:\windows\system32\dllcache\OLD3F.tmp
2008-12-01 18:25 . 2008-12-01 18:25 <DIR> d-------- c:\program files\Panda Security
2008-12-01 18:25 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-12-01 03:25 . 2008-12-01 03:25 <DIR> d-------- c:\program files\Lavasoft
2008-12-01 03:25 . 2008-12-01 03:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-01 02:53 . 2008-12-01 02:53 <DIR> d-------- C:\Autoruns
2008-12-01 02:49 . 2008-12-01 02:49 <DIR> d--h----- c:\windows\PIF
2008-12-01 02:23 . 2008-12-01 02:23 75 --a------ c:\windows\st_affiliate.ini
2008-12-01 01:55 . 2008-12-01 01:55 <DIR> d-------- C:\ProcessExplorerNt
2008-11-30 22:01 . 2008-12-01 01:57 <DIR> d-------- c:\documents and settings\HP_Administrator\.housecall6.6
2008-11-30 20:26 . 2008-12-01 22:02 <DIR> d-------- c:\program files\a-squared Free
2008-11-30 20:07 . 2008-11-30 20:07 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-30 20:07 . 2008-11-30 20:07 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-30 20:07 . 2008-11-30 20:07 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-30 20:07 . 2008-11-30 20:07 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-30 20:05 . 2008-11-30 20:05 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-30 19:05 . 2008-11-30 19:05 <DIR> d-------- c:\program files\CCleaner
2008-11-27 09:20 . 2008-11-27 09:20 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-27 09:20 . 2008-11-27 09:20 1,409 --a------ c:\windows\QTFont.for
2008-11-26 23:04 . 2008-11-26 23:04 84,310 --a------ c:\windows\system32\euqugsjryckwl.dll-uninst.exe
2008-11-13 15:56 . 2008-11-13 15:56 <DIR> d-------- c:\windows\system32\scripting
2008-11-13 15:56 . 2008-11-13 15:56 <DIR> d-------- c:\windows\system32\en
2008-11-13 15:56 . 2008-11-13 15:56 <DIR> d-------- c:\windows\system32\bits
2008-11-13 15:56 . 2008-11-13 15:56 <DIR> d-------- c:\windows\l2schemas
2008-11-13 15:53 . 2008-11-13 15:53 <DIR> d-------- c:\windows\ServicePackFiles
2008-11-13 15:46 . 2001-08-17 12:11 96,640 --a------ c:\windows\system32\drivers\b57xp32.sys
2008-11-13 15:46 . 2001-08-17 12:11 96,640 --a------ c:\windows\system32\dllcache\b57xp32.sys
2008-11-11 13:31 . 2008-10-24 04:21 455,296 --a------ c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 23:18 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\OpenOffice.org2
2008-12-02 23:10 --------- d-----w c:\program files\Symantec AntiVirus
2008-12-01 10:24 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-01 09:44 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-01 04:52 --------- d-----w c:\program files\PC-Doctor 5 for Windows
2008-12-01 03:04 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-01 02:56 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Lavasoft
2008-11-20 21:50 5,880 ----a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2008-11-15 18:01 --------- d-----w c:\program files\LimeWire
2008-11-15 18:01 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\LimeWire
2008-11-15 04:24 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-13 22:59 61,440 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2008-11-13 22:59 45,056 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2008-11-13 22:59 44,032 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2008-11-13 22:59 40,960 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2008-11-13 22:59 341,048 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2008-11-13 22:59 32,768 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2008-11-13 22:59 32,768 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2008-11-13 22:59 217,088 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
2008-11-13 22:59 163,840 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-15 16:34 337,408 ----a-w c:\windows\system32\dllcache\netapi32.dll
2008-09-30 23:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\dllcache\srv.sys
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\dllcache\msxml3.dll
2006-09-11 03:13 774,144 ----a-w c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-02_15.56.19.62 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-08-25 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-08-25 81920]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-02-16 180269]
"nwiz"="nwiz.exe" [2006-01-24 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 282624]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 176128]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
--a------ 2005-07-28 14:28 50776 c:\program files\America Online 9.0\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2004-10-18 17:42 79448 c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2004-10-20 06:40 34904 c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2005-10-04 12:42 48752 c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 17:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
--a------ 2005-11-11 14:11 1064960 c:\program files\DISC\DISCover.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
--a------ 2005-11-11 14:10 61440 c:\program files\DISC\DISCUpdateMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
--a------ 2005-11-01 03:01 90112 c:\program files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 14:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2004-11-03 14:03 125528 c:\program files\Common Files\AOL\1186788585\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-12 00:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2005-11-09 10:29 249856 c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a------ 2005-06-01 16:35 49152 c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 17:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-01-24 11:15 7311360 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]
--a------ 2005-10-31 12:47 53248 c:\program files\PC-Doctor 5 for Windows\RunProfiler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-08-10 16:30 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2005-07-22 16:14 237568 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2004-12-13 20:23 663552 c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-10-12 03:10 49263 c:\program files\Java\jre1.5.0_09\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-16 15:55 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-02-16 22:24 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
--a------ 2005-08-02 17:19 77312 c:\windows\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-01-24 11:15 1519616 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-01-23 03:53 15969280 c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1186788585\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-01 28544]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-02 99376]
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2005-11-15 169200]

*Newly Created Service* - CATCHME
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
Toolbar-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 17:10:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-02 17:11:07
ComboFix-quarantined-files.txt 2008-12-03 00:10:42
ComboFix2.txt 2008-12-02 22:56:47

Pre-Run: 168,289,591,296 bytes free
Post-Run: 168,253,620,224 bytes free

340 --- E O F --- 2008-11-15 04:50:10

From virustotal:

Additional information
File size: 84310 bytes
MD5...: 1532a88c79ecaa85d4fa7795d432f07b
SHA1..: fe0f5ec8473b746a97feaecdbb54d7eaa648f169
SHA256: 731141446ccc9cda32d0cc007196651936575abe51a24d81740a6e4865eb610b
SHA512: cee5d6fc089ded158dbe0cb73167f95c15d3d7e7dc9ef20c472b79fc453b5f2c53be84c504801bb3a0409fbb3ea735af34f4b926f337ea8dd8bf53772a9a4d56
ssdeep: 1536:GRvLphwAO2PH1srwmJIe2BalMTns3p1yc+v6MwiVoqvGv:GlpOI2wmJIWp1y/vXwuo7
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x403228
timedatestamp.....: 0x48efcdbf (Fri Oct 10 21:48:47 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5ac0 0x5c00 6.48 7f9f3d20cb836b74a551c2b25f308d2f
.rdata 0x7000 0x1190 0x1200 5.18 db16645055619c0cc73276ff5c3adb75
.data 0x9000 0x3997d8 0x400 4.71 831527cd097dfd3ec0ab4666ab81e7d3
.ndata 0x3a3000 0xa000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x3ad000 0x4170 0x4200 6.41 59c6fbf5e62caf2da599c468d70951c7

( 8 imports )
> KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
> USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

( 0 exports )

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, December 2, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, December 02, 2008 20:35:17
Records in database: 1432531
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 94292
Threat name: 4
Infected objects: 5
Suspicious objects: 2
Duration of the scan: 01:51:48


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00EC0000\48FC158C.VBN Infected: Trojan-Downloader.Win32.Agent.dte 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00EC0001\48FC160E.VBN Infected: Trojan-Downloader.Win32.Agent.dte 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0ED40000\4FF7C859.VBN Infected: Trojan.Win32.Agent.aqyt 1
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\msansspc.dll.bac_a01840 Infected: Trojan.Win32.Monder.zzr 1
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{D190EE07-1887-4595-8F62-6253114299D2}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Program Files\Real\RealArcade\Setup\setup_rac.exe Infected: Trojan-Downloader.Win32.Agent.dte 1

The selected area was scanned.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:26 PM, on 12/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://C:\Program Files\PH Train & Assess IT\plugin\cab\awswaxf.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/actives.../as2stubie.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 10495 bytes