Tech Support Forum - View Single Post - IE Popups, system slow, Symantec Fails to Detect Cause

azscottd · 12-03-2008, 07:07 AM

ComboFix 08-12-01.03 - HP_Administrator 2008-12-03 6:36:07.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.83 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFscript.txt
* Created a new restore point

FILE ::
c:\program files\Real\RealArcade\Setup\setup_rac.exe
c:\windows\system32\dllcache\OLD3F.tmp
c:\windows\system32\dllcache\OLD49.tmp
c:\windows\system32\euqugsjryckwl.dll-uninst.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\Application Data\LimeWire
c:\documents and settings\HP_Administrator\Application Data\LimeWire\414splashfree.png
c:\documents and settings\HP_Administrator\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\HP_Administrator\Application Data\LimeWire\createtimes.cache
c:\documents and settings\HP_Administrator\Application Data\LimeWire\downloads.dat
c:\documents and settings\HP_Administrator\Application Data\LimeWire\fileurns.bak
c:\documents and settings\HP_Administrator\Application Data\LimeWire\fileurns.cache
c:\documents and settings\HP_Administrator\Application Data\LimeWire\filters.props
c:\documents and settings\HP_Administrator\Application Data\LimeWire\gnutella.net
c:\documents and settings\HP_Administrator\Application Data\LimeWire\installation.props
c:\documents and settings\HP_Administrator\Application Data\LimeWire\library.dat
c:\documents and settings\HP_Administrator\Application Data\LimeWire\limewire.props
c:\documents and settings\HP_Administrator\Application Data\LimeWire\mojito.props
c:\documents and settings\HP_Administrator\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\HP_Administrator\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\HP_Administrator\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\HP_Administrator\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\HP_Administrator\Application Data\LimeWire\questions.props
c:\documents and settings\HP_Administrator\Application Data\LimeWire\responses.cache
c:\documents and settings\HP_Administrator\Application Data\LimeWire\simpp.xml
c:\documents and settings\HP_Administrator\Application Data\LimeWire\spam.dat
c:\documents and settings\HP_Administrator\Application Data\LimeWire\tables.props
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\logo.png
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\notsearching.png
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\searching.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\splash.png
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\splashpro.png
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\ttrees.cache
c:\documents and settings\HP_Administrator\Application Data\LimeWire\ttroot.cache
c:\documents and settings\HP_Administrator\Application Data\LimeWire\version.xml
c:\documents and settings\HP_Administrator\Application Data\LimeWire\versions.props
c:\documents and settings\HP_Administrator\Application Data\LimeWire\xml\data\audio.sxml2
c:\documents and settings\HP_Administrator\Application Data\LimeWire\xml\data\delete_me
c:\documents and settings\HP_Administrator\Application Data\LimeWire\xml\misc\application.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\xml\misc\audio.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\xml\misc\document.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\xml\misc\image.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\xml\misc\video.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\xml\schemas\application.xsd
c:\documents and settings\HP_Administrator\Application Data\LimeWire\xml\schemas\audio.xsd
c:\documents and settings\HP_Administrator\Application Data\LimeWire\xml\schemas\document.xsd
c:\documents and settings\HP_Administrator\Application Data\LimeWire\xml\schemas\image.xsd
c:\documents and settings\HP_Administrator\Application Data\LimeWire\xml\schemas\video.xsd
c:\program files\Real\RealArcade\Setup\setup_rac.exe
c:\windows\system32\dllcache\OLD3F.tmp
c:\windows\system32\dllcache\OLD49.tmp
c:\windows\system32\euqugsjryckwl.dll-uninst.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 )))))))))))))))))))))))))))))))
.

2008-12-03 03:00 . 2008-12-03 03:00 <DIR> d-------- c:\windows\LastGood
2008-12-02 17:24 . 2008-12-02 17:23 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-02 17:24 . 2008-12-02 17:23 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-02 16:00 . 2008-12-02 16:00 <DIR> d-------- c:\program files\Trend Micro
2008-12-01 23:16 . 2008-12-01 23:18 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-01 22:41 . 2008-12-01 22:41 250 --a------ c:\windows\gmer.ini
2008-12-01 21:38 . 2001-08-17 14:56 66,048 --a------ c:\windows\system32\dllcache\s3legacy.dll
2008-12-01 18:25 . 2008-12-01 18:25 <DIR> d-------- c:\program files\Panda Security
2008-12-01 18:25 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-12-01 03:25 . 2008-12-01 03:25 <DIR> d-------- c:\program files\Lavasoft
2008-12-01 03:25 . 2008-12-01 03:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-01 02:53 . 2008-12-01 02:53 <DIR> d-------- C:\Autoruns
2008-12-01 02:49 . 2008-12-01 02:49 <DIR> d--h----- c:\windows\PIF
2008-12-01 02:23 . 2008-12-01 02:23 75 --a------ c:\windows\st_affiliate.ini
2008-12-01 01:55 . 2008-12-01 01:55 <DIR> d-------- C:\ProcessExplorerNt
2008-11-30 22:01 . 2008-12-01 01:57 <DIR> d-------- c:\documents and settings\HP_Administrator\.housecall6.6
2008-11-30 20:26 . 2008-12-01 22:02 <DIR> d-------- c:\program files\a-squared Free
2008-11-30 20:07 . 2008-11-30 20:07 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-30 20:07 . 2008-11-30 20:07 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-30 20:07 . 2008-11-30 20:07 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-30 20:07 . 2008-11-30 20:07 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-30 20:05 . 2008-11-30 20:05 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-30 19:05 . 2008-11-30 19:05 <DIR> d-------- c:\program files\CCleaner
2008-11-27 09:20 . 2008-11-27 09:20 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-27 09:20 . 2008-11-27 09:20 1,409 --a------ c:\windows\QTFont.for
2008-11-13 15:56 . 2008-11-13 15:56 <DIR> d-------- c:\windows\system32\scripting
2008-11-13 15:56 . 2008-11-13 15:56 <DIR> d-------- c:\windows\system32\en
2008-11-13 15:56 . 2008-11-13 15:56 <DIR> d-------- c:\windows\system32\bits
2008-11-13 15:56 . 2008-11-13 15:56 <DIR> d-------- c:\windows\l2schemas
2008-11-13 15:53 . 2008-11-13 15:53 <DIR> d-------- c:\windows\ServicePackFiles
2008-11-13 15:46 . 2001-08-17 12:11 96,640 --a------ c:\windows\system32\drivers\b57xp32.sys
2008-11-13 15:46 . 2001-08-17 12:11 96,640 --a------ c:\windows\system32\dllcache\b57xp32.sys
2008-11-11 13:31 . 2008-10-24 04:21 455,296 --a------ c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-03 03:34 --------- d-----w c:\program files\Symantec AntiVirus
2008-12-03 00:23 --------- d-----w c:\program files\Java
2008-12-02 23:18 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\OpenOffice.org2
2008-12-01 10:24 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-01 09:44 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-01 04:52 --------- d-----w c:\program files\PC-Doctor 5 for Windows
2008-12-01 03:04 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-01 02:56 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Lavasoft
2008-11-20 21:50 5,880 ----a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2008-11-15 18:01 --------- d-----w c:\program files\LimeWire
2008-11-15 04:24 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-13 22:59 61,440 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2008-11-13 22:59 45,056 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2008-11-13 22:59 44,032 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2008-11-13 22:59 40,960 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2008-11-13 22:59 341,048 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2008-11-13 22:59 32,768 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2008-11-13 22:59 32,768 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2008-11-13 22:59 217,088 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
2008-11-13 22:59 163,840 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-15 16:34 337,408 ----a-w c:\windows\system32\dllcache\netapi32.dll
2008-09-30 23:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\dllcache\srv.sys
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\dllcache\msxml3.dll
2006-09-11 03:13 774,144 ----a-w c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-02_15.56.19.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-10-12 08:35:14 49,248 ----a-w c:\windows\system32\java.exe
+ 2008-12-03 00:23:53 144,792 ----a-w c:\windows\system32\java.exe
- 2006-10-12 08:35:24 53,346 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-03 00:23:53 144,792 ----a-w c:\windows\system32\javaw.exe
- 2006-10-12 10:10:56 127,078 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-03 00:23:53 148,888 ----a-w c:\windows\system32\javaws.exe
- 2007-11-30 12:39:22 17,272 ----a-w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
+ 2008-12-03 00:24:12 16,384 ----atw c:\windows\temp\Perflib_Perfdata_510.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-08-25 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-08-25 81920]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-02-16 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-02 136600]
"nwiz"="nwiz.exe" [2006-01-24 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 282624]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 176128]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
--a------ 2005-07-28 14:28 50776 c:\program files\America Online 9.0\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2004-10-18 17:42 79448 c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2004-10-20 06:40 34904 c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2005-10-04 12:42 48752 c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 17:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
--a------ 2005-11-11 14:11 1064960 c:\program files\DISC\DISCover.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
--a------ 2005-11-11 14:10 61440 c:\program files\DISC\DISCUpdateMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
--a------ 2005-11-01 03:01 90112 c:\program files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 14:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2004-11-03 14:03 125528 c:\program files\Common Files\AOL\1186788585\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-12 00:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2005-11-09 10:29 249856 c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a------ 2005-06-01 16:35 49152 c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 17:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-01-24 11:15 7311360 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]
--a------ 2005-10-31 12:47 53248 c:\program files\PC-Doctor 5 for Windows\RunProfiler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-08-10 16:30 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2005-07-22 16:14 237568 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2004-12-13 20:23 663552 c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-16 15:55 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-02-16 22:24 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
--a------ 2005-08-02 17:19 77312 c:\windows\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-01-24 11:15 1519616 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-01-23 03:53 15969280 c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1186788585\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-01 28544]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-02 99376]
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2005-11-15 169200]

*Newly Created Service* - JAVAQUICKSTARTERSERVICE
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
Toolbar-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-03 06:39:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-03 6:40:13
ComboFix-quarantined-files.txt 2008-12-03 13:39:37
ComboFix2.txt 2008-12-03 00:11:10
ComboFix3.txt 2008-12-02 22:56:47

Pre-Run: 168,073,379,840 bytes free
Post-Run: 168,085,417,984 bytes free

314 --- E O F --- 2008-12-03 10:00:58

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7

12 AM, on 12/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://C:\Program Files\PH Train & Assess IT\plugin\cab\awswaxf.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/actives.../as2stubie.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 10428 bytes

12-03-2008, 07:07 AM	#11 (permalink)
azscottd Registered User Join Date: Dec 2008 Posts: 6 OS: XP SP3	Re: IE Popups, system slow, Symantec Fails to Detect Cause ComboFix 08-12-01.03 - HP_Administrator 2008-12-03 6:36:07.3 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.83 [GMT -7:00] Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFscript.txt * Created a new restore point FILE :: c:\program files\Real\RealArcade\Setup\setup_rac.exe c:\windows\system32\dllcache\OLD3F.tmp c:\windows\system32\dllcache\OLD49.tmp c:\windows\system32\euqugsjryckwl.dll-uninst.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\HP_Administrator\Application Data\LimeWire c:\documents and settings\HP_Administrator\Application Data\LimeWire\414splashfree.png c:\documents and settings\HP_Administrator\Application Data\LimeWire\certificate\limewire.keystore c:\documents and settings\HP_Administrator\Application Data\LimeWire\createtimes.cache c:\documents and settings\HP_Administrator\Application Data\LimeWire\downloads.dat c:\documents and settings\HP_Administrator\Application Data\LimeWire\fileurns.bak c:\documents and settings\HP_Administrator\Application Data\LimeWire\fileurns.cache c:\documents and settings\HP_Administrator\Application Data\LimeWire\filters.props c:\documents and settings\HP_Administrator\Application Data\LimeWire\gnutella.net c:\documents and settings\HP_Administrator\Application Data\LimeWire\installation.props c:\documents and settings\HP_Administrator\Application Data\LimeWire\library.dat c:\documents and settings\HP_Administrator\Application Data\LimeWire\limewire.props c:\documents and settings\HP_Administrator\Application Data\LimeWire\mojito.props c:\documents and settings\HP_Administrator\Application Data\LimeWire\promotion\promodb.backup c:\documents and settings\HP_Administrator\Application Data\LimeWire\promotion\promodb.data c:\documents and settings\HP_Administrator\Application Data\LimeWire\promotion\promodb.properties c:\documents and settings\HP_Administrator\Application Data\LimeWire\promotion\promodb.script c:\documents and settings\HP_Administrator\Application Data\LimeWire\questions.props c:\documents and settings\HP_Administrator\Application Data\LimeWire\responses.cache c:\documents and settings\HP_Administrator\Application Data\LimeWire\simpp.xml c:\documents and settings\HP_Administrator\Application Data\LimeWire\spam.dat c:\documents and settings\HP_Administrator\Application Data\LimeWire\tables.props c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme.lwtp c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\01_star.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\02_star.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\03_star.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\04_star.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\05_star.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\chat.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\forward_dn.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\forward_up.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\kill.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\kill_on.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\logo.png c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\notsearching.png c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\pause_dn.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\pause_up.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\play_dn.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\play_up.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\question.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\rewind_up.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\searching.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\splash.png c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\splashpro.png c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\stop_dn.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\stop_up.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\theme.txt c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\version.txt c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\warning.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\ttrees.cache c:\documents and settings\HP_Administrator\Application Data\LimeWire\ttroot.cache c:\documents and settings\HP_Administrator\Application Data\LimeWire\version.xml c:\documents and settings\HP_Administrator\Application Data\LimeWire\versions.props c:\documents and settings\HP_Administrator\Application Data\LimeWire\xml\data\audio.sxml2 c:\documents and settings\HP_Administrator\Application Data\LimeWire\xml\data\delete_me c:\documents and settings\HP_Administrator\Application Data\LimeWire\xml\misc\application.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\xml\misc\audio.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\xml\misc\document.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\xml\misc\image.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\xml\misc\video.gif c:\documents and settings\HP_Administrator\Application Data\LimeWire\xml\schemas\application.xsd c:\documents and settings\HP_Administrator\Application Data\LimeWire\xml\schemas\audio.xsd c:\documents and settings\HP_Administrator\Application Data\LimeWire\xml\schemas\document.xsd c:\documents and settings\HP_Administrator\Application Data\LimeWire\xml\schemas\image.xsd c:\documents and settings\HP_Administrator\Application Data\LimeWire\xml\schemas\video.xsd c:\program files\Real\RealArcade\Setup\setup_rac.exe c:\windows\system32\dllcache\OLD3F.tmp c:\windows\system32\dllcache\OLD49.tmp c:\windows\system32\euqugsjryckwl.dll-uninst.exe . ((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 ))))))))))))))))))))))))))))))) . 2008-12-03 03:00 . 2008-12-03 03:00 <DIR> d-------- c:\windows\LastGood 2008-12-02 17:24 . 2008-12-02 17:23 410,984 --a------ c:\windows\system32\deploytk.dll 2008-12-02 17:24 . 2008-12-02 17:23 73,728 --a------ c:\windows\system32\javacpl.cpl 2008-12-02 16:00 . 2008-12-02 16:00 <DIR> d-------- c:\program files\Trend Micro 2008-12-01 23:16 . 2008-12-01 23:18 <DIR> d-------- c:\program files\SpywareBlaster 2008-12-01 22:41 . 2008-12-01 22:41 250 --a------ c:\windows\gmer.ini 2008-12-01 21:38 . 2001-08-17 14:56 66,048 --a------ c:\windows\system32\dllcache\s3legacy.dll 2008-12-01 18:25 . 2008-12-01 18:25 <DIR> d-------- c:\program files\Panda Security 2008-12-01 18:25 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys 2008-12-01 03:25 . 2008-12-01 03:25 <DIR> d-------- c:\program files\Lavasoft 2008-12-01 03:25 . 2008-12-01 03:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft 2008-12-01 02:53 . 2008-12-01 02:53 <DIR> d-------- C:\Autoruns 2008-12-01 02:49 . 2008-12-01 02:49 <DIR> d--h----- c:\windows\PIF 2008-12-01 02:23 . 2008-12-01 02:23 75 --a------ c:\windows\st_affiliate.ini 2008-12-01 01:55 . 2008-12-01 01:55 <DIR> d-------- C:\ProcessExplorerNt 2008-11-30 22:01 . 2008-12-01 01:57 <DIR> d-------- c:\documents and settings\HP_Administrator\.housecall6.6 2008-11-30 20:26 . 2008-12-01 22:02 <DIR> d-------- c:\program files\a-squared Free 2008-11-30 20:07 . 2008-11-30 20:07 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy) 2008-11-30 20:07 . 2008-11-30 20:07 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy) 2008-11-30 20:07 . 2008-11-30 20:07 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy) 2008-11-30 20:07 . 2008-11-30 20:07 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy) 2008-11-30 20:05 . 2008-11-30 20:05 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard 2008-11-30 19:05 . 2008-11-30 19:05 <DIR> d-------- c:\program files\CCleaner 2008-11-27 09:20 . 2008-11-27 09:20 54,156 --ah----- c:\windows\QTFont.qfn 2008-11-27 09:20 . 2008-11-27 09:20 1,409 --a------ c:\windows\QTFont.for 2008-11-13 15:56 . 2008-11-13 15:56 <DIR> d-------- c:\windows\system32\scripting 2008-11-13 15:56 . 2008-11-13 15:56 <DIR> d-------- c:\windows\system32\en 2008-11-13 15:56 . 2008-11-13 15:56 <DIR> d-------- c:\windows\system32\bits 2008-11-13 15:56 . 2008-11-13 15:56 <DIR> d-------- c:\windows\l2schemas 2008-11-13 15:53 . 2008-11-13 15:53 <DIR> d-------- c:\windows\ServicePackFiles 2008-11-13 15:46 . 2001-08-17 12:11 96,640 --a------ c:\windows\system32\drivers\b57xp32.sys 2008-11-13 15:46 . 2001-08-17 12:11 96,640 --a------ c:\windows\system32\dllcache\b57xp32.sys 2008-11-11 13:31 . 2008-10-24 04:21 455,296 --a------ c:\windows\system32\dllcache\mrxsmb.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-03 03:34 --------- d-----w c:\program files\Symantec AntiVirus 2008-12-03 00:23 --------- d-----w c:\program files\Java 2008-12-02 23:18 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\OpenOffice.org2 2008-12-01 10:24 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2008-12-01 09:44 --------- d-----w c:\program files\Spybot - Search & Destroy 2008-12-01 04:52 --------- d-----w c:\program files\PC-Doctor 5 for Windows 2008-12-01 03:04 --------- d--h--w c:\program files\InstallShield Installation Information 2008-12-01 02:56 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Lavasoft 2008-11-20 21:50 5,880 ----a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat 2008-11-15 18:01 --------- d-----w c:\program files\LimeWire 2008-11-15 04:24 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help 2008-11-13 22:59 61,440 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll 2008-11-13 22:59 45,056 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe 2008-11-13 22:59 44,032 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe 2008-11-13 22:59 40,960 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll 2008-11-13 22:59 341,048 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll 2008-11-13 22:59 32,768 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll 2008-11-13 22:59 32,768 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll 2008-11-13 22:59 217,088 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll 2008-11-13 22:59 163,840 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll 2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys 2008-10-15 16:34 337,408 ----a-w c:\windows\system32\dllcache\netapi32.dll 2008-09-30 23:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll 2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys 2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\dllcache\win32k.sys 2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll 2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\dllcache\msxml6.dll 2008-09-08 10:41 333,824 ----a-w c:\windows\system32\dllcache\srv.sys 2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll 2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\dllcache\msxml3.dll 2006-09-11 03:13 774,144 ----a-w c:\program files\RngInterstitial.dll . ((((((((((((((((((((((((((((( snapshot@2008-12-02_15.56.19.62 ))))))))))))))))))))))))))))))))))))))))) . - 2006-10-12 08:35:14 49,248 ----a-w c:\windows\system32\java.exe + 2008-12-03 00:23:53 144,792 ----a-w c:\windows\system32\java.exe - 2006-10-12 08:35:24 53,346 ----a-w c:\windows\system32\javaw.exe + 2008-12-03 00:23:53 144,792 ----a-w c:\windows\system32\javaw.exe - 2006-10-12 10:10:56 127,078 ----a-w c:\windows\system32\javaws.exe + 2008-12-03 00:23:53 148,888 ----a-w c:\windows\system32\javaws.exe - 2007-11-30 12:39:22 17,272 ----a-w c:\windows\system32\spmsg.dll + 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll + 2008-12-03 00:24:12 16,384 ----atw c:\windows\temp\Perflib_Perfdata_510.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752] "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-08-25 221184] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-08-25 81920] "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360] "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-02-16 180269] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-02 136600] "nwiz"="nwiz.exe" [2006-01-24 c:\windows\system32\nwiz.exe] c:\documents and settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 282624] Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 176128] KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegedit"= 0 (0x0) [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start] --a------ 2005-07-28 14:28 50776 c:\program files\America Online 9.0\aol.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection] --a------ 2004-10-18 17:42 79448 c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer] -ra------ 2004-10-20 06:40 34904 c:\program files\Common Files\AOL\ACS\AOLDial.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] --a------ 2005-10-04 12:42 48752 c:\program files\Common Files\Symantec Shared\ccApp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2008-04-13 17:12 15360 c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover] --a------ 2005-11-11 14:11 1064960 c:\program files\DISC\DISCover.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager] --a------ 2005-11-11 14:10 61440 c:\program files\DISC\DISCUpdateMgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler] --a------ 2005-11-01 03:01 90112 c:\program files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray] --a------ 2005-08-05 14:56 64512 c:\windows\ehome\ehtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] --a------ 2004-11-03 14:03 125528 c:\program files\Common Files\AOL\1186788585\EE\AOLHostManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] --a------ 2005-05-12 00:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp] --a------ 2005-11-09 10:29 249856 c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08] --a------ 2005-06-01 16:35 49152 c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --------- 2008-04-13 17:12 1695232 c:\program files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] --a------ 2007-01-19 12:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] --a------ 2006-01-24 11:15 7311360 c:\windows\system32\nvcpl.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler] --a------ 2005-10-31 12:47 53248 c:\program files\PC-Doctor 5 for Windows\RunProfiler.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2007-08-10 16:30 98304 c:\program files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard] --a------ 2005-07-22 16:14 237568 c:\windows\SMINST\Recguard.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder] --a------ 2004-12-13 20:23 663552 c:\windows\CREATOR\Remind_XP.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] --a------ 2007-06-16 15:55 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2006-02-16 22:24 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP] --a------ 2005-08-02 17:19 77312 c:\windows\arpwrmsg.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] --a------ 2006-01-24 11:15 1519616 c:\windows\system32\nwiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL] --a------ 2006-01-23 03:53 15969280 c:\windows\RTHDCPL.EXE [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\DISC\\DISCover.exe"= "c:\\Program Files\\DISC\\DiscStreamHub.exe"= "c:\\Program Files\\DISC\\myFTP.exe"= "c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"= "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"= "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"= "c:\\Program Files\\America Online 9.0\\waol.exe"= "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"= "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"= "c:\\Program Files\\Common Files\\AOL\\1186788585\\EE\\AOLServiceHost.exe"= "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"= "c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"= "c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"= "c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MSN Messenger\\livecall.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-01 28544] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-02 99376] S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2005-11-15 169200] Newly Created Service - JAVAQUICKSTARTERSERVICE . - - - - ORPHANS REMOVED - - - - URLSearchHooks-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file) Toolbar-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file) ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-03 06:39:02 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2008-12-03 6:40:13 ComboFix-quarantined-files.txt 2008-12-03 13:39:37 ComboFix2.txt 2008-12-03 00:11:10 ComboFix3.txt 2008-12-02 22:56:47 Pre-Run: 168,073,379,840 bytes free Post-Run: 168,085,417,984 bytes free 314 --- E O F --- 2008-12-03 10:00:58 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 712 AM, on 12/3/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\a-squared Free\a2service.exe C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe C:\WINDOWS\arservice.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\system32\dllhost.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: (no name) - AutorunsDisabled - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user') O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - AutorunsDisabled - (no file) O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O15 - Trusted Zone: http://*.trymedia.com (HKLM) O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://C:\Program Files\PH Train & Assess IT\plugin\cab\awswaxf.cab O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/actives.../as2stubie.cab O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O24 - Desktop Component AutorunsDisabled: (no name) - (no file) -- End of file - 10428 bytes