Resolved HJT Threads (resolved spyware and popup issues)

06-05-2007, 09:28 PM   #1
Registered User
 
Join Date: Jun 2007
Posts: 13
OS: XP


I need some big help...PLEASE...

I'm running Windows XP. Just all of a sudden, for whatever reason, I started getting error messages like "imapi.exe Application Error", "AUpdate.exe Application Error", "Wuauclt.exe Application Error". It causes Firefox to just stop working (I'm on IE right now), and I don't know what to do. I tried using System Restore; it failed, and now it won't let me select any days prior to today. Sometimes when I try to even load System Restore, the restore program crashes before I can do anything. I was reading other forums, and someone mentioned using HijackThis, so here it is. Can anyone help?

Oh, and also, for a while now I've been getting random popups. I can't seem to get rid of them. I've run spyware programs, but none of them do anything. Really annoying. Any help on that would be appreciated as well. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 8:28:02 PM, on 6/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\BearShare\BearShare.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\csrss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Desktop\hijackthis_sfx.exe
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {240643D8-2A19-4C41-9511-A09D98398FC7} - (no file)
O2 - BHO: MSVPS System - {2724E072-19D0-486d-A819-9D914191AE92} - C:\WINDOWS\ietools.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: (no name) - {7FF86816-04A2-4DED-B70C-31D9760FBE1F} - (no file)
O2 - BHO: (no name) - {8071E65A-3F56-4426-8372-8667CD213057} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CA2CFBDE-0F94-491B-9286-00C60C553954} - (no file)
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\wtibuutq.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AIM (R)] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [csrss] C:\WINDOWS\csrss.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://winantivirus.com/download/200...&lng=rs&cnt=us
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mllmk - C:\WINDOWS\
O20 - Winlogon Notify: opnomlm - C:\WINDOWS\
O20 - Winlogon Notify: pmnkhgg - C:\WINDOWS\
O20 - Winlogon Notify: pmnnk - C:\WINDOWS\
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: mssms - {D45E01C2-FF5A-49FE-B46D-5B3D479D89E0} - C:\WINDOWS\mssms.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Last edited by VipaGTS; 06-05-2007 at 09:39 PM.
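What an analyst does when reading a log like the one above is apply a handful of positional and naming checks: a core Windows binary name (csrss.exe, lsass.exe, ...) loaded from anywhere but system32, a Run key that launches such a name, a Winlogon Notify entry whose path is a bare directory with a keyboard-mash key name, and an unnamed BHO or SSODL object dropped into the Windows tree. The script below is an added example for this thread, not HijackThis code and not part of any post; it encodes those checks in Python and runs them over entries excerpted verbatim from the first post's log. The CORE_PROCESSES set, the random-name heuristic and the reason strings are this example's own assumptions, and the random-name test is only a supporting signal, never a verdict on its own.

```python
"""Triage heuristics for HijackThis v1.99 log entries.

Added example for this thread: not HijackThis code and not part of the
original posts. It encodes checks an analyst applies by eye to a log like
the one above: a core Windows process name loaded from outside system32,
an O4 Run entry that launches such a name, an O20 Winlogon Notify entry
whose path is a bare directory, and an unnamed O2 BHO or an O21 SSODL
object living in the Windows tree. CORE_PROCESSES, the random-name test
and the reason strings are this example's own assumptions.
"""
import re

# Processes the XP boot chain starts itself; they are never legitimately
# launched from a Run key and always live in %SystemRoot%\system32.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe"}
WINROOT = r"c:\windows"
SYSTEM32 = r"c:\windows\system32"

# Entries excerpted verbatim from the HijackThis log in the first post
# (two 'Running processes' lines followed by O2/O4/O20/O21 entries).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\csrss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\wtibuutq.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [csrss] C:\WINDOWS\csrss.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mllmk - C:\WINDOWS\
O21 - SSODL: mssms - {D45E01C2-FF5A-49FE-B46D-5B3D479D89E0} - C:\WINDOWS\mssms.dll
"""

# First drive-letter path in an entry; stops at a closing quote or end of line.
_PATH = re.compile(r'([A-Za-z]:\\[^"]*?)(?:"|\s*$)')


def extract_path(entry):
    """Return the first Windows path in an HJT entry, or None for '(no file)'."""
    m = _PATH.search(entry)
    return m.group(1).strip() if m else None


def split_path(path):
    """Lower-cased (directory, filename); filename is '' for a bare directory."""
    folder, _, name = path.lower().rpartition("\\")
    return folder, name


def looks_random(key):
    """Crude keyboard-mash test, used only as a supporting signal: a lowercase
    alphabetic key with no vowels, or a run of three or more consonants."""
    key = key.lower()
    if not key.isalpha() or len(key) < 4:
        return False
    vowels = sum(c in "aeiouy" for c in key)
    return vowels == 0 or re.search(r"[^aeiouy]{3}", key) is not None


def _key_name(entry):
    """Key name from 'O20 - Winlogon Notify: <key> - ...' or 'O21 - SSODL: <key> - ...'."""
    return entry.split(":", 1)[1].split(" - ", 1)[0].strip()


def triage_entry(entry):
    """Return the reasons this HJT entry (or running-process path) is suspicious."""
    entry = entry.strip()
    reasons = []
    path = extract_path(entry)
    if path is None:                     # blank line, '(no file)' orphan, no path
        return reasons
    folder, name = split_path(path)

    if entry.startswith("O4 - ") and name in CORE_PROCESSES:
        reasons.append("core Windows process name launched from a Run key")
    elif entry.startswith("O20 - ") and path.endswith("\\"):
        reasons.append("Winlogon Notify entry with a bare directory and no DLL name")
        if looks_random(_key_name(entry)):
            reasons.append("random-looking key name %r" % _key_name(entry))
    elif entry.startswith("O2 - BHO: (no name)") and folder.startswith(WINROOT):
        reasons.append("unnamed BHO loaded from the Windows tree")
    elif entry.startswith("O21 - "):
        if folder == WINROOT:
            reasons.append("SSODL object in the Windows root instead of system32")
        if looks_random(_key_name(entry)):
            reasons.append("random-looking key name %r" % _key_name(entry))

    # Applies to every entry kind, including plain 'Running processes' lines.
    if name in CORE_PROCESSES and folder != SYSTEM32:
        reasons.append("%s running from %s instead of system32" % (name, folder))
    return reasons


def triage(log_text):
    """Map each suspicious entry to its reasons; clean entries are omitted."""
    findings = {}
    for raw in log_text.splitlines():
        reasons = triage_entry(raw)
        if reasons:
            findings[raw.strip()] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    ->", reason)
```

Run against the excerpt, the script flags exactly the five entries the later ComboFix and SDFix logs in this thread confirm as junk (the C:\WINDOWS\csrss.exe process and its HKCU Run key, the wtibuutq.dll BHO, the mllmk Winlogon Notify key and the mssms.dll SSODL object) and leaves the Symantec, Adobe and Intel graphics entries alone. The "(no file)" BHO orphans yield no path and are skipped; they are dead registrations, not loaded code.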
06-06-2007, 09:43 AM   #2
Registered User
 
Join Date: Jun 2007
Posts: 13
OS: XP


Re: I need some big help...PLEASE...

Anyone?
06-06-2007, 11:22 PM   #3
Registered User
 
Join Date: Jun 2007
Posts: 13
OS: XP


Re: I need some big help...PLEASE...

...Can anyone help?...PLEASE...
06-06-2007, 11:30 PM   #4
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: I need some big help...PLEASE...

Hello VipaGTS and welcome to TSF,

This will take a couple of rounds to properly clean, so please stay with me and post the requested logs.

Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% -(Drive that contains the Windows Directory, typically C:\SDFix)

--------------------------------------------------------------------

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

Close any open browsers.

--------------------------------------------------------------------


Double click on combofix.exe & follow the prompts. When finished, it will produce a log for you, which I will need in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


--------------------------------------------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also be saved into the SDFix folder as Report.txt. I'll need that in your next reply.
--------------------------------------------------------------------

As noted in our sticky topic (Updated!) IMPORTANT - Read This Before Posting A Log, please download Deckard's System Scanner (DSS) to your Desktop.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review.
  • DSS automatically runs HijackThis 1.99.1 for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.


Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized)
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

Please include the following in your next reply:

main.txt
an attached extra.txt


--------------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
C:\SDFix\Report.txt
main.txt
extra.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
06-07-2007, 11:30 AM   #5
Registered User
 
Join Date: Jun 2007
Posts: 13
OS: XP


Re: I need some big help...PLEASE...

Thanks for the help. Here are the log files...

"HP_Owner" - 2007-06-07 9:50:53 Service Pack 2 NTFS
ComboFix 07-06-06 - Running from: ""


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\axtmbffp.dll
C:\WINDOWS\system32\eskeatxh.dll
C:\WINDOWS\system32\ojufnvia.dll
C:\WINDOWS\system32\pnxtxqyc.dll
C:\WINDOWS\system32\ulnwgmmr.dll
C:\WINDOWS\system32\wtibuutq.dll
C:\WINDOWS\system32\gjllm.bak1


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\HP_Owner\APPLIC~1.\macromedia\Flash Player\#SharedObjects\B7GYKFAG\www.broadcaster.com
C:\DOCUME~1\HP_Owner\APPLIC~1.\macromedia\Flash Player\#SharedObjects\B7GYKFAG\www.broadcaster.com\played_list.sol
C:\DOCUME~1\HP_Owner\APPLIC~1.\macromedia\Flash Player\#SharedObjects\B7GYKFAG\www.broadcaster.com\video_queue.sol
C:\DOCUME~1\HP_Owner\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\HP_Owner\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\HP_Owner\~tmp0374.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\Temp\17O7
C:\Temp\17O7\tmpTF.log
C:\Temp\tn3
C:\WINDOWS\csrss.exe
C:\WINDOWS\smante~1
C:\WINDOWS\system32\5_exception.nls
C:\WINDOWS\system32\advvpi32.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\lsasss.exe
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\smpi1
C:\WINDOWS\system32\smpi1\DealioKit1-stub-0.exe
C:\WINDOWS\system32\smpi1\win106.exe
C:\WINDOWS\system32\T8QaSQ
C:\WINDOWS\system32\T8QaSQ\T8QaSQ1095.exe
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_NM
-------\LEGACY_RUNTIME
-------\nm
-------\runtime


((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 )))))))))))))))))))))))))))))))


2007-06-07 09:43 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-05 17:52 <DIR> d-------- C:\Program Files\AOD
2007-06-05 17:31 <DIR> d-------- C:\temp\x2b
2007-06-05 17:27 73,728 --a------ C:\WINDOWS\ALCFDRTM.EXE
2007-05-29 19:19 72,192 --a------ C:\WINDOWS\mssms.dll
2007-05-29 19:19 69,120 --a------ C:\WINDOWS\ietools.dll
2007-05-26 10:11 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Prevx
2007-05-26 10:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2007-05-25 15:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\myCleanerPC
2007-05-25 15:13 <DIR> d-------- C:\Program Files\myCleanerPC
2007-05-25 14:29 5,648,384 --a------ C:\DOCUME~1\HP_Owner\ntuser.dat
2007-05-16 10:26 77,312 --a------ C:\WINDOWS\ua2.dll
2007-05-11 20:20 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-05-11 19:46 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Webroot
2007-05-11 19:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Talkback
2007-05-11 19:16 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-05-07 10:36 <DIR> d-------- C:\Program Files\BearShare


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-06 02:03:23 -------- d-----w C:\Program Files\AIM
2007-06-05 19:57:52 -------- d-----w C:\DOCUME~1\HP_Owner\APPLIC~1\Azureus
2007-06-01 21:15:50 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-15 18:46:11 1,476,846 --sh--w C:\WINDOWS\system32\knnmp.bak2
2007-05-12 02:11:34 -------- d-----w C:\Program Files\Viewpoint
2007-05-12 02:11:34 -------- d-----w C:\DOCUME~1\HP_Owner\APPLIC~1\Viewpoint
2007-05-07 17:29:48 -------- d-----w C:\Program Files\Norton AntiVirus
2007-05-07 05:11:25 -------- d-----w C:\Program Files\Winamp
2007-05-07 05:11:25 -------- d-----w C:\Program Files\2Wire
2007-05-07 05:10:11 37,019 ----a-w C:\WINDOWS\system32\ps2.exe
2007-05-07 05:10:11 37,019 ----a-w C:\WINDOWS\system32\hkcmd.exe
2007-05-03 0114 -------- d-----w C:\Program Files\Symantec
2007-05-03 01:04:05 28,672 ----a-w C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-05-02 00:37:53 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-01 21:49:36 -------- d-----w C:\DOCUME~1\HP_Owner\APPLIC~1\Lavasoft
2007-05-01 21:49:13 -------- d-----w C:\Program Files\Lavasoft
2007-05-01 21:34:04 -------- d-----w C:\Program Files\Install Provider
2007-05-01 18:42:45 1,368,824 --sh--w C:\WINDOWS\system32\knnmp.bak1
2007-04-11 22:04:20 -------- d-----w C:\DOCUME~1\HP_Owner\APPLIC~1\Propellerhead Software
2007-04-11 21:57:40 233,472 ----a-w C:\WINDOWS\system32\REX Shared Library.dll
2007-04-11 00:11:47 -------- d-----w C:\Program Files\Recycle
2007-04-05 02:05:15 46 ----a-w C:\WINDOWS\system32\DonationCoder_urlsnooper_InstallInfo.dat
2007-03-29 01:41:32 517,848 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-03-29 01:41:28 132,824 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-03-15 19:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 19:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
2005-05-07 19:30:54 56 --sh--r C:\WINDOWS\system32\F064F36CE4.sys
2005-05-07 19:30:54 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{2724E072-19D0-486d-A819-9D914191AE92}=C:\WINDOWS\ietools.dll [2007-05-24 03:03]
{55EA1964-F5E4-4D6A-B9B2-125B37655FCB}=C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll [2006-01-10 12:09]
{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2005-10-19 13:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2007-05-06 22:10]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 17:10 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2007-05-06 22:10]
"KBD"="C:\HP\KBD\KBD.EXE" [2007-05-06 22:10]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-05-06 22:10]
"SoundMan"="SOUNDMAN.EXE" [2004-10-13 14:01 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-13 16:17 C:\WINDOWS\ALCWZRD.EXE]
"Alcmtr"="ALCMTR.EXE" [2004-10-13 16:00 C:\WINDOWS\ALCMTR.EXE]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2007-05-06 22:10]
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2007-05-06 22:10]
"2wSysTray"="C:\Program Files\2Wire\2PortalMon.exe" [2007-05-06 22:10]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-06 22:10]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-05-06 22:10]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2006-04-24 17:28]
"PrevxOne"="C:\Program Files\Prevx1\PXConsole.exe" [2007-03-27 11:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 15:08]
"AIM (R)"="C:\Program Files\AIM\aim.exe" [2005-08-05 15:08]
"csrss"="C:\WINDOWS\csrss.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{D45E01C2-FF5A-49FE-B46D-5B3D479D89E0}"="C:\WINDOWS\mssms.dll" [2007-05-24 01:37]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmk]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnomlm]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkhgg]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnk]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark_X79-55]
C:\WINDOWS\system32\lsasss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxOne]
"C:\Program Files\Prevx1\PXConsole.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
AutoRun\command- D:\setup.exe


Contents of the 'Scheduled Tasks' folder
2007-06-06 07:00:00 C:\WINDOWS\tasks\At1.job
2007-06-06 16:00:00 C:\WINDOWS\tasks\At10.job
2007-06-06 17:00:00 C:\WINDOWS\tasks\At11.job
2007-06-06 18:00:00 C:\WINDOWS\tasks\At12.job
2007-06-06 19:00:00 C:\WINDOWS\tasks\At13.job
2007-06-06 20:00:00 C:\WINDOWS\tasks\At14.job
2007-06-05 21:00:00 C:\WINDOWS\tasks\At15.job
2007-06-05 22:00:00 C:\WINDOWS\tasks\At16.job
2007-06-05 23:00:00 C:\WINDOWS\tasks\At17.job
2007-06-06 00:00:00 C:\WINDOWS\tasks\At18.job
2007-06-06 01:00:00 C:\WINDOWS\tasks\At19.job
2007-05-26 16:45:47 C:\WINDOWS\tasks\At2.job
2007-06-06 02:00:00 C:\WINDOWS\tasks\At20.job
2007-06-05 03:00:00 C:\WINDOWS\tasks\At21.job
2007-06-06 04:00:00 C:\WINDOWS\tasks\At22.job
2007-06-06 05:00:00 C:\WINDOWS\tasks\At23.job
2007-06-07 06:00:00 C:\WINDOWS\tasks\At24.job
2007-05-26 16:45:47 C:\WINDOWS\tasks\At3.job
2007-05-26 16:45:47 C:\WINDOWS\tasks\At4.job
2007-05-26 16:45:47 C:\WINDOWS\tasks\At5.job
2007-05-26 16:45:47 C:\WINDOWS\tasks\At6.job
2007-05-26 16:45:47 C:\WINDOWS\tasks\At7.job
2007-05-26 16:45:47 C:\WINDOWS\tasks\At8.job
2007-06-04 15:00:00 C:\WINDOWS\tasks\At9.job
2007-06-02 03:00:00 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - HP_Owner.job
2007-06-07 16:51:00 C:\WINDOWS\tasks\Symantec NetDetect.job
2007-06-04 15:34:00 C:\WINDOWS\tasks\WebReg psc 1600 series.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-07 09:56:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-07 9:59:15 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-07 09:59

--- E O F ---

--------------------------------------------------------------------------


SDFix: Version 1.87

Run by Administrator - Thu 06/07/2007 - 10:09:35.21

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\LS39NV~1.HTM - Deleted
C:\WINDOWS\ietools.dll - Deleted
C:\WINDOWS\mssms.dll - Deleted
C:\WINDOWS\search_res.txt - Deleted
C:\WINDOWS\tcb.pmw - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking if ADS is attached to ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\WINDOWS\system32\F064F36CE4.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Listing User Accounts:

User accounts for \\SSNATH637

Administrator ASPNET Guest
HelpAssistant HP_Owner SUPPORT_388945a0
SUPPORT_fddfa904


Finished

--------------------------------------------------------------------------

Deckard's System Scanner v20070603.47
Run by HP_Owner on 2007-06-07 at 10:19:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2007-06-07 17:19:52 UTC - RP32 - Deckard's System Scanner Restore Point
1: 2007-06-06 19:19:33 UTC - RP31 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as HP_Owner.exe) --------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:23:24 AM, on 6/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Documents and Settings\HP_Owner\Desktop\dss.exe
C:\DOCUME~1\HP_Owner\Desktop\HP_Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {240643D8-2A19-4C41-9511-A09D98398FC7} - (no file)
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: (no name) - {7FF86816-04A2-4DED-B70C-31D9760FBE1F} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CA2CFBDE-0F94-491B-9286-00C60C553954} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AIM (R)] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [csrss] C:\WINDOWS\csrss.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://winantivirus.com/download/200...&lng=rs&cnt=us
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mllmk - C:\WINDOWS\
O20 - Winlogon Notify: opnomlm - C:\WINDOWS\
O20 - Winlogon Notify: pmnkhgg - C:\WINDOWS\
O20 - Winlogon Notify: pmnnk - C:\WINDOWS\
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 SSI - c:\windows\system32\drivers\ssi.sys <Not Verified; Webroot Software (www.webroot.com); SpySweeper>
R1 PXRDDriver (PREVX Rootkitscan driver) - c:\windows\system32\drivers\pxrd.sys
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
R2 musm3gld - c:\windows\system32\drivers\musm3gld.sys
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys
S3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys (file missing)
S3 HSFHWBS2 - c:\windows\system32\drivers\hsfhwbs2.sys (file missing)
S3 ISD200 (USB Storage Adapter V2) - c:\windows\system32\drivers\isd200.sys <Not Verified; In-System Design, Inc.; USB Storage Adapter>
S3 smserial - c:\windows\system32\drivers\smserial.sys (file missing)
S3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 PREVXAgent (Prevx Agent) - "c:\program files\prevx1\pxagent.exe" -f <Not Verified; Prevx; Prevx-1>
S3 MSSQL$SONY_MEDIAMGR - c:\program files\sony\shared plug-ins\media manager\mssql$sony_mediamgr\binn\sqlservr.exe -ssony_mediamgr <Not Verified; Microsoft Corporation; Microsoft SQL Server>
S3 SQLAgent$SONY_MEDIAMGR - c:\program files\sony\shared plug-ins\media manager\mssql$sony_mediamgr\binn\sqlagent.exe -i sony_mediamgr <Not Verified; Microsoft Corporation; Microsoft SQL Server>
S4 Ietmse12 -


-- Scheduled Tasks -------------------------------------------------------------

2007-06-07 10:21:10 366 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2007-06-07 10:00:00 350 --a------ C:\WINDOWS\Tasks\At11.job
2007-06-06 23:00:00 350 --a------ C:\WINDOWS\Tasks\At24.job
2007-06-06 13:00:00 350 --a------ C:\WINDOWS\Tasks\At14.job
2007-06-06 12:00:00 350 --a------ C:\WINDOWS\Tasks\At13.job
2007-06-06 11:00:00 350 --a------ C:\WINDOWS\Tasks\At12.job
2007-06-06 09:00:00 350 --a------ C:\WINDOWS\Tasks\At10.job
2007-06-06 00:00:00 350 --a------ C:\WINDOWS\Tasks\At1.job
2007-06-05 22:00:00 350 --a------ C:\WINDOWS\Tasks\At23.job
2007-06-05 21:00:00 350 --a------ C:\WINDOWS\Tasks\At22.job
2007-06-05 19:00:00 350 --a------ C:\WINDOWS\Tasks\At20.job
2007-06-05 18:00:00 350 --a------ C:\WINDOWS\Tasks\At19.job
2007-06-05 17:00:00 350 --a------ C:\WINDOWS\Tasks\At18.job
2007-06-05 16:00:00 350 --a------ C:\WINDOWS\Tasks\At17.job
2007-06-05 15:00:00 350 --a------ C:\WINDOWS\Tasks\At16.job
2007-06-05 14:00:00 350 --a------ C:\WINDOWS\Tasks\At15.job
2007-06-04 20:00:00 350 --a------ C:\WINDOWS\Tasks\At21.job
2007-06-04 08:34:00 298 --a------ C:\WINDOWS\Tasks\WebReg psc 1600 series.job
2007-06-04 08:00:00 350 --a------ C:\WINDOWS\Tasks\At9.job
2007-06-01 20:00:00 536 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - HP_Owner.job
2007-05-26 09:45:47 350 --a------ C:\WINDOWS\Tasks\At8.job
2007-05-26 09:45:47 350 --a------ C:\WINDOWS\Tasks\At7.job
2007-05-26 09:45:47 350 --a------ C:\WINDOWS\Tasks\At6.job
2007-05-26 09:45:47 350 --a------ C:\WINDOWS\Tasks\At5.job
2007-05-26 09:45:47 350 --a------ C:\WINDOWS\Tasks\At4.job
2007-05-26 09:45:47 350 --a------ C:\WINDOWS\Tasks\At3.job
2007-05-26 09:45:47 350 --a------ C:\WINDOWS\Tasks\At2.job


-- Files created between 2007-05-07 and 2007-06-07 -----------------------------

2007-06-05 17:52:22 0 d-------- C:\Program Files\AOD
2007-06-05 17:27:06 73728 --a------ C:\WINDOWS\ALCFDRTM.EXE <Not Verified; Realtek Semiconductor Corp.; Realtek ALCFDRTM>
2007-05-26 10:11:24 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Prevx
2007-05-26 10:10:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-05-25 15:14:17 0 d-------- C:\Documents and Settings\All Users\Application Data\myCleanerPC
2007-05-25 15:13:58 0 d-------- C:\Program Files\myCleanerPC
2007-05-25 14:29:16 5648384 --a------ C:\Documents and Settings\HP_Owner\ntuser.dat
2007-05-16 10:26:19 77312 --a------ C:\WINDOWS\ua2.dll
2007-05-11 20:20:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-05-11 19:46:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2007-05-11 19:28:10 0 d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2007-05-11 19:27:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2007-05-11 19:16:15 0 d-------- C:\Program Files\Enigma Software Group
2007-05-07 10:36:49 0 d-------- C:\Program Files\BearShare


-- Find3M Report ---------------------------------------------------------------

2007-06-05 19:03:23 0 d-------- C:\Program Files\AIM
2007-06-05 12:57:52 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Azureus
2007-06-01 14:15:50 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-05-15 11:46:11 1476846 ---hs---- C:\WINDOWS\system32\knnmp.bak2
2007-05-11 19:11:34 0 d-------- C:\Program Files\Viewpoint
2007-05-11 19:11:34 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Viewpoint
2007-05-07 10:29:48 0 d-------- C:\Program Files\Norton AntiVirus
2007-05-06 22:11:25 0 d-------- C:\Program Files\Winamp
2007-05-06 22:11:25 0 d-------- C:\Program Files\2Wire
2007-05-06 22:10:11 37019 --a------ C:\WINDOWS\system32\ps2.exe
2007-05-06 22:10:11 37019 --a------ C:\WINDOWS\system32\hkcmd.exe
2007-05-02 1814 0 d-------- C:\Program Files\Symantec
2007-05-01 17:37:53 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-01 14:49:36 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Lavasoft
2007-05-01 14:49:13 0 d-------- C:\Program Files\Lavasoft
2007-05-01 14:34:04 0 d-------- C:\Program Files\Install Provider
2007-05-01 11:42:45 1368824 ---hs---- C:\WINDOWS\system32\knnmp.bak1
2007-04-11 15:04:20 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Propellerhead Software
2007-04-11 14:57:40 233472 --a------ C:\WINDOWS\system32\REX Shared Library.dll <Not Verified; Propellerhead Software AB; n/a>
2007-04-10 17:11:47 0 d-------- C:\Program Files\Recycle
2007-04-04 19:05:15 46 --a------ C:\WINDOWS\system32\DonationCoder_urlsnooper_InstallInfo.dat


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
{55EA1964-F5E4-4D6A-B9B2-125B37655FCB} C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
{BDF3E430-B101-42AD-A544-FADC6B084872} C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"HPHUPD06"="c:\\Program Files\\HP\\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\\hphupd06.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SoundMan"="SOUNDMAN.EXE"
"AlcWzrd"="ALCWZRD.EXE"
"Alcmtr"="ALCMTR.EXE"
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"IPInSightMonitor 01"="\"C:\\Program Files\\SBC Yahoo!\\Connection Manager\\IP InSight\\IPMon32.exe\""
"2wSysTray"="C:\\Program Files\\2Wire\\2PortalMon.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"BearShare"="\"C:\\Program Files\\BearShare\\BearShare.exe\" /pause"
"PrevxOne"="\"C:\\Program Files\\Prevx1\\PXConsole.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"AIM (R)"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"csrss"="C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"="SpySubtract Shell Extension"
"{CA2CFBDE-0F94-491B-9286-00C60C553954}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnomlm
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkhgg
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hphmon06"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hphmon06.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark_X79-55]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lsasss"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\lsasss.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxOne]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PXConsole"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Prevx1\\PXConsole.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="retadpu2000219"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
Shell\AutoRun\command D:\setup.exe


-- End of Deckard's System Scanner: finished at 2007-06-07 at 10:26:37 ---------
Attached Files
File Type: txt extra.txt (14.3 KB, 2 views)
Old 06-07-2007, 10:06 PM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: I need some big help...PLEASE...

Hi,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

Disable Prevx as it may hinder the fix below:
  • Right click on the Prevx icon in your system tray at the bottom-right corner of your screen and choose "Show Management Console".
  • On the Management Console click the Protection Level drop-down menu. You will see three levels:
    • Maximum
    • Off
    • User Defined

  • To disable all protection set the level to Off. You will receive a prompt asking "You are about to change your security settings. Do you wish to continue?" Click Yes.
  • Click the X on the upper right hand corner to exit the Management console.
--------------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\temp\x2b
C:\WINDOWS\mssms.dll
C:\WINDOWS\ietools.dll
C:\WINDOWS\system32\knnmp.bak2
C:\WINDOWS\system32\knnmp.bak1

Folder::
C:\Program Files\Enigma Software Group

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2724E072-19D0-486d-A819-9D914191AE92}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmtr"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"csrss"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{D45E01C2-FF5A-49FE-B46D-5B3D479D89E0}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmk]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnomlm]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkhgg]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnk]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark_X79-55]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
Save this as ComboFix-Do.txt, in the same location as ComboFix.exe




Referring to the picture above, drag ComboFix-Do.txt into ComboFix.exe

Follow the prompts.

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


--------------------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windowsi586-p.exe to install the newest version.
--------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Panda results
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
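The entries Ried's ComboFix script targets above (the HKCU Run value named "csrss" that points at C:\WINDOWS\csrss.exe, the Winlogon Notify packages mllmk/opnomlm/pmnkhgg/pmnnk that name only a directory, the orphaned BHO CLSIDs, and the full set of hourly At*.job tasks) can be picked out of a HijackThis/DSS log mechanically. The script below is an added example for this thread; it is not part of HijackThis, ComboFix or DSS, and the heuristics, the name `triage`, and the At-job threshold of 12 are this example's own assumptions. The sample lines are copied from the logs posted above, with a synthesized At1..At24 set appended to stand in for the scheduled-task listing.

```python
"""Flag suspicious autostart entries in a HijackThis 1.99 log (added example)."""
import re

# Core Windows processes that malware impersonates by name. None of them is
# started through a Run key, so a Run value named after one is a finding on
# its own; here the copy also lives outside system32 (C:\WINDOWS\csrss.exe).
SYSTEM_PROCESS_NAMES = {"csrss", "lsass", "smss", "svchost", "winlogon", "services"}

# O4 - HKCU\..\Run: [csrss] C:\WINDOWS\csrss.exe
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O20 - Winlogon Notify: mllmk - C:\WINDOWS\
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# O2 - BHO: (no name) - {CLSID} - (no file)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# DSS scheduled-task line ending in \Tasks\At<n>.job
AT_JOB_RE = re.compile(r"\\Tasks\\At\d+\.job$", re.IGNORECASE)

# Assumed threshold: a dozen or more AtN.job tasks is a scripted hourly set, not a user's doing.
AT_JOB_THRESHOLD = 12


def exe_basename(cmd):
    """Lower-case executable name (without .exe) from a Run value's command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]          # quoted path; arguments follow the quote
    else:
        m = re.match(r"(.*?\.exe)(\s|$)", cmd, re.IGNORECASE)
        exe = m.group(1) if m else cmd.split()[0]
    base = exe.lower().rsplit("\\", 1)[-1]
    return base[:-4] if base.endswith(".exe") else base


def triage(lines):
    """Return a list of (line, reason) findings for the given HJT/DSS log lines."""
    findings = []
    at_jobs = 0
    for line in lines:
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            base = exe_basename(m.group("cmd"))
            if base in SYSTEM_PROCESS_NAMES:
                findings.append((line, "Run entry named after a core system process (%s)" % base))
            continue
        m = O20_RE.match(line)
        if m and not m.group("path").lower().endswith(".dll"):
            findings.append((line, "Winlogon Notify package names a directory, not a DLL"))
            continue
        m = O2_RE.match(line)
        if m and m.group("path") == "(no file)":
            findings.append((line, "orphaned BHO registration (CLSID with no file)"))
            continue
        if AT_JOB_RE.search(line):
            at_jobs += 1
    if at_jobs >= AT_JOB_THRESHOLD:
        findings.append(("%d At*.job tasks" % at_jobs, "hourly scheduled-task set (At1..At24 pattern)"))
    return findings


# Sample input: lines copied from the logs above, benign ones kept for contrast.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {240643D8-2A19-4C41-9511-A09D98398FC7} - (no file)
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [csrss] C:\WINDOWS\csrss.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mllmk - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
""".strip().splitlines()
# Synthesized At1..At24 lines in the DSS "Scheduled Tasks" layout (constructed, not copied).
SAMPLE_LOG += [r"2007-06-06 %02d:00:00 350 --a------ C:\WINDOWS\Tasks\At%d.job" % (n - 1, n)
               for n in range(1, 25)]

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print("%-60s  %s" % (reason, entry))
```

Run it on a saved HijackThis log with `triage(open("hijackthis.log").read().splitlines())`. The checks are deliberately narrow: a Run value named like a system process, a Winlogon Notify package with no DLL behind it, a BHO with no file, and a wall of hourly At jobs. Each of those is something a helper would want to look at, but the script only points; deciding what to delete still belongs in a reviewed fix script like the one above.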
Old 06-08-2007, 10:23 AM   #7 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 13
OS: XP


Re: I need some big help...PLEASE...

Hey..

I tried to do the PandaScan thing, but Internet Explorer would crash and stop responding before the ActiveX control could start downloading... Here is everything else. Actually, since following your first step of instructions yesterday, everything on my computer has been fine. No more error messages or pop-ups. Thanks for that... but here are the other logs you asked for, anyway...

"HP_Owner" - 2007-06-08 8:53:18 Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\New Folder\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Enigma Software Group
C:\Program Files\Enigma Software Group\SpyHunter\support.log
C:\temp\x2b
C:\WINDOWS\system32\knnmp.bak1
C:\WINDOWS\system32\knnmp.bak2


((((((((((((((((((((((((( Files Created from 2007-05-08 to 2007-06-08 )))))))))))))))))))))))))))))))


2007-06-07 10:19 <DIR> d-------- C:\Deckard
2007-06-07 09:43 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-05 17:52 <DIR> d-------- C:\Program Files\AOD
2007-06-05 17:27 73,728 --a------ C:\WINDOWS\ALCFDRTM.EXE
2007-05-26 10:11 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Prevx
2007-05-26 10:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2007-05-25 15:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\myCleanerPC
2007-05-25 15:13 <DIR> d-------- C:\Program Files\myCleanerPC
2007-05-25 14:29 5,648,384 --a------ C:\DOCUME~1\HP_Owner\ntuser.dat
2007-05-16 10:26 77,312 --a------ C:\WINDOWS\ua2.dll
2007-05-11 20:20 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-05-11 19:46 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Webroot
2007-05-11 19:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Talkback


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-08 04:36:04 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-06 02:03:23 -------- d-----w C:\Program Files\AIM
2007-06-05 19:57:52 -------- d-----w C:\DOCUME~1\HP_Owner\APPLIC~1\Azureus
2007-05-26 17:39:52 -------- d-----w C:\Program Files\BearShare
2007-05-12 02:11:34 -------- d-----w C:\Program Files\Viewpoint
2007-05-12 02:11:34 -------- d-----w C:\DOCUME~1\HP_Owner\APPLIC~1\Viewpoint
2007-05-07 17:29:48 -------- d-----w C:\Program Files\Norton AntiVirus
2007-05-07 05:11:25 -------- d-----w C:\Program Files\Winamp
2007-05-07 05:11:25 -------- d-----w C:\Program Files\2Wire
2007-05-07 05:10:11 37,019 ----a-w C:\WINDOWS\system32\ps2.exe
2007-05-07 05:10:11 37,019 ----a-w C:\WINDOWS\system32\hkcmd.exe
2007-05-03 0114 -------- d-----w C:\Program Files\Symantec
2007-05-03 01:04:05 28,672 ----a-w C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-05-02 00:37:53 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-01 21:49:36 -------- d-----w C:\DOCUME~1\HP_Owner\APPLIC~1\Lavasoft
2007-05-01 21:49:13 -------- d-----w C:\Program Files\Lavasoft
2007-05-01 21:34:04 -------- d-----w C:\Program Files\Install Provider
2007-04-11 22:04:20 -------- d-----w C:\DOCUME~1\HP_Owner\APPLIC~1\Propellerhead Software
2007-04-11 21:57:40 233,472 ----a-w C:\WINDOWS\system32\REX Shared Library.dll
2007-04-11 00:11:47 -------- d-----w C:\Program Files\Recycle
2007-04-05 02:05:15 46 ----a-w C:\WINDOWS\system32\DonationCoder_urlsnooper_InstallInfo.dat
2007-03-29 01:41:32 517,848 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-03-29 01:41:28 132,824 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-03-15 19:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 19:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
2005-05-07 19:30:54 56 --sh--r C:\WINDOWS\system32\F064F36CE4.sys
2005-05-07 19:30:54 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{55EA1964-F5E4-4D6A-B9B2-125B37655FCB}=C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll [2006-01-10 12:09]
{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2005-10-19 13:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2007-05-06 22:10]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 17:10 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2007-05-06 22:10]
"KBD"="C:\HP\KBD\KBD.EXE" [2007-05-06 22:10]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-05-06 22:10]
"SoundMan"="SOUNDMAN.EXE" [2004-10-13 14:01 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-13 16:17 C:\WINDOWS\ALCWZRD.EXE]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2007-05-06 22:10]
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2007-05-06 22:10]
"2wSysTray"="C:\Program Files\2Wire\2PortalMon.exe" [2007-05-06 22:10]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-06 22:10]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-05-06 22:10]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2006-04-24 17:28]
"PrevxOne"="C:\Program Files\Prevx1\PXConsole.exe" [2007-03-27 11:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 15:08]
"AIM (R)"="C:\Program Files\AIM\aim.exe" [2005-08-05 15:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxOne]
"C:\Program Files\Prevx1\PXConsole.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
AutoRun\command- D:\setup.exe


Contents of the 'Scheduled Tasks' folder
2007-06-06 07:00:00 C:\WINDOWS\tasks\At1.job
2007-06-06 16:00:00 C:\WINDOWS\tasks\At10.job
2007-06-07 17:00:00 C:\WINDOWS\tasks\At11.job
2007-06-07 18:00:00 C:\WINDOWS\tasks\At12.job
2007-06-07 19:00:00 C:\WINDOWS\tasks\At13.job
2007-06-07 20:00:00 C:\WINDOWS\tasks\At14.job
2007-06-07 21:00:00 C:\WINDOWS\tasks\At15.job
2007-06-07 22:00:00 C:\WINDOWS\tasks\At16.job
2007-06-07 23:00:00 C:\WINDOWS\tasks\At17.job
2007-06-08 00:00:00 C:\WINDOWS\tasks\At18.job
2007-06-08 01:00:00 C:\WINDOWS\tasks\At19.job
2007-05-26 16:45:47 C:\WINDOWS\tasks\At2.job
2007-06-08 02:00:00 C:\WINDOWS\tasks\At20.job
2007-06-08 03:00:00 C:\WINDOWS\tasks\At21.job
2007-06-08 04:00:00 C:\WINDOWS\tasks\At22.job
2007-06-08 05:00:00 C:\WINDOWS\tasks\At23.job
2007-06-08 06:00:00 C:\WINDOWS\tasks\At24.job
2007-05-26 16:45:47 C:\WINDOWS\tasks\At3.job
2007-05-26 16:45:47 C:\WINDOWS\tasks\At4.job
2007-05-26 16:45:47 C:\WINDOWS\tasks\At5.job
2007-05-26 16:45:47 C:\WINDOWS\tasks\At6.job
2007-05-26 16:45:47 C:\WINDOWS\tasks\At7.job
2007-05-26 16:45:47 C:\WINDOWS\tasks\At8.job
2007-06-04 15:00:00 C:\WINDOWS\tasks\At9.job
2007-06-02 03:00:00 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - HP_Owner.job
2007-06-08 15:56:00 C:\WINDOWS\tasks\Symantec NetDetect.job
2007-06-04 15:34:00 C:\WINDOWS\tasks\WebReg psc 1600 series.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-08 08:57:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-08 8:57:37
C:\ComboFix-quarantined-files.txt ... 2007-06-08 08:57
C:\ComboFix2.txt ... 2007-06-07 09:59

--- E O F ---
-----------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:21:25 AM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Owner\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {240643D8-2A19-4C41-9511-A09D98398FC7} - (no file)
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7FF86816-04A2-4DED-B70C-31D9760FBE1F} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CA2CFBDE-0F94-491B-9286-00C60C553954} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AIM (R)] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://winantivirus.com/download/200...&lng=rs&cnt=us
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
VipaGTS is offline  
Old 06-08-2007, 08:26 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: I need some big help...PLEASE...

Save this as ComboFix-Do.txt, in the same location as ComboFix.exe

Quote:
File::
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job


Referring to the picture above, drag ComboFix-Do.txt into ComboFix.exe

Follow the prompts.

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


--------------------------------------------------------------------

Try again to complete an online scan at Panda and post the results here along with the C:\ComboFix.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-10-2007, 05:19 PM   #9 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 13
OS: XP


Re: I need some big help...PLEASE...

I tried the Panda scan again and it still crashes. Is there any other scan I could do?

Here is the next ComboFix thing you told me to post. I apologize about the Panda scan. I have no idea why it keeps crashing when it starts to download the ActiveX control. Thanks again for the help.

"HP_Owner" - 2007-06-10 16:36:15 Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\New Folder\ComboFix-Do.txt


((((((((((((((((((((((((( Files Created from 2007-05-10 to 2007-06-10 )))))))))))))))))))))))))))))))


2007-06-10 13:30 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-06-10 13:30 12 --a------ C:\WINDOWS\system32\sl.bin
2007-06-10 13:29 12 --a------ C:\WINDOWS\system32\gtv_sd.bin
2007-06-10 11:05 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Opera
2007-06-10 11:04 <DIR> d-------- C:\Program Files\Opera
2007-06-09 11:44 5,648,384 --a------ C:\DOCUME~1\HP_Owner\ntuser.dat
2007-06-08 20:05 50,970 --a------ C:\DOCUME~1\HP_Owner\APPLIC~1\tmp787.tmp.exe
2007-06-08 20:05 2,560 --a------ C:\DOCUME~1\HP_Owner\APPLIC~1\tmp788.tmp.exe
2007-06-08 19:41 13,016 --a------ C:\WINDOWS\system32\ssttutq.dll
2007-06-08 17:35 13,016 --a------ C:\WINDOWS\system32\gebcdbx.dll
2007-06-08 15:29 13,016 --a------ C:\WINDOWS\system32\vtsqrop.dll
2007-06-08 13:23 13,016 --a------ C:\WINDOWS\system32\mllmmnn.dll
2007-06-07 10:19 <DIR> d-------- C:\Deckard
2007-06-07 09:43 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-05 17:52 <DIR> d-------- C:\Program Files\AOD
2007-06-05 17:27 73,728 --a------ C:\WINDOWS\ALCFDRTM.EXE
2007-05-26 10:11 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Prevx
2007-05-26 10:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2007-05-25 15:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\myCleanerPC
2007-05-25 15:13 <DIR> d-------- C:\Program Files\myCleanerPC
2007-05-16 10:26 77,312 --a------ C:\WINDOWS\ua2.dll
2007-05-11 20:20 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-05-11 19:46 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Webroot
2007-05-11 19:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Talkback


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-10 23:30:49 -------- d-----w C:\Program Files\Winamp
2007-06-10 21:16:09 -------- d-----w C:\Program Files\SymNetDrv
2007-06-10 21:16:09 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-10 21:16:09 -------- d-----w C:\Program Files\2Wire
2007-06-09 0054 -------- d-----w C:\Program Files\AIM
2007-06-05 19:57:52 -------- d-----w C:\DOCUME~1\HP_Owner\APPLIC~1\Azureus
2007-05-26 17:39:52 -------- d-----w C:\Program Files\BearShare
2007-05-12 02:11:34 -------- d-----w C:\Program Files\Viewpoint
2007-05-12 02:11:34 -------- d-----w C:\DOCUME~1\HP_Owner\APPLIC~1\Viewpoint
2007-05-07 17:29:48 -------- d-----w C:\Program Files\Norton AntiVirus
2007-05-07 05:10:11 37,019 ----a-w C:\WINDOWS\system32\ps2.exe
2007-05-07 05:10:11 37,019 ----a-w C:\WINDOWS\system32\hkcmd.exe
2007-05-03 0114 -------- d-----w C:\Program Files\Symantec
2007-05-03 01:04:05 28,672 ----a-w C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-05-02 00:37:53 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-01 21:49:36 -------- d-----w C:\DOCUME~1\HP_Owner\APPLIC~1\Lavasoft
2007-05-01 21:49:13 -------- d-----w C:\Program Files\Lavasoft
2007-05-01 21:34:04 -------- d-----w C:\Program Files\Install Provider
2007-04-11 22:04:20 -------- d-----w C:\DOCUME~1\HP_Owner\APPLIC~1\Propellerhead Software
2007-04-11 21:57:40 233,472 ----a-w C:\WINDOWS\system32\REX Shared Library.dll
2007-04-11 00:11:47 -------- d-----w C:\Program Files\Recycle
2007-04-05 02:05:15 46 ----a-w C:\WINDOWS\system32\DonationCoder_urlsnooper_InstallInfo.dat
2007-03-29 01:41:32 517,848 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-03-29 01:41:28 132,824 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-03-15 19:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 19:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
2005-05-07 19:30:54 56 --sh--r C:\WINDOWS\system32\F064F36CE4.sys
2005-05-07 19:30:54 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{55EA1964-F5E4-4D6A-B9B2-125B37655FCB}=C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll [2006-01-10 12:09]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2005-10-19 13:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 17:10 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2007-05-06 22:10]
"KBD"="C:\HP\KBD\KBD.EXE" [2007-05-06 22:10]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-05-06 22:10]
"SoundMan"="SOUNDMAN.EXE" [2004-10-13 14:01 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-13 16:17 C:\WINDOWS\ALCWZRD.EXE]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2007-05-06 22:10]
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2007-05-06 22:10]
"2wSysTray"="C:\Program Files\2Wire\2PortalMon.exe" [2007-05-06 22:10]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-06 22:10]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-05-06 22:10]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2006-04-24 17:28]
"PrevxOne"="C:\Program Files\Prevx1\PXConsole.exe" [2007-03-27 11:16]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\PROGRA~1\AIM\aim.exe" [2005-06-02 01:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dpuGadv]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxOne]
"C:\Program Files\Prevx1\PXConsole.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
AutoRun\command- D:\setup.exe


Contents of the 'Scheduled Tasks' folder
2007-06-10 20:28:04 C:\WINDOWS\tasks\At25.job
2007-06-10 20:28:04 C:\WINDOWS\tasks\At26.job
2007-06-10 20:28:04 C:\WINDOWS\tasks\At27.job
2007-06-10 20:28:04 C:\WINDOWS\tasks\At28.job
2007-06-10 20:28:04 C:\WINDOWS\tasks\At29.job
2007-06-10 20:28:04 C:\WINDOWS\tasks\At30.job
2007-06-10 20:28:04 C:\WINDOWS\tasks\At31.job
2007-06-10 20:28:04 C:\WINDOWS\tasks\At32.job
2007-06-10 20:28:04 C:\WINDOWS\tasks\At33.job
2007-06-10 20:28:04 C:\WINDOWS\tasks\At34.job
2007-06-10 20:28:04 C:\WINDOWS\tasks\At35.job
2007-06-10 20:28:04 C:\WINDOWS\tasks\At36.job
2007-06-10 20:28:04 C:\WINDOWS\tasks\At37.job
2007-06-10 20:28:04 C:\WINDOWS\tasks\At38.job
2007-06-10 20:28:04 C:\WINDOWS\tasks\At39.job
2007-06-10 22:00:00 C:\WINDOWS\tasks\At40.job
2007-06-10 23:00:00 C:\WINDOWS\tasks\At41.job
2007-06-10 20:28:04 C:\WINDOWS\tasks\At42.job
2007-06-10 20:28:04 C:\WINDOWS\tasks\At43.job
2007-06-10 20:28:04 C:\WINDOWS\tasks\At44.job
2007-06-10 20:28:04 C:\WINDOWS\tasks\At45.job
2007-06-10 20:28:04 C:\WINDOWS\tasks\At46.job
2007-06-10 20:28:04 C:\WINDOWS\tasks\At47.job
2007-06-10 20:28:04 C:\WINDOWS\tasks\At48.job
2007-06-09 03:00:00 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - HP_Owner.job
2007-06-10 23:36:00 C:\WINDOWS\tasks\Symantec NetDetect.job
2007-06-04 15:34:00 C:\WINDOWS\tasks\WebReg psc 1600 series.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-10 16:40:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-10 16:40:59
C:\ComboFix-quarantined-files.txt ... 2007-06-10 16:40
C:\ComboFix2.txt ... 2007-06-10 16:17
C:\ComboFix3.txt ... 2007-06-08 08:57

--- E O F ---

Last edited by VipaGTS; 06-10-2007 at 05:43 PM.
VipaGTS is offline  
Old 06-10-2007, 09:43 PM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: I need some big help...PLEASE...

Hi,

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\sl.bin
C:\WINDOWS\system32\gtv_sd.bin
C:\DOCUME~1\HP_Owner\APPLIC~1\tmp787.tmp.exe
C:\DOCUME~1\HP_Owner\APPLIC~1\tmp788.tmp.exe
C:\WINDOWS\system32\ssttutq.dll
C:\WINDOWS\system32\gebcdbx.dll
C:\WINDOWS\system32\vtsqrop.dll
C:\WINDOWS\system32\mllmmnn.dll
C:\WINDOWS\tasks\At25.job
C:\WINDOWS\tasks\At26.job
C:\WINDOWS\tasks\At27.job
C:\WINDOWS\tasks\At28.job
C:\WINDOWS\tasks\At29.job
C:\WINDOWS\tasks\At30.job
C:\WINDOWS\tasks\At31.job
C:\WINDOWS\tasks\At32.job
C:\WINDOWS\tasks\At33.job
C:\WINDOWS\tasks\At34.job
C:\WINDOWS\tasks\At35.job
C:\WINDOWS\tasks\At36.job
C:\WINDOWS\tasks\At37.job
C:\WINDOWS\tasks\At38.job
C:\WINDOWS\tasks\At39.job
C:\WINDOWS\tasks\At40.job
C:\WINDOWS\tasks\At41.job
C:\WINDOWS\tasks\At42.job
C:\WINDOWS\tasks\At43.job
C:\WINDOWS\tasks\At44.job
C:\WINDOWS\tasks\At45.job
C:\WINDOWS\tasks\At46.job
C:\WINDOWS\tasks\At47.job
C:\WINDOWS\tasks\At48.job

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dpuGadv]

Save this as ComboFix-Do.txt, in the same location as ComboFix.exe




Referring to the picture above, drag ComboFix-Do.txt into ComboFix.exe

Follow the prompts.

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


--------------------------------------------------------------------

Let's try this online scanner:

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply along with the C:\ComboFix.txt
Ried is offline  
Old 06-19-2007, 05:50 PM   #11 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 13
OS: XP


Re: I need some big help...PLEASE...

Alright, sorry I took so long with this one. Also, I think there is a problem with IE, because this scan freezes and stops responding during the ActiveX download too. Here is the ComboFix report, though.

"HP_Owner" - 2007-06-19 16:43:27 Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\VipaGTS\ComboFix\ComboFix-Do.txt


((((((((((((((((((((((((( Files Created from 2007-05-19 to 2007-06-19 )))))))))))))))))))))))))))))))


2007-06-17 19:07 69,120 --a------ C:\WINDOWS\ietools.dll
2007-06-12 10:45 72,192 --a------ C:\WINDOWS\mssms.dll
2007-06-10 11:05 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Opera
2007-06-10 11:04 <DIR> d-------- C:\Program Files\Opera
2007-06-09 11:44 5,767,168 --a------ C:\DOCUME~1\HP_Owner\ntuser.dat
2007-06-07 10:19 <DIR> d-------- C:\Deckard
2007-06-07 09:43 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-05 17:52 <DIR> d-------- C:\Program Files\AOD
2007-06-05 17:27 73,728 --a------ C:\WINDOWS\ALCFDRTM.EXE
2007-05-26 10:11 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Prevx
2007-05-26 10:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2007-05-25 15:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\myCleanerPC
2007-05-25 15:13 <DIR> d-------- C:\Program Files\myCleanerPC


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-17 03:17:47 -------- d-----w C:\DOCUME~1\HP_Owner\APPLIC~1\Azureus
2007-06-13 22:55:48 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-10 23:30:49 -------- d-----w C:\Program Files\Winamp
2007-06-10 21:16:09 -------- d-----w C:\Program Files\SymNetDrv
2007-06-10 21:16:09 -------- d-----w C:\Program Files\2Wire
2007-06-09 0054 -------- d-----w C:\Program Files\AIM
2007-05-26 17:39:52 -------- d-----w C:\Program Files\BearShare
2007-05-26 17:09:54 77,312 ----a-w C:\WINDOWS\ua2.dll
2007-05-12 02:11:34 -------- d-----w C:\Program Files\Viewpoint
2007-05-12 02:11:34 -------- d-----w C:\DOCUME~1\HP_Owner\APPLIC~1\Viewpoint
2007-05-07 17:29:48 -------- d-----w C:\Program Files\Norton AntiVirus
2007-05-07 05:10:11 37,019 ----a-w C:\WINDOWS\system32\ps2.exe
2007-05-07 05:10:11 37,019 ----a-w C:\WINDOWS\system32\hkcmd.exe
2007-05-03 0114 -------- d-----w C:\Program Files\Symantec
2007-05-03 01:04:05 28,672 ----a-w C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-05-02 00:37:53 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-01 21:49:36 -------- d-----w C:\DOCUME~1\HP_Owner\APPLIC~1\Lavasoft
2007-05-01 21:49:13 -------- d-----w C:\Program Files\Lavasoft
2007-05-01 21:34:04 -------- d-----w C:\Program Files\Install Provider
2007-04-11 21:57:40 233,472 ----a-w C:\WINDOWS\system32\REX Shared Library.dll
2007-04-05 02:05:15 46 ----a-w C:\WINDOWS\system32\DonationCoder_urlsnooper_InstallInfo.dat
2007-03-29 01:41:32 517,848 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-03-29 01:41:28 132,824 ----a-w C:\WINDOWS\system32\SymRedir.dll
2005-05-07 19:30:54 56 --sh--r C:\WINDOWS\system32\F064F36CE4.sys
2005-05-07 19:30:54 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{2724E072-19D0-486d-A819-9D914191AE92}=C:\WINDOWS\ietools.dll [2007-05-24 03:03]
{55EA1964-F5E4-4D6A-B9B2-125B37655FCB}=C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll [2006-01-10 12:09]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2005-10-19 13:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 17:10 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" []
"KBD"="C:\HP\KBD\KBD.EXE" []
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-05-06 22:10]
"SoundMan"="SOUNDMAN.EXE" [2004-10-13 14:01 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-13 16:17 C:\WINDOWS\ALCWZRD.EXE]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2007-05-06 22:10]
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2007-05-06 22:10]
"2wSysTray"="C:\Program Files\2Wire\2PortalMon.exe" [2007-05-06 22:10]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-06 22:10]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-05-06 22:10]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2006-04-24 17:28]
"PrevxOne"="C:\Program Files\Prevx1\PXConsole.exe" [2007-03-27 11:16]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-02-16 17:33]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\PROGRA~1\AIM\aim.exe" [2005-06-02 01:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{06EC5125-422D-4D53-A2C7-B51F658B643D}"="C:\WINDOWS\mssms.dll" [2007-05-24 03:03]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxOne]
"C:\Program Files\Prevx1\PXConsole.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
AutoRun\command- D:\setup.exe


Contents of the 'Scheduled Tasks' folder
2007-06-16 03:00:00 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - HP_Owner.job
2007-06-19 23:46:00 C:\WINDOWS\tasks\Symantec NetDetect.job
2007-06-18 15:34:00 C:\WINDOWS\tasks\WebReg psc 1600 series.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-19 16:45:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-19 16:46:52
C:\ComboFix-quarantined-files.txt ... 2007-06-19 16:46
C:\ComboFix2.txt ... 2007-06-11 14:27
C:\ComboFix3.txt ... 2007-06-10 16:40

--- E O F ---
VipaGTS is offline  
Old 06-19-2007, 09:49 PM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: I need some big help...PLEASE...

Hi VipaGTS,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

***************************************************

Disconnect from the internet.

------------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\WINDOWS\mssms.dll

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{D45E01C2-FF5A-49FE-B46D-5B3D479D89E0}"=-
Save this as ComboFix-Do.txt, in the same location as ComboFix.exe




Referring to the picture above, drag ComboFix-Do.txt into ComboFix.exe

Follow the prompts.

When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall


--------------------------------------------------------------------

We need to re-run SDFix...

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt I'll need that in your next reply.
--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
C:\SDFix\Report.txt
New HijackThis log
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-21-2007, 07:29 PM   #13 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 13
OS: XP


Re: I need some big help...PLEASE...

"HP_Owner" - 2007-06-21 1803 Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\ComboFix\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\mssms.dll


((((((((((((((((((((((((( Files Created from 2007-05-22 to 2007-06-22 )))))))))))))))))))))))))))))))


2007-06-17 19:07 69,120 --a------ C:\WINDOWS\ietools.dll
2007-06-10 11:05 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Opera
2007-06-10 11:04 <DIR> d-------- C:\Program Files\Opera
2007-06-09 11:44 5,767,168 --a------ C:\DOCUME~1\HP_Owner\ntuser.dat
2007-06-07 10:19 <DIR> d-------- C:\Deckard
2007-06-07 09:43 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-05 17:52 <DIR> d-------- C:\Program Files\AOD
2007-06-05 17:27 73,728 --a------ C:\WINDOWS\ALCFDRTM.EXE
2007-05-26 10:11 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Prevx
2007-05-26 10:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2007-05-25 15:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\myCleanerPC
2007-05-25 15:13 <DIR> d-------- C:\Program Files\myCleanerPC


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-22 01:02:58 -------- d-----w C:\DOCUME~1\HP_Owner\APPLIC~1\Azureus
2007-06-13 22:55:48 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-10 23:30:49 -------- d-----w C:\Program Files\Winamp
2007-06-10 21:16:09 -------- d-----w C:\Program Files\SymNetDrv
2007-06-10 21:16:09 -------- d-----w C:\Program Files\2Wire
2007-06-09 0054 -------- d-----w C:\Program Files\AIM
2007-05-26 17:39:52 -------- d-----w C:\Program Files\BearShare
2007-05-26 17:09:54 77,312 ----a-w C:\WINDOWS\ua2.dll
2007-05-12 02:11:34 -------- d-----w C:\Program Files\Viewpoint
2007-05-12 02:11:34 -------- d-----w C:\DOCUME~1\HP_Owner\APPLIC~1\Viewpoint
2007-05-07 17:29:48 -------- d-----w C:\Program Files\Norton AntiVirus
2007-05-07 05:10:11 37,019 ----a-w C:\WINDOWS\system32\ps2.exe
2007-05-07 05:10:11 37,019 ----a-w C:\WINDOWS\system32\hkcmd.exe
2007-05-03 0114 -------- d-----w C:\Program Files\Symantec
2007-05-03 01:04:05 28,672 ----a-w C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-05-02 00:37:53 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-01 21:49:36 -------- d-----w C:\DOCUME~1\HP_Owner\APPLIC~1\Lavasoft
2007-05-01 21:49:13 -------- d-----w C:\Program Files\Lavasoft
2007-05-01 21:34:04 -------- d-----w C:\Program Files\Install Provider
2007-04-11 21:57:40 233,472 ----a-w C:\WINDOWS\system32\REX Shared Library.dll
2007-04-05 02:05:15 46 ----a-w C:\WINDOWS\system32\DonationCoder_urlsnooper_InstallInfo.dat
2007-03-29 01:41:32 517,848 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-03-29 01:41:28 132,824 ----a-w C:\WINDOWS\system32\SymRedir.dll
2005-05-07 19:30:54 56 --sh--r C:\WINDOWS\system32\F064F36CE4.sys
2005-05-07 19:30:54 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{2724E072-19D0-486d-A819-9D914191AE92}=C:\WINDOWS\ietools.dll [2007-05-24 03:03]
{55EA1964-F5E4-4D6A-B9B2-125B37655FCB}=C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll [2006-01-10 12:09]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2005-10-19 13:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 17:10 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" []
"KBD"="C:\HP\KBD\KBD.EXE" []
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-05-06 22:10]
"SoundMan"="SOUNDMAN.EXE" [2004-10-13 14:01 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-13 16:17 C:\WINDOWS\ALCWZRD.EXE]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2007-05-06 22:10]
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2007-05-06 22:10]
"2wSysTray"="C:\Program Files\2Wire\2PortalMon.exe" [2007-05-06 22:10]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-06 22:10]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-05-06 22:10]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2006-04-24 17:28]
"PrevxOne"="C:\Program Files\Prevx1\PXConsole.exe" [2007-03-27 11:16]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-02-16 17:33]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\PROGRA~1\AIM\aim.exe" [2005-06-02 01:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{06EC5125-422D-4D53-A2C7-B51F658B643D}"="C:\WINDOWS\mssms.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxOne]
"C:\Program Files\Prevx1\PXConsole.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
AutoRun\command- D:\setup.exe


Contents of the 'Scheduled Tasks' folder
2007-06-16 03:00:00 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - HP_Owner.job
2007-06-22 0100 C:\WINDOWS\tasks\Symantec NetDetect.job
2007-06-20 15:34:00 C:\WINDOWS\tasks\WebReg psc 1600 series.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-21 18:08:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-21 18:09:26
C:\ComboFix-quarantined-files.txt ... 2007-06-21 18:09
C:\ComboFix2.txt ... 2007-06-19 16:46
C:\ComboFix3.txt ... 2007-06-11 14:27

--- E O F ---


--------------------------------------------------------------------------


SDFix: Version 1.87

Run by Administrator - Thu 06/21/2007 - 18:15:07.92

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\ietools.dll - Deleted
C:\WINDOWS\search_res.txt - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking if ADS is attached to ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\WINDOWS\system32\F064F36CE4.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Listing User Accounts:

User accounts for \\SSNATH637

Administrator ASPNET Guest
HelpAssistant HP_Owner SUPPORT_388945a0
SUPPORT_fddfa904


Finished

--------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:27:01 PM, on 6/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\InterMute\SpySubtract\sslaunch.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\HP_Owner\Desktop\ComboFix\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {240643D8-2A19-4C41-9511-A09D98398FC7} - (no file)
O2 - BHO: (no name) - {36398277-4d2e-43c1-af52-1d8f1742fb85} - (no file)
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7FF86816-04A2-4DED-B70C-31D9760FBE1F} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CA2CFBDE-0F94-491B-9286-00C60C553954} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://winantivirus.com/download/200...&lng=rs&cnt=us
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
VipaGTS is offline  
Old 06-22-2007, 10:02 AM   #14 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: I need some big help...PLEASE...

Looking much better.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

Disable Prevx as it may hinder the removals below:


Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries:

O2 - BHO: (no name) - {240643D8-2A19-4C41-9511-A09D98398FC7} - (no file)
O2 - BHO: (no name) - {36398277-4d2e-43c1-af52-1d8f1742fb85} - (no file)
O2 - BHO: (no name) - {7FF86816-04A2-4DED-B70C-31D9760FBE1F} - (no file)
O2 - BHO: (no name) - {CA2CFBDE-0F94-491B-9286-00C60C553954} - (no file)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://winantivirus.com/download/200...&lng=rs&cnt=us



Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Now please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
--------------------------------------------------------------------

Run a new scan with dss.exe

--------------------------------------------------------------------

Include the Kaspersky results and the main.txt in your next reply.

How is your system behaving now?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
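One way to automate the triage Ried does by hand in the two posts above (the four orphaned O2 BHOs and the winantivirus.com O16 entry picked out of the HijackThis log, and the mssms.dll ShellServiceObjectDelayLoad entry targeted by the earlier ComboFix script), as an added example that is not part of this thread and not code from HijackThis, ComboFix or SDFix: a small Python script that reads HijackThis 1.99-style log lines and lists the entries a helper would ask the user to "Fix checked". The sample log is assembled from lines posted above plus one constructed O21 line (HijackThis reports SSODL entries as O21) built from the CLSID and path shown in the ComboFix "Reg Loading Points" section; the trusted-host allow-list and the expected DLL directories are assumptions for the example, not an official list.

```python
"""Triage a HijackThis 1.99-style log for entries worth fixing.

Added example; not code from the thread, HijackThis or ComboFix.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hosts trusted to serve O16 (Downloaded Program Files) ActiveX controls.
# Assumption for this example: a short allow-list a helper would maintain.
TRUSTED_O16_HOSTS = {
    "security.symantec.com",
    "acs.pandasoftware.com",
    "update.microsoft.com",
}

# Directories where a Winlogon Notify (O20) or SSODL (O21) DLL is expected
# to live. A DLL loading from elsewhere, e.g. straight out of C:\WINDOWS as
# mssms.dll and ietools.dll did in this thread, is suspect. (Assumption.)
EXPECTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\program files\\",
    "c:\\progra~1\\",
)

_URL_HOST = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass
class Finding:
    line: str     # the HijackThis log line, verbatim
    reason: str   # why it is a candidate for "Fix checked"


def _last_path(line: str) -> str:
    """Return the lower-cased path component of an 'Oxx - ... - <path>' line."""
    return line.split(" - ")[-1].strip().lower()


def triage_hjt(log_text: str) -> list[Finding]:
    """Scan HJT log text and return the entries a helper would ask to fix."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            findings.append(Finding(line, "orphaned BHO: CLSID registered but DLL is gone"))
        elif line.startswith("O16 - DPF:"):
            m = _URL_HOST.search(line)
            host = m.group(1).lower() if m else "<no url>"
            if host not in TRUSTED_O16_HOSTS:
                findings.append(Finding(line, f"ActiveX download from untrusted host {host}"))
        elif line.startswith(("O20 - Winlogon Notify:", "O21 - SSODL:")):
            if not _last_path(line).startswith(EXPECTED_DLL_DIRS):
                findings.append(Finding(line, "logon/shell DLL loading from an unexpected directory"))
        elif line.startswith("O23 - Service:") and line.endswith("(file missing)"):
            findings.append(Finding(line, "service registered but its binary is missing"))
    return findings


def fix_list(findings: list[Finding]) -> str:
    """Render findings as the 'Check the following entries' block a helper posts."""
    return "\n".join(f.line for f in findings)


# Constructed sample: lines copied from the log posted in this thread, plus
# one constructed O21 line built from the ComboFix SSODL entry for mssms.dll.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {240643D8-2A19-4C41-9511-A09D98398FC7} - (no file)
O2 - BHO: (no name) - {36398277-4d2e-43c1-af52-1d8f1742fb85} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7FF86816-04A2-4DED-B70C-31D9760FBE1F} - (no file)
O2 - BHO: (no name) - {CA2CFBDE-0F94-491B-9286-00C60C553954} - (no file)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://winantivirus.com/download/200...&lng=rs&cnt=us
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O21 - SSODL: mssms - {06EC5125-422D-4D53-A2C7-B51F658B643D} - C:\WINDOWS\mssms.dll
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Orphaned "(no file)" BHOs are harmless leftovers and are removed mostly to keep the log readable; the O16 download from an unknown host and the O21 DLL loading from C:\WINDOWS are the entries that matter. Re-running the script on a fresh log after each fix round is a quick way to confirm the flagged entries have actually gone rather than reading the whole log again.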
Old 06-22-2007, 12:58 PM   #15 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 13
OS: XP


Re: I need some big help...PLEASE...

Thanks again for all the help. My computer is running a lot better than it did when I first made this topic...

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, June 22, 2007 11:52:08 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 22/06/2007
Kaspersky Anti-Virus database records: 351035
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 108128
Number of viruses found: 35
Number of infected objects: 102
Number of suspicious objects: 0
Duration of the scan process: 01:09:54

Infected Object Name / Virus Name / Last Action
C:\data Infected: Trojan-Downloader.Win32.IstBar.ja skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-06-22_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\HP_Owner\Application Data\InterMute\SpySubtract\tmp\3 Object is locked skipped
C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cert8.db Object is locked skipped
C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\history.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\key3.db Object is locked skipped
C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\parent.lock Object is locked skipped
C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\search.sqlite Object is locked skipped
C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\HP_Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\History\History.IE5\MSHist012007062220070623\index.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\JET257F.tmp Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\Program Files\2Wire\2PortalMon.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\Program Files\BearShare\db\library.2.db Object is locked skipped
C:\Program Files\BearShare\db\library.db Object is locked skipped
C:\Program Files\Common Files\Real\Update_OB\realsched.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\Program Files\Common Files\Symantec Shared\ccApp.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped
C:\Program Files\Mozilla Firefox\keygen.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\026D7018.tmp Infected: Trojan-Downloader.Win32.Small.btj skipped
C:\Program Files\Norton AntiVirus\Quarantine\0C0E568B.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\0C0E568B.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\0C0E568B.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton AntiVirus\Quarantine\0C0E568B.zip ZIP: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\0C0E568B.zip CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\0F9469C3.tmp Infected: Trojan.Java.ClassLoader.u skipped
C:\Program Files\Norton AntiVirus\Quarantine\193E585D.tmp Infected: Trojan-Downloader.Win32.Small.bmk skipped
C:\Program Files\Norton AntiVirus\Quarantine\1FB81D55.tmp Infected: Trojan.Java.ClassLoader.u skipped
C:\Program Files\Norton AntiVirus\Quarantine\25B9649E.tmp Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Program Files\Norton AntiVirus\Quarantine\25BB3EFD.tmp Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Program Files\Norton AntiVirus\Quarantine\2F142E06.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\2F142E06.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\2F142E06.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton AntiVirus\Quarantine\2F142E06.zip ZIP: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\2F142E06.zip CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\31E2592F.tmp Infected: Trojan-Downloader.Win32.Small.btj skipped
C:\Program Files\Norton AntiVirus\Quarantine\33725C87.tmp Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Program Files\Norton AntiVirus\Quarantine\354E4C73.tmp Infected: Trojan.Java.ClassLoader.u skipped
C:\Program Files\Norton AntiVirus\Quarantine\369D6EEE.zip/NudeBox.class Infected: Trojan.Java.ClassLoader.u skipped
C:\Program Files\Norton AntiVirus\Quarantine\369D6EEE.zip/Worker.class Infected: Trojan.Java.ClassLoader.u skipped
C:\Program Files\Norton AntiVirus\Quarantine\369D6EEE.zip/VerifierBug.class Infected: Trojan.Java.ClassLoader.u skipped
C:\Program Files\Norton AntiVirus\Quarantine\369D6EEE.zip/javautil.zip Infected: Trojan-Downloader.Win32.Small.att skipped
C:\Program Files\Norton AntiVirus\Quarantine\369D6EEE.zip ZIP: infected - 4 skipped
C:\Program Files\Norton AntiVirus\Quarantine\369D6EEE.zip CryptFF: infected - 4 skipped
C:\Program Files\Norton AntiVirus\Quarantine\37DE791A.tmp Infected: Trojan.Java.ClassLoader.u skipped
C:\Program Files\Norton AntiVirus\Quarantine\3E0A4DC0.tmp Infected: Trojan-Downloader.Win32.Small.btj skipped
C:\Program Files\Norton AntiVirus\Quarantine\41020934.tmp Infected: Trojan-Downloader.Win32.Small.bmk skipped
C:\Program Files\Norton AntiVirus\Quarantine\43ED7778.exe Infected: Worm.Win32.VB.an skipped
C:\Program Files\Norton AntiVirus\Quarantine\46B21A66.tmp Infected: Trojan-Downloader.Java.OpenConnection.ae skipped
C:\Program Files\Norton AntiVirus\Quarantine\51BB7841.tmp Infected: Trojan.Java.ClassLoader.u skipped
C:\Program Files\Norton AntiVirus\Quarantine\51BE223E.tmp Infected: Trojan.Java.ClassLoader.u skipped
C:\Program Files\Norton AntiVirus\Quarantine\51D87221.exe Infected: Trojan-Downloader.Win32.IstBar.kp skipped
C:\Program Files\Norton AntiVirus\Quarantine\55C13354.tmp Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Program Files\Norton AntiVirus\Quarantine\589C189A Infected: Trojan-Clicker.JS.Linker.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\59BE4059.tmp Infected: Trojan-Downloader.Win32.Small.bmk skipped
C:\Program Files\Norton AntiVirus\Quarantine\59F03F56.tmp Infected: Trojan-Downloader.Java.OpenConnection.ae skipped
C:\Program Files\Norton AntiVirus\Quarantine\65807B54.tmp Infected: Trojan.Java.ClassLoader.u skipped
C:\Program Files\Norton AntiVirus\Quarantine\67495A6D.tmp Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Program Files\Norton AntiVirus\Quarantine\69143903.tmp Infected: Trojan.Java.ClassLoader.u skipped
C:\Program Files\Norton AntiVirus\Quarantine\6EB8527B.tmp Infected: Trojan.Java.ClassLoader.u skipped
C:\Program Files\Norton AntiVirus\Quarantine\72156FFB.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\72156FFB.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\72156FFB.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton AntiVirus\Quarantine\72156FFB.zip ZIP: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\72156FFB.zip CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\7C256996.tmp Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\IPMon32.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\Program Files\SymNetDrv\SNDMon.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\Program Files\Winamp\winampa.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\QooBox\Quarantine\C\Documents and Settings\HP_Owner\APPLIC~1\tmp787.tmp.exe.vir Infected: Trojan.Win32.BHO.g skipped
C:\QooBox\Quarantine\C\Documents and Settings\HP_Owner\APPLIC~1\tmp788.tmp.exe.vir Infected: Trojan.Win32.Agent.anr skipped
C:\QooBox\Quarantine\C\WINDOWS\csrss.exe.vir Infected: Trojan.Win32.Agent.anm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\advvpi32.dll.vir Infected: Backdoor.Win32.Agent.ale skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\axtmbffp.dll.vir Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\ip6fw.sys.vir Infected: Rootkit.Win32.Agent.dp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\eskeatxh.dll.vir Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lsasss.exe.vir Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ojufnvia.dll.vir Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pnxtxqyc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\smpi1\win106.exe.vir Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\T8QaSQ\T8QaSQ1095.exe.vir Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp35E.tmp.dll.vir Infected: Trojan.Win32.BHO.g skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ulnwgmmr.dll.vir Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wmvds32.dll.vir Infected: Trojan-Downloader.Win32.VB.asx skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wtibuutq.dll.vir Infected: Trojan.Win32.BHO.o skipped
C:\SDFix\backups_old1\backups.zip/backups/mssms.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\SDFix\backups_old1\backups.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP31\A0003634.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP31\A0003640.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP33\A0003915.rbf Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP37\A0004299.exe Infected: Trojan-Downloader.Win32.VB.axs skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP37\A0004344.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP37\A0004345.EXE Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP37\A0004346.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP37\A0004347.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP37\A0004348.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP37\A0004349.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP37\A0004350.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP37\A0004351.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP37\A0004352.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP37\A0004365.exe Infected: Trojan-Downloader.Win32.VB.avl skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP37\A0004379.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP37\A0004380.dll Infected: Trojan-Downloader.Win32.VB.asx skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP38\A0004393.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP38\A0004443.dll Infected: Trojan-Downloader.Win32.VB.apq skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP38\A0004446.exe Infected: not-virus:Hoax.Win32.Renos.fn skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP39\A0004947.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP41\A0005169.EXE Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP48\change.log Object is locked skipped
C:\WINDOWS\CREATOR\Remind_XP.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SMINST\RECGUARD.EXE Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{A0AE07BD-961A-4625-811C-82175CD04534}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\aul7t9dr.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\hkcmd.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\ps2.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\WINDOWS\system32\SBO\SB1065.exe Infected: Trojan-Downloader.Win32.VB.fn skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
--------------------------------------------------------------------------

Deckard's System Scanner v20070603.47
Run by HP_Owner on 2007-06-22 at 11:52:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as HP_Owner.exe) --------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:52:55 AM, on 6/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Owner\Desktop\ComboFix\dss.exe
C:\DOCUME~1\HP_Owner\Desktop\ComboFix\HP_Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


-- Files created between 2007-05-22 and 2007-06-22 -----------------------------

2007-06-22 10:18:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-06-22 10:18:12 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-22 10:18:10 0 d-------- C:\WINDOWS\LastGood
2007-06-10 11:05:20 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Opera
2007-06-10 11:04:28 0 d-------- C:\Program Files\Opera
2007-06-09 11:44:10 5767168 --a------ C:\Documents and Settings\HP_Owner\ntuser.dat
2007-06-08 09:13:56 0 d-------- C:\Program Files\Common Files\Java
2007-06-05 17:52:22 0 d-------- C:\Program Files\AOD
2007-06-05 17:27:06 73728 --a------ C:\WINDOWS\ALCFDRTM.EXE <Not Verified; Realtek Semiconductor Corp.; Realtek ALCFDRTM>
2007-05-26 10:11:24 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Prevx
2007-05-26 10:10:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-05-25 15:14:17 0 d-------- C:\Documents and Settings\All Users\Application Data\myCleanerPC
2007-05-25 15:13:58 0 d-------- C:\Program Files\myCleanerPC


-- Find3M Report ---------------------------------------------------------------

2007-06-21 20:36:31 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Azureus
2007-06-13 15:55:48 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-06-10 16:30:49 0 d-------- C:\Program Files\Winamp
2007-06-10 14:16:09 0 d-------- C:\Program Files\SymNetDrv
2007-06-10 14:16:09 0 d-------- C:\Program Files\2Wire
2007-06-08 1754 0 d-------- C:\Program Files\AIM
2007-06-08 09:14:28 0 d-------- C:\Program Files\Java
2007-05-26 10:39:52 0 d-------- C:\Program Files\BearShare
2007-05-26 10:09:54 77312 --a------ C:\WINDOWS\ua2.dll
2007-05-11 19:11:34 0 d-------- C:\Program Files\Viewpoint
2007-05-11 19:11:34 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Viewpoint
2007-05-07 10:29:48 0 d-------- C:\Program Files\Norton AntiVirus
2007-05-06 22:10:11 37019 --a------ C:\WINDOWS\system32\ps2.exe
2007-05-06 22:10:11 37019 --a------ C:\WINDOWS\system32\hkcmd.exe
2007-05-02 1814 0 d-------- C:\Program Files\Symantec
2007-05-01 17:37:53 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-01 14:49:36 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Lavasoft
2007-05-01 14:49:13 0 d-------- C:\Program Files\Lavasoft
2007-05-01 14:34:04 0 d-------- C:\Program Files\Install Provider
2007-04-11 14:57:40 233472 --a------ C:\WINDOWS\system32\REX Shared Library.dll <Not Verified; Propellerhead Software AB; n/a>
2007-04-04 19:05:15 46 --a------ C:\WINDOWS\system32\DonationCoder_urlsnooper_InstallInfo.dat


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
{55EA1964-F5E4-4D6A-B9B2-125B37655FCB} C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{BDF3E430-B101-42AD-A544-FADC6B084872} C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"HPHUPD06"="c:\\Program Files\\HP\\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\\hphupd06.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SoundMan"="SOUNDMAN.EXE"
"AlcWzrd"="ALCWZRD.EXE"
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"IPInSightMonitor 01"="\"C:\\Program Files\\SBC Yahoo!\\Connection Manager\\IP InSight\\IPMon32.exe\""
"2wSysTray"="C:\\Program Files\\2Wire\\2PortalMon.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"BearShare"="\"C:\\Program Files\\BearShare\\BearShare.exe\" /pause"
"PrevxOne"="\"C:\\Program Files\\Prevx1\\PXConsole.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"="SpySubtract Shell Extension"
"{CA2CFBDE-0F94-491B-9286-00C60C553954}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hphmon06"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hphmon06.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxOne]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PXConsole"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Prevx1\\PXConsole.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
Shell\AutoRun\command D:\setup.exe


-- End of Deckard's System Scanner: finished at 2007-06-22 at 11:54:18 ---------
VipaGTS is offline  
Old 06-22-2007, 08:10 PM   #16 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: I need some big help...PLEASE...

Hiya,

Please ensure Hidden files and folders are viewable:

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

--------------------------------------------------------------------

Kaspersky has thrown up a lot of false positives. The following are the only items that need to be deleted.

Using 'My Computer', navigate to and delete the following Files and Folders if they still exist.

C:\Program Files\Mozilla Firefox\ keygen.exe
C:\WINDOWS\system32\ aul7t9dr.ini
C:\ data
C:\WINDOWS\system32\ SBO

--------------------------------------------------------------------

Clear out Norton's Quarantine folder. If you're unsure on how to do it, you can use Symantec's guide.

---------------------------------------------------------

We're just about through here. I realize these online scans are time consuming, but due to the level of infection that was present on this system, I'd like to use another scanner this time.

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


Post the Panda results please.




__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-23-2007, 11:20 AM   #17 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 13
OS: XP


Re: I need some big help...PLEASE...

Alright here are the PandaScan Results:


Incident Status Location

Virus:Trj/KillAv.GB Disinfected Operating system
Potentially unwanted tool:application/myglobalsearch Not disinfected c:\program files\MyGlobalSearch
Adware:adware/savenow Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.com.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.www.myaffiliateprogram.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.go.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.xiti.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.sextracker.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.clickbank.net/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.advertising.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\zw3u2kqk.default\cookies.txt[.casalemedia.com/]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-2075dd4b-6d76b15b.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-2075dd4b-77cbe876.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-70bd7dd6-20c1dae8.zip[Dummy.class]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@2o7[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@adrevolver[3].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ads.addynamix[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@azjmp[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@bluestreak[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@burstnet[1].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@clickbank[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@doubleclick[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@drivecleaner[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ehg-dig.hitbox[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@fastclick[2].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@findwhat[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@go[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@i.screensavers[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@klik.klikadvertising[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@mediaplex[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@realmedia[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@server.iad.liveperson[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@statcounter[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@stats.drivecleaner[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@tribalfusion[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@www.drivecleaner[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@www.myaffiliateprogram[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@xiti[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@zedo[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\HP_Owner\Desktop\ComboFix\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\HP_Owner\Desktop\ComboFix\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Virus:Trj/KillAv.GB Disinfected C:\Program Files\2Wire\2PortalMon.exe
Virus:Malware Generic Disinfected C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll
Virus:Trj/KillAv.GB Disinfected C:\Program Files\Common Files\Real\Update_OB\realsched.exe
Hacktool:HackTool/EvID Not disinfected C:\Program Files\Common Files\Synacast\SynaLive\EvID4226Patch.exe
Virus:Trj/KillAv.GB Disinfected C:\Program Files\Winamp\winampa.exe
Virus:Trj/Agent.FQU Disinfected C:\QooBox\Quarantine\C\Documents and Settings\HP_Owner\APPLIC~1\tmp787.tmp.exe.vir
Virus:Trj/Lowzones.TP Disinfected C:\QooBox\Quarantine\C\Documents and Settings\HP_Owner\APPLIC~1\tmp788.tmp.exe.vir
Virus:Bck/Bifrose.AUY Disinfected C:\QooBox\Quarantine\C\WINDOWS\csrss.exe.vir
Virus:Trj/Downloader.MDW Disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\advvpi32.dll.vir
Adware:Adware/WinAntivirus2006 Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\axtmbffp.dll.vir
Hacktool:Rootkit/NTRootkit.AI Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\ip6fw.sys.vir
Adware:Adware/WinAntivirus2006 Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\eskeatxh.dll.vir
Virus:Trj/KillAv.GB Disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\lsasss.exe.vir
Adware:Adware/WinAntivirus2006 Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\ojufnvia.dll.vir
Adware:Adware/WebSearch Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\pnxtxqyc.dll.vir
Virus:Trj/Downloader.ODW Disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\smpi1\win106.exe.vir
Virus:Trj/Agent.FQU Disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\tmp35E.tmp.dll.vir
Adware:Adware/WinAntivirus2006 Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\ulnwgmmr.dll.vir
Virus:Trj/Downloader.ORQ Disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\wmvds32.dll.vir
Virus:Trj/Agent.EAZ Disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\wtibuutq.dll.vir
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Virus:Malware Generic Disinfected C:\SDFix\backups\backups.zip[backups/ietools.dll]
Virus:Malware Generic Disinfected C:\SDFix\backups_old1\backups.zip[backups/ietools.dll]
Virus:Trj/KillAv.GB Disinfected C:\WINDOWS\CREATOR\Remind_XP.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Virus:Trj/KillAv.GB Disinfected C:\WINDOWS\SMINST\RECGUARD.EXE
Potentially unwanted tool:Application/RealSpy Not disinfected C:\WINDOWS\system32\actskn45.ocx
Virus:Trj/KillAv.GB Disinfected C:\WINDOWS\system32\hkcmd.exe
Virus:Trj/KillAv.GB Disinfected C:\WINDOWS\system32\ps2.exe
VipaGTS is offline  
Old 06-23-2007, 10:31 PM   #18 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: I need some big help...PLEASE...

Hi,

Clear Mozilla Firefox cookies:
Open the Mozilla Browser (you do not need to be online to do this) and click Tools>Options>Privacy>Cookies>Clear

-----------------------------------

Clear Internet Explorer Cookies: (you do not need to be connected to the internet to perform this)
Launch Internet Explorer>Tools>Internet Options>Delete Cookies

-----------------------------------

Please download and run FindAWF

When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-24-2007, 10:22 AM   #19 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 13
OS: XP


Re: I need some big help...PLEASE...

Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

02/11/2003 12:02 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\2WIRE\BAK

09/15/2004 01:52 AM 393,216 2PortalMon.exe
1 File(s) 393,216 bytes

Directory of C:\PROGRA~1\AIM\BAK

06/02/2005 02:34 AM 67,160 aim.exe
1 File(s) 67,160 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

05/02/2007 06:05 PM 100,056 SNDMon.exe
1 File(s) 100,056 bytes

Directory of C:\PROGRA~1\WINAMP\BAK

12/20/2004 11:41 AM 33,792 winampa.exe
1 File(s) 33,792 bytes

Directory of C:\WINDOWS\CREATOR\BAK

12/13/2004 07:23 PM 663,552 Remind_XP.exe
1 File(s) 663,552 bytes

Directory of C:\WINDOWS\SMINST\BAK

04/14/2004 01:43 PM 233,472 RECGUARD.EXE
1 File(s) 233,472 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

11/02/2004 08:59 AM 126,976 hkcmd.exe
10/25/2004 02:17 PM 90,112 ps2.exe
2 File(s) 217,088 bytes

Directory of C:\HP\DRIVERS\HPLSBW~1\BAK

10/14/2004 02:54 PM 253,952 lsburnwatcher.exe
1 File(s) 253,952 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

01/09/2007 06:32 PM 58,984 ccApp.exe
1 File(s) 58,984 bytes

Directory of C:\PROGRA~1\HP\{AAC4F~1\BAK

06/07/2004 11:53 AM 49,152 hphupd06.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

02/16/2005 05:25 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

02/16/2005 05:03 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\PROGRA~1\SBCYAH~1\CONNEC~1\IPINSI~1\BAK

07/14/2003 12:30 PM 98,304 IPMon32.exe
1 File(s) 98,304 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
393216 Sep 15 2004 "C:\Program Files\2Wire\bak\2PortalMon.exe"
67160 Jun 2 2005 "C:\Program Files\AIM\aim.exe"
67160 Jun 2 2005 "C:\Program Files\AIM\bak\aim.exe"
100056 May 2 2007 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
33792 Dec 20 2004 "C:\Program Files\Winamp\bak\winampa.exe"
663552 Dec 13 2004 "C:\WINDOWS\CREATOR\bak\Remind_XP.exe"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
126976 Nov 2 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\hkcmd.exe"
90112 Oct 25 2004 "C:\hp\drivers\keyboard\PS2.EXE"
90112 Oct 25 2004 "C:\WINDOWS\system32\bak\ps2.exe"
253952 Oct 14 2004 "C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
49152 Jun 7 2004 "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe"
180269 Feb 16 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
32881 Feb 16 2005 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"
98304 Jul 14 2003 "C:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\bak\IPMon32.exe"


end of report
VipaGTS is offline  
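As an added example (not part of the thread and not FindAWF's own code), a small parser for the "Duplicate files of bak directory contents" section of the report above: for every file under a `bak` folder it checks whether the report also lists the live file at the original location with the same size, so the startup executables whose live copy no longer matches the clean backup stand out for triage. The report excerpt is copied from the post; the line format assumed by the regex is an assumption drawn from that excerpt.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Excerpt of the "Duplicate files of bak directory contents" section of the
# FindAWF report posted in this thread (sizes, dates and paths copied as posted).
REPORT_EXCERPT = r'''
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
393216 Sep 15 2004 "C:\Program Files\2Wire\bak\2PortalMon.exe"
67160 Jun 2 2005 "C:\Program Files\AIM\aim.exe"
67160 Jun 2 2005 "C:\Program Files\AIM\bak\aim.exe"
126976 Nov 2 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
32881 Feb 16 2005 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"

end of report
'''

# Assumed line format: <size> <Mon> <day> <year> "<path>"
LINE_RE = re.compile(r'^(\d+)\s+(\w{3}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"$')

STATUS_MATCH = "live copy matches backup"
STATUS_DIFFERS = "live copy differs or is missing"


@dataclass(frozen=True)
class Entry:
    size: int
    date: str
    path: str


def parse_duplicates(report: str) -> List[Entry]:
    """Return one Entry per file line in the duplicates section; other lines are ignored."""
    entries = []
    for raw in report.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def live_path_for(bak_path: str) -> Optional[str]:
    """Map ...\<dir>\bak\<file> to ...\<dir>\<file>; None if the file is not under a bak folder."""
    parts = bak_path.split("\\")
    if len(parts) < 3 or parts[-2].lower() != "bak":
        return None
    return "\\".join(parts[:-2] + parts[-1:])


def triage(report: str) -> Dict[str, str]:
    """For each backed-up executable, report whether the live file at the original
    location appears in the duplicates list with the same size (Windows paths are
    compared case-insensitively)."""
    entries = parse_duplicates(report)
    by_path = {e.path.lower(): e for e in entries}
    results: Dict[str, str] = {}
    for e in entries:
        live = live_path_for(e.path)
        if live is None:
            continue  # a copy somewhere else, not a bak backup
        live_entry = by_path.get(live.lower())
        if live_entry is not None and live_entry.size == e.size:
            results[live] = STATUS_MATCH
        else:
            results[live] = STATUS_DIFFERS
    return results


def flagged(report: str) -> List[str]:
    """Live paths whose on-disk copy no longer matches the clean bak copy, sorted."""
    return sorted(p for p, s in triage(report).items() if s == STATUS_DIFFERS)


if __name__ == "__main__":
    for path, status in sorted(triage(REPORT_EXCERPT).items()):
        print(f"{status:32s} {path}")
```

Paths that are flagged here are the same ones Panda reported as "Trj/KillAv.GB Disinfected" above (for example C:\WINDOWS\system32\hkcmd.exe), which is why the bak copy rather than the live file is the reference for restoring them.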
Old 06-24-2007, 11:33 PM   #20 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: I need some big help...PLEASE...

Panda appears to have successfully disinfected those infected legit files, but more steps are needed to complete the fix for the AWF trojan.

Download: ResetProtocolDefaults.reg
http://www.mvps.org/winhelp2002/Rese...olDefaults.reg

Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop.

-------------------------------------------------------

Close any open browsers.

-------------------------------------------------------

Right click on DelO15Domains and choose Install.
  • It will run immediately (you won't be able to see anything happen). You may delete it afterwards.
  • Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.


Now locate "ResetProtocolDefaults.reg"
Right-click and select: Merge (Ok the prompt)

-------------------------------------------------------------

Reboot your system.

-------------------------------------------------------

Run a new online scan at Panda and post the results here.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Copyright 2001 - 2009, Tech Support Forum