Sysvxd.exe / NTVDM CPU illegal instruction pop-up

[HitmanBoy]

Hello,
I'm currently getting the following pop-up message intermittently (2-3 times per session):

16 bit MS DOS Subsystem
C:\WINDOWS\Sysvxd.exe
The NTVDM CPU has encountered an illegal instruction.
CS:06cf IP:0231 OP:63 75 74 20 69 Choose 'Close' to terminate the application

I understand this could be spy/malware and would like help removing it.

I couldn't successfully run GMER, as explained here, but was advised to submit my question anyway.

The other relevant files are included with this post.

Thanks.


DDS:


DDS (Ver_09-03-16.01) - NTFSx86
Run by HP_Owner at 9:20:15.25 on 11/04/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.503.158 [GMT 1:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Creative\Software Update 3\SoftAuto.exe
C:\Program Files\Messenger\msmsgs.exe
"C:\WINDOWS\system32\drivers\svchost.exe"
C:\Program Files\Belkin\F5D7001v2000\Belkinwcui.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.magictaxi.co.uk/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://register.hp.com/servlet/WebReg.servlets.ProdReg1Servlet?appID=java_wreg_wreg_genpg&prodOS=011&gwCountry=GB&language=en&PURCH_DT_MONTH=07&PURCH_DT_DAY=04&PURCH_DT_YEAR=2005&PROD_SERIAL_ID=CZB51802Y4&application=305&modelID=PX634AA&LF=blue
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Click-to-Call BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - c:\program files\windows live\messenger\wlchtc.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
TB: {65DCB62D-0C89-467B-BCC3-B04FB0773D1E} - No File
EB: {6A80972B-ACC9-4BB9-A1E0-69F2EAEA763D} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [SoftAuto.exe] "c:\program files\creative\software update 3\SoftAuto.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Home Theater SchSvr] "c:\program files\common files\intervideo\schsvr\SchSvr.exe"
mRun: [WINREMOTE] "c:\program files\intervideo\common\bin\WinRemote.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [AutoTBar] c:\program files\hp\digital imaging\bin\AUTOTBAR.EXE
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [DT HPW] c:\program files\portrait displays\hp my display\DTHtml.exe -startup_folder
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [WinampAgent] f:\winamp\winampa.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d7001v2000\Belkinwcui.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
LSP: c:\windows\system32\imon.dll
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15031/CTSUEng.cab
DPF: {0CFA086E-6336-4D95-B6AA-90F564E99631} - hxxp://www.shopandscan.com/TNSClicker.CAB
DPF: {0EB73E39-8AD4-43E8-8FBA-0165C2CCDB8B} - hxxp://www.midasplayer.com/midasa.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/LSSupCtl.cab
DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} - hxxp://www.couponreport.net/ftp/v3123/csauie1.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.snapfish.co.uk/SnapfishUKActivia.cab
DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} - hxxp://www.king.com/ctl/kingcomie.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} - hxxp://webeffective.keynote.com/applications/pconnector/download/ConnectorLauncher.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166123399718
DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} - hxxp://cid-18a20eba602fcfb9.spaces.live.com/PhotoUpload/MsnPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} - hxxps://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} - hxxp://drm1.reelsurvey.com/ePlayer/V3_2_0_0/ACNePlayer.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://games-uk.pogo.com/online2/pogo/bejeweled2/popcaploader_v6.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15034/CTPID.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\u9wp2of4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.magictaxi.co.uk/
FF - prefs.js: keyword.URL - hxxp://kwtb.search.imgag.com/?c=GNKIW29193&sbs=1&sc=2&f=web&vernum=1.0&uid=&did=f8d4a70c-98e2-4081-901d-01bf93043ede&q=
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmidas.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-5-11 15424]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2007-5-11 552064]
R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [2005-1-2 24544]
S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\creative\creative centrale\CTUPnPSv.exe [2008-5-21 64000]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\drivers\s125bus.sys [2007-4-24 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\system32\drivers\s125mdfl.sys [2007-4-24 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\system32\drivers\s125mdm.sys [2007-4-24 108680]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\system32\drivers\s125obex.sys [2007-4-24 98696]
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w200mgmt.sys [2009-1-3 88560]

=============== Created Last 30 ================

2009-04-08 00:51 52,529 a------- c:\windows\Sysvxd.exe
2009-04-07 23:10 41,472 a------- c:\windows\system32\drivers\svchost.exe

==================== Find3M ====================

2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 12:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-06 19:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-01-16 22:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-07-21 20:40 926 a------- c:\docume~1\hp_owner\applic~1\wklnhst.dat
2007-06-09 20:47 87,608 a------- c:\docume~1\hp_owner\applic~1\inst.exe
2007-06-09 20:47 47,360 a------- c:\docume~1\hp_owner\applic~1\pcouffin.sys
2007-06-06 00:41 7,819 a------- c:\docume~1\hp_owner\applic~1\mdb.bin
2004-12-01 18:34 716 a---h--- c:\docume~1\alluse~1\applic~1\pb7msys.dat
2006-05-31 18:39 22 a--sh--- c:\windows\sminst\HPCD.sys
2008-08-23 15:28 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082320080824\index.dat

============= FINISH: 9:20:48.18 ===============

[Angelfire777]

Please rename GMER anyway and see if it will run properly after that.

If it still won't work,

Download RootRepeal.zip to your Desktop and extract the compressed file to it's own folder.

Open the folder and doubleclick on RootRepeal.exe to run it.

• Click on the Report tab, and then click on: Scan
• A window opens asking what to include in the scan.
• Check the following boxes then click OK:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

• You will then be asked which drive to scan.
• Check C: (or the drive your operating system is installed on, if not C)
• Click OK once again.
• The tool will begin scanning and may take a while to complete, so please be patient.

When the scan finishes, click on: Save Report. Save it to your desktop so you may find it easily.

Please attach the report in your next reply.

[HitmanBoy]

Hello again....attached is the RootRepeal report. Thanks.

[HitmanBoy]

Just as an addendum:

Starting today, each time I boot up I'm getting a Data Execution Prevention pop-up that states,

"To help protect your computer, Windows has closed this program.
Name: Spooler SubSystem App
Publisher: Microsoft Corporation"


Thanks.

[Angelfire777]

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

[HitmanBoy]

Hello...the ComboFix report follows:


ComboFix 09-04-27.02 - HP_Owner 27/04/2009 20:59.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.503.162 [GMT 1:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Owner\Application Data\inst.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\drivers\svchost.exe
c:\windows\system32\mcrh.tmp
c:\windows\Sysvxd.exe
c:\windows\Temp\scsF.tmp
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-4-27 )))))))))))))))))))))))))))))))
.

2009-04-26 09:30 . 2009-04-26 09:30 -------- d-----w C:\spoolerlogs
2009-04-26 03:10 . 2009-04-26 03:10 27648 ----a-w c:\windows\system32\lspfre.dll
2009-04-15 18:49 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 18:49 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 18:49 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 18:49 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 18:49 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 18:49 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 18:49 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 18:49 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 18:49 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 18:49 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 18:49 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 19:56 . 2007-05-11 17:58 -------- d-----w c:\program files\ESET
2009-04-10 08:13 . 2005-01-02 02:51 -------- d-----w c:\program files\Java
2009-03-09 04:19 . 2008-12-03 20:06 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-04 13:53 . 2009-03-04 13:41 -------- d-----w c:\program files\Camfrog
2009-03-04 13:36 . 2009-03-04 13:10 -------- d-----w c:\program files\Yahoo!
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-27 21:32 . 2009-02-27 21:32 -------- d-----w c:\program files\Common Files\Skype
2009-02-27 21:32 . 2009-02-27 21:32 -------- d-----r c:\program files\Skype
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 11:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 18:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 18:02 . 2004-08-04 18:00 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 18:52 . 2009-02-06 18:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-04 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2006-05-31 17:39 . 2006-05-31 17:39 22 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SoftAuto.exe"="c:\program files\Creative\Software Update 3\SoftAuto.exe" [2008-05-28 401408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"Home Theater SchSvr"="c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2005-10-20 106496]
"WINREMOTE"="c:\program files\InterVideo\Common\Bin\WinRemote.exe" [2005-10-20 262144]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-05-11 949376]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-04-25 280064]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-03-17 61952]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-02-21 90112]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-02-18 2754560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless Utility.lnk - c:\program files\Belkin\F5D7001v2000\Belkinwcui.exe [2007-8-5 1572864]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [2008-05-21 64000]
R3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\DRIVERS\s125bus.sys [2007-04-24 83336]
R3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s125mdfl.sys [2007-04-24 15112]
R3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s125mdm.sys [2007-04-24 108680]
R3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s125obex.sys [2007-04-24 98696]
R3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\w200mgmt.sys [2006-11-07 88560]
S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-05-11 15424]
S3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\DRIVERS\PhTVTune.sys [2004-10-24 24544]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a448b422-1390-11dc-ab75-009096f8bb76}]
\Shell\AutoRun\command - Adobe Photoshop Elements\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe
HKLM-Run-AutoTBar - c:\program files\HP\Digital Imaging\bin\AUTOTBAR.EXE
HKLM-Run-WinampAgent - f:\winamp\winampa.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://register.hp.com/servlet/WebReg.servlets.ProdReg1Servlet?appID=java_wreg_wreg_genpg&prodOS=011&gwCountry=GB&language=en&PURCH_DT_MONTH=07&PURCH_DT_DAY=04&PURCH_DT_YEAR=2005&PROD_SERIAL_ID=CZB51802Y4&application=305&modelID=PX634AA&LF=blue
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
LSP: c:\windows\system32\imon.dll
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0CFA086E-6336-4D95-B6AA-90F564E99631} - hxxp://www.shopandscan.com/TNSClicker.CAB
DPF: {0EB73E39-8AD4-43E8-8FBA-0165C2CCDB8B} - hxxp://www.midasplayer.com/midasa.cab
DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} - hxxp://www.couponreport.net/ftp/v3123/csauie1.cab
DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} - hxxp://www.king.com/ctl/kingcomie.cab
DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} - hxxp://drm1.reelsurvey.com/ePlayer/V3_2_0_0/ACNePlayer.cab
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\u9wp2of4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/webhp?hl=en
FF - prefs.js: keyword.URL - hxxp://kwtb.search.imgag.com/?c=GNKIW29193&sbs=1&sc=2&f=web&vernum=1.0&uid=&did=f8d4a70c-98e2-4081-901d-01bf93043ede&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmidas.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-27 21:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(740)
c:\windows\system32\imon.dll
.
Completion time: 2009-04-27 21:05
ComboFix-quarantined-files.txt 2009-04-27 20:03

Pre-Run: 124,771,270,656 bytes free
Post-Run: 129,718,697,984 bytes free

166 --- E O F --- 2009-04-15 23:48



Thank you!

[Angelfire777]

Hi,

*I see you have Viewpoint installed...
Viewpoint related software are considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

• Viewpoint
• Viewpoint Manager
• Viewpoint Media Player

Also, please uninstall the following old java versions. They are security vulnerabilities and they take up a lot of unnecessary space.

Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03

*Open notepad.
Copy and paste the text inside the code box below to notepad

Code:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"=-
Filelook::
c:\windows\system32\lspfre.dll
DDS::
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
TB: {65DCB62D-0C89-467B-BCC3-B04FB0773D1E} - No File
EB: {6A80972B-ACC9-4BB9-A1E0-69F2EAEA763D} - No File

• Save and Name it as "CFScript"
• Drag and drop CFScript.txt to your copy of combofix.

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.



*Next, it's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:

• Close any open programs
  
• Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.

• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
  
  
  
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

On your next reply, please include a

• kaspersky scan log
• combofix log

[HitmanBoy]

Hello again. I wasn't sure if you wanted these as attachments or just pasted in here, but here they are. Thanks!

[Angelfire777]

Hi,

*Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type clean.bat in the File name and save it to your desktop.

Code:

@echo off 
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in ( 
"C:\WINDOWS\csauie1.ocx"
"C:\WINDOWS\system32\lspfre.dll"
"C:\Program Files\ESET\infected\2S0INHDA.NQF"
"C:\Program Files\ESET\infected\E51WHLAA.NQF"	
"C:\Program Files\ESET\infected\J3VLH2AA.NQF"
) do ( 
del /a/f/q %%g 
if exist %%g echo.%%g >>"%temp%\log.txt" 
)>nul 2>&1 

if exist "%temp%\log.txt" (start notepad "%temp%\log.txt" 
) else echo.Deleted Successfully! 
echo. 
pause 
del %0

Locate clean.bat on your Desktop and double-click on it. Tell me what it says.

let me know how's it running.

[HitmanBoy]

Hello again. Here's what the clean.bat log said:

"C:\WINDOWS\system32\lspfre.dll"

I'm no longer getting the annoying pop-up, however, my printer isn't being recognized because it says the RPC server is unavailable. I also keep hearing somewhat random beep-type sounds as I'm using the computer.

Thanks.

[Angelfire777]

*Open notepad.
Copy and paste the text inside the code box below to notepad

Code:

Collect::
C:\WINDOWS\system32\lspfre.dll

• Save and Name it as "CFScript"
• Drag and drop CFScript.txt to your copy of combofix.

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

• Ensure you are connected to the internet and click OK on the message box.

If you do not get a message box, please do the following:

There should be a file named [4]-Submit_date@time.zip with today's date, located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

Please let me know if you successfully submitted the file. Thanks.


When did the printer problem start happening? Can you give me the full error detail please?

[HitmanBoy]

Hello, I've successfully submitted the file.
Happily, I've just turned on my printer and it was recognized successfully after running that last combofix.
Prior to that, I was getting this message at each startup (I mentioned it in my post on 04-26 :-) ):

"To help protect your computer, Windows has closed this program.
Name: Spooler SubSystem App
Publisher: Microsoft Corporation"

...and then when I would turn on my printer I got the message from Windows about the RPC server...(sorry, I'm not getting it now, so I can't say exactly what it said, but it was in the Install Hardware wizard...guess that's a good thing that I'm no longer getting it!...?)

I haven't heard any 'beeping' since that last combofix either. I'm cautiously optimistic...

Thanks.

[Angelfire777]

Can you post the contents of C:\ComboFix.txt please

[HitmanBoy]

Here is the most recent:

ComboFix 09-04-27.02 - HP_Owner 30/04/2009 21:12.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.503.226 [GMT 1:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\lspfre.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-30 )))))))))))))))))))))))))))))))
.

2009-04-29 20:07 . 2009-04-29 20:10 -------- d-----w C:\RECYCLER(2)
2009-04-26 09:30 . 2009-04-26 09:30 -------- d-----w C:\spoolerlogs
2009-04-15 18:49 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 18:49 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 18:49 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 18:49 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 18:49 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 18:49 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 18:49 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 18:49 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 18:49 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 18:49 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 18:49 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 18:51 . 2005-01-02 02:51 -------- d-----w c:\program files\Java
2009-04-27 19:56 . 2007-05-11 17:58 -------- d-----w c:\program files\ESET
2009-03-09 04:19 . 2008-12-03 20:06 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-04 13:53 . 2009-03-04 13:41 -------- d-----w c:\program files\Camfrog
2009-03-04 13:36 . 2009-03-04 13:10 -------- d-----w c:\program files\Yahoo!
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 11:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 18:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 18:02 . 2004-08-04 18:00 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 18:52 . 2009-02-06 18:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-04 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2006-05-31 17:39 . 2006-05-31 17:39 22 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-27_20.02.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-30 20:15 . 2009-04-30 20:15 16384 c:\windows\Temp\Perflib_Perfdata_7c0.dat
+ 2004-11-09 20:25 . 2009-04-30 18:45 64908 c:\windows\system32\perfc009.dat
+ 2009-04-29 20:10 . 2009-04-29 20:11 320352 c:\windows\system32\Restore\rstrlog.dat
+ 2004-11-09 20:25 . 2009-04-30 18:45 408888 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SoftAuto.exe"="c:\program files\Creative\Software Update 3\SoftAuto.exe" [2008-05-28 401408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"Home Theater SchSvr"="c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2005-10-20 106496]
"WINREMOTE"="c:\program files\InterVideo\Common\Bin\WinRemote.exe" [2005-10-20 262144]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-05-11 949376]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-04-25 280064]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-03-17 61952]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-02-21 90112]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-02-18 2754560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless Utility.lnk - c:\program files\Belkin\F5D7001v2000\Belkinwcui.exe [2007-8-5 1572864]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [2008-05-21 64000]
R3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\DRIVERS\s125bus.sys [2007-04-24 83336]
R3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s125mdfl.sys [2007-04-24 15112]
R3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s125mdm.sys [2007-04-24 108680]
R3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s125obex.sys [2007-04-24 98696]
R3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\w200mgmt.sys [2006-11-07 88560]
S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-05-11 15424]
S3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\DRIVERS\PhTVTune.sys [2004-10-24 24544]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a448b422-1390-11dc-ab75-009096f8bb76}]
\Shell\AutoRun\command - Adobe Photoshop Elements\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://register.hp.com/servlet/WebReg.servlets.ProdReg1Servlet?appID=java_wreg_wreg_genpg&prodOS=011&gwCountry=GB&language=en&PURCH_DT_MONTH=07&PURCH_DT_DAY=04&PURCH_DT_YEAR=2005&PROD_SERIAL_ID=CZB51802Y4&application=305&modelID=PX634AA&LF=blue
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
LSP: c:\windows\system32\imon.dll
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0CFA086E-6336-4D95-B6AA-90F564E99631} - hxxp://www.shopandscan.com/TNSClicker.CAB
DPF: {0EB73E39-8AD4-43E8-8FBA-0165C2CCDB8B} - hxxp://www.midasplayer.com/midasa.cab
DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} - hxxp://www.couponreport.net/ftp/v3123/csauie1.cab
DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} - hxxp://www.king.com/ctl/kingcomie.cab
DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} - hxxp://drm1.reelsurvey.com/ePlayer/V3_2_0_0/ACNePlayer.cab
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\u9wp2of4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/webhp?hl=en
FF - prefs.js: keyword.URL - hxxp://kwtb.search.imgag.com/?c=GNKIW29193&sbs=1&sc=2&f=web&vernum=1.0&uid=&did=f8d4a70c-98e2-4081-901d-01bf93043ede&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmidas.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 21:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(752)
c:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(3320)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wltrysvc.exe
c:\windows\system32\bcmwltry.exe
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\ESET\nod32krn.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\WTablet\TabUserW.exe
c:\windows\system32\Tablet.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
.
**************************************************************************
.
Completion time: 2009-04-30 21:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-30 20:20
ComboFix2.txt 2009-04-29 19:03
ComboFix3.txt 2009-04-27 20:05

Pre-Run: 129,724,346,368 bytes free
Post-Run: 129,793,318,912 bytes free

186 --- E O F --- 2009-04-29 23:44

[Angelfire777]

*Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

Quote:

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000

Save this as fix.reg Choose to save as *all files and place it on your desktop.

It should look like this:
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.


Click start > run > copy and paste:

combofix /u

That will hide your system files, clear your system restore cache and uninstall combofix.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Read TonyKlein's How Did I Get Infected In The First Place?.

Please check out miekiemoes' "How to Prevent Malware"

Happy safe surfing!

Note: Please reply to this thread one last time so I could mark it as resolved.

[HitmanBoy]

I've completed the last two steps.
Thank you so much! Does this mean my PC is now 'clean'?

[Angelfire777]

Yes

[HitmanBoy]

I'm really glad the pop-up and printer problem are gone, but I'm still getting those annoying beeping sounds intermittently. I'm not sure how else to describe them, other than it's the kind of sound it makes when a pop-up appears. Not really a 'beep'. It really started doing it when I just turned the printer on, and now it's doing it every couple minutes. Seems to be 'beeping' six times in succession each time it does it. Any ideas if this is left over from the virus removal process? It never happened before.
Thanks.

[Angelfire777]

Can you boot to safe mode and see if it "beeps" there?

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.

[HitmanBoy]

No, no beeping in safe mode.