Discussion Starter · #1 ·
Dear people at TSF,
I have to begin by saying that I am very embarrassed; my system was recently declared "clean" by the Defender of Haggis. I thought that I had followed his directions dutifully on keeping my computer free from further problems. I apparently screwed something up because I am now experiencing basically the same problems I had in the first place.

During the time my system was clean the only things I really had time to do were to uninstall/reinstall Mozilla Firefox. Firefox would not open for me and still doesn't. When I open Task Manager it tells me Firefox is running but it is not on my screen. Aside from that I deleted some e-mail.

I came home from work two days later to find a bunch of programs open, some of them in truncated windows with warnings from SpyBot that a number of BHOs had been installed on my computer. It took forever to close the programs; most were "not responding". Any program I tried to open would simply open to a blank screen and then hang there refusing to respond.

I finally had to physically cut the power to my computer because it would not shut down on its own. I rebooted in safe mode and ran all of my anti-virus/ad-ware/spy-ware tools until every one came up empty-handed (my attempts to update Ad-Aware SE and XoftSpy SE "failed"). Also, I could not download CWShredder.

I have to note that I found a folder that had politely installed itself on my hard drive called "bintheredunthat" at C:\bintheredunthat. I did not install it and I don't know how long it's been there; I impulsively deleted it. I hope that wasn't the wrong thing to do; it appeared to be empty. I researched bintheredunthat and found that it is the screen name of one Andrew Lee of Oakville, Ontario, Canada. It's probably a coincidence, but if Andrew is responsible for my problems I will drive to Oakville and first shake Mr. Lee's hand to congratulate him on his fine spate of programming, and then, just to make sure we have no misunderstandings, kick him very hard in the knee cap.

Here's what's going on now.

I still cannot use Mozilla.

I get numerous messages upon boot up about Browser Helper Objects that want to install. I deny them only to find later that they install anyhow. These files look like the very ones I deleted with HJT in my first run with Tech Support (i.e. {OBDB22CO-4A4O-9A9D-71F314BB75DB} and rnnypbw.exe).

My computer tries to change my search page upon booting up.

I get a message while booting that says: SG Browser is trying to change browser search settings.

Programs run slowly or lapse into "not responding" and will not close.

Internet is slow also but only sometimes.

I closed off my internet traffic with ZoneAlarm and started getting messages about ZoneAlarm blocking "Internet Broadcasts" to my computer.

Last night I returned home from work to find a message on my screen saying a device driver was added to my computer and that it had recovered from a "STOP ERROR" and that I should alert Microsoft, which I did.

I hope this information is useful. Please have a look at my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:53:12 PM, on 1/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.dogpile.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://renewalcenter.symantec.com/s...locale=iso:USA&vendid=002&vendtag=EX325AA-ABA
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.aim.com
O15 - Trusted Zone: www.myspace.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156045091578
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4942/mcfscan.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 

TSF Security Manager, Emeritus
Hello JaxMax,

The bintheredunthat folder was created by the BFU tool used in your last set of fixes. It was ok to delete that. :smile:

Before I go after the malware I see, I suspect a hidden rootkit, and if it's aboard, that needs to be dealt with first. Please download and run the following tool; it will only take a few minutes to complete and will reveal the presence of a suspected rootkit if it's there.

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

-------------------------------------

Close any open browsers.

-------------------------------------


Double-click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Post the ComboFix.txt in your next reply.
 

Discussion Starter · #4 · (Edited)
Running ComboFix

Dear Tech support Person,
First of all, thanks for your response and thanks in advance for your help. I should also apologise to Mr. Lee for my angry threat to kick him in the knee; I was only joking.

I have had some relief from some of my problems by downloading a program called PC Pitstop. I'm still having massive problems booting up; it is a laborious and tedious process consisting of warnings from ZoneAlarm about BHOs adding themselves to my system and me having to remove them. My main problem is that I seem to know just enough about what I'm doing to be dangerous. Half the files that Zone asks me about look like gibberish. Once booted though, my computer runs reasonably well, although I still cannot use Mozilla.

I had trouble using ComboFix. It ran but at the end told me: Process could not access file because it is being use by another process. I re-booted in safe mode and found ComboFix and ran it. I noticed some strange icons that popped into view on my desktop briefly when I ran ComboFix the first time. They were "moveex", "Look2me" and "Restatit". These are located in C:\Compaq_Administrator\downloads but I did not download these programs, at least not knowingly.

Here is the ComboFix log. Thanks again, Jack.

"Administrator" - 07-01-28 12:41:59 Service Pack 2
ComboFix 07-01-25 - Running from: "C:\Documents and Settings\Compaq_Administrator\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-28 to 2007-01-28 ))))))))))))))))))))))))))))))))))


2007-01-26 18:38 <DIR> d-------- C:\Program Files\Mozilla Firefox
2007-01-23 21:40 <DIR> d-------- C:\Program Files\PCPitstop
2007-01-18 17:33 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-01-18 15:24 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-01-15 15:38 <DIR> d-------- C:\Program Files\SpywareGuard
2007-01-14 00:21 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\Application Data\WinPatrol
2007-01-14 00:20 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-01-14 00:20 <DIR> d-------- C:\Program Files\BillP Studios
2007-01-14 00:07 90,112 --a------ C:\WINDOWS\system32\SnoopFreeSvc.exe
2007-01-14 00:07 9,472 --a------ C:\WINDOWS\system32\drivers\SnopFree.sys
2007-01-14 00:07 45,056 --a------ C:\WINDOWS\SnoopFreeDll.dll
2007-01-14 00:07 221,184 --a------ C:\WINDOWS\SnoopFreeUI.exe
2007-01-14 00:05 <DIR> d-------- C:\ie-spyad
2007-01-13 23:56 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-01-11 16:56 <DIR> d-------- C:\WINDOWS\ie7updates
2007-01-08 14:13 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-01-08 12:00 2,880 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-08 11:30 <DIR> d-------- C:\BFU
2007-01-08 11:20 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-07 18:36 <DIR> d-------- C:\Program Files\Grisoft
2007-01-07 18:07 339,257 --a------ C:\Program Files\CleanUp.exe
2007-01-05 14:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\INAC
2007-01-04 22:47 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\MailFrontier
2007-01-04 22:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Lavasoft
2007-01-04 15:00 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-01-04 14:58 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\.housecall6.6
2007-01-04 14:47 <DIR> d-------- C:\HJT
2007-01-04 14:42 218,112 --a------ C:\HijackThis.exe
2007-01-04 14:25 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\Application Data\IDM
2007-01-04 14:25 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\Application Data\DMCache
2007-01-04 14:24 <DIR> d-------- C:\Program Files\Internet Download Manager
2007-01-03 15:35 <DIR> d-------- C:\Program Files\Guild Wars
2007-01-03 11:13 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\Application Data\Uniblue
2007-01-03 11:12 5,553,096 --a------ C:\Program Files\speedupmypc3plib.exe
2006-12-31 13:38 <DIR> d-------- C:\WINDOWS\system32\IOSUBSYS
2006-12-31 13:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Google Updater


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-27 06:28 -------- d-------- C:\Program Files\xoftspyse
2007-01-26 21:42 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-01-26 18:23 -------- d-------- C:\Program Files\Common Files\aol
2007-01-14 11:52 -------- d-------- C:\Program Files\google
2007-01-08 14:57 -------- d-------- C:\Program Files\windows defender
2007-01-08 14:57 -------- d-------- C:\Program Files\symantec
2007-01-08 14:56 -------- d-------- C:\Program Files\quicktime
2007-01-08 14:51 -------- d-------- C:\Program Files\messenger
2007-01-08 14:50 -------- d-------- C:\Program Files\itunes
2007-01-08 14:42 -------- d-a------ C:\Program Files\Common Files\lightscribe
2007-01-08 12:13 -------- d---s---- C:\DOCUME~1\ADMINI~1\Application Data\microsoft
2007-01-05 14:32 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\mozilla
2007-01-02 14:58 478856 --a------ C:\Program Files\keyscrambler_personal-1.1.7-fx-windows.xpi
2007-01-02 14:35 -------- d-------- C:\Program Files\regcure
2007-01-02 12:25 -------- d-------- C:\Program Files\apple software update
2006-12-31 13:31 159743 --a------ C:\WINDOWS\google pack screensaver uninstaller.exe
2006-12-29 12:03 -------- d-------- C:\Program Files\vmn toolbox 4
2006-12-28 21:40 -------- d-------- C:\Program Files\bittorrent
2006-12-28 14:54 6820584 --a------ C:\Program Files\firefoxgoogletoolbarsetup.exe
2006-12-26 17:46 -------- d-------- C:\Program Files\windows media connect 2
2006-12-26 14:05 83401 --a------ C:\Program Files\knoppix_v5.0.1dvd-2006-06-01-en.torrent
2006-12-26 13:59 6180013 --a------ C:\Program Files\bittorrent-5.0.3.exe
2006-12-26 13:12 1021504 --a------ C:\WINDOWS\system32\vete.dll
2006-12-26 13:11 645904 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2006-12-26 13:11 115088 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2006-12-22 22:24 47104 --a------ C:\Program Files\atf-cleaner.exe
2006-12-21 19:28 381390 --a------ C:\Program Files\combofix.exe
2006-12-20 12:08 1494016 --a------ C:\Program Files\googlewebacceleratorsetup.msi
2006-12-11 12:04 2241451 --a------ C:\Program Files\webcollect_download.exe
2006-12-11 12:04 1983176 --a------ C:\Program Files\vmntoolbox.exe
2006-12-11 12:04 -------- d-------- C:\Program Files\vmntoolbar
2006-12-11 11:54 15505200 --a------ C:\Program Files\ie7-windowsxp-x86-enu.exe
2006-12-11 11:45 878384 --a------ C:\Program Files\wgaplugininstall.exe
2006-12-10 01:34 14888184 --a------ C:\Program Files\avinstall.exe
2006-12-07 09:21 5037072 --a------ C:\Program Files\spybotsd14.exe
2006-12-06 21:28 -------- d-------- C:\Program Files\lavasoft
2006-12-06 21:23 2855080 --a------ C:\Program Files\aawsepersonal.exe
2006-12-01 20:46 4677544 --a------ C:\Program Files\windows-kb890830-v1.22.exe
2006-12-01 18:42 54856 --a------ C:\Program Files\errornukerinstaller.exe
2006-11-28 21:39 13714856 --a------ C:\Program Files\zlssetup_65_737_000_en.exe
2006-11-12 17:58 5900416 --a------ C:\Program Files\firefox setup 2.0.exe
2006-11-08 20:16 5375056 --a------ C:\Program Files\spywarenukerxt.exe
2006-11-08 20:07 461312 --a------ C:\Program Files\w removal.doc
2006-11-08 19:59 461312 --a------ C:\Program Files\windowsremovaltoolwp.doc
2006-11-08 00:06 679424 --------- C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --a------ C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --a------ C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --a------ C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --a------ C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 18:08 4257704 --a------ C:\Program Files\windows-kb890830-v1.21.exe
2006-11-07 17:22 8598632 --a------ C:\Program Files\sdsetup.exe
2006-11-07 17:14 13012847 --a------ C:\Program Files\ssftrialsnrsetup5241.zip
2006-11-07 08:42 837184 --a------ C:\Program Files\googletoolbarinstaller.exe
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-01 21:55 8464 --a------ C:\WINDOWS\system32\sporder.dll
2006-10-19 07:18 989584 --a------ C:\Program Files\regcuresetup_46.exe
2006-10-18 15:40 1810824 --a------ C:\Program Files\xoftspyse429_205.exe
2006-10-17 20:14 2383640 --a------ C:\Program Files\xoftspy422_205.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"RTHDCPL"="RTHDCPL.EXE"
"AlwaysReady Power Message APP"="ARPWRMSG.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
@=""
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"nwiz"="nwiz.exe /install"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SnoopFreeUI"="SnoopFreeUI.exe"
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"PC Pitstop Optimize Scheduler"="C:\\Program Files\\PCPitstop\\Optimize\\PCPOptimize.exe -boot"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"item"="HP Digital Imaging Monitor"
"command"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "
"location"="Common Startup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
"item"="NkbMonitor.exe"
"command"="C:\\Program Files\\Nikon\\PictureProject\\NkbMonitor.exe "
"location"="Common Startup"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Compaq_Administrator.job
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\XoftSpySE.job

Completion time: 07-01-28 12:44:24
C:\ComboFix2.txt ... 07-01-28 12:30
C:\ComboFix3.txt ... 07-01-28 12:02
 

TSF Security Manager, Emeritus
Hi,

Can you please post the contents of ComboFix2.txt and ComboFix3.txt?

They can be found at:

C:\ComboFix2.txt
C:\ComboFix3.txt
 

Registered · 73 Posts · Discussion Starter · #6
ComboFix2-3

I spent about an hour and a half trying to post these logs. My computer had lapsed into slow motion, sorry. The ComboFix logs were not evident. I had to use the search tool to find them. Here are the logs:

"Compaq_Administrator" - 07-01-28 12:07:05 Service Pack 2
ComboFix 07-01-25 - Running from: "C:\Documents and Settings\Compaq_Administrator\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-28 to 2007-01-28 ))))))))))))))))))))))))))))))))))


2007-01-26 18:38 <DIR> d-------- C:\Program Files\Mozilla Firefox
2007-01-23 21:40 <DIR> d-------- C:\Program Files\PCPitstop
2007-01-18 17:33 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-01-18 15:24 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-01-15 15:38 <DIR> d-------- C:\Program Files\SpywareGuard
2007-01-14 00:21 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\Application Data\WinPatrol
2007-01-14 00:20 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-01-14 00:20 <DIR> d-------- C:\Program Files\BillP Studios
2007-01-14 00:07 90,112 --a------ C:\WINDOWS\system32\SnoopFreeSvc.exe
2007-01-14 00:07 9,472 --a------ C:\WINDOWS\system32\drivers\SnopFree.sys
2007-01-14 00:07 45,056 --a------ C:\WINDOWS\SnoopFreeDll.dll
2007-01-14 00:07 221,184 --a------ C:\WINDOWS\SnoopFreeUI.exe
2007-01-14 00:05 <DIR> d-------- C:\ie-spyad
2007-01-13 23:56 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-01-11 16:56 <DIR> d-------- C:\WINDOWS\ie7updates
2007-01-08 14:13 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-01-08 12:00 2,880 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-08 11:30 <DIR> d-------- C:\BFU
2007-01-08 11:20 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-07 18:36 <DIR> d-------- C:\Program Files\Grisoft
2007-01-07 18:07 339,257 --a------ C:\Program Files\CleanUp.exe
2007-01-05 14:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\INAC
2007-01-04 22:47 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\MailFrontier
2007-01-04 22:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Lavasoft
2007-01-04 15:00 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-01-04 14:58 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\.housecall6.6
2007-01-04 14:47 <DIR> d-------- C:\HJT
2007-01-04 14:42 218,112 --a------ C:\HijackThis.exe
2007-01-04 14:25 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\Application Data\IDM
2007-01-04 14:25 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\Application Data\DMCache
2007-01-04 14:24 <DIR> d-------- C:\Program Files\Internet Download Manager
2007-01-03 15:35 <DIR> d-------- C:\Program Files\Guild Wars
2007-01-03 11:13 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\Application Data\Uniblue
2007-01-03 11:12 5,553,096 --a------ C:\Program Files\speedupmypc3plib.exe
2006-12-31 13:38 <DIR> d-------- C:\WINDOWS\system32\IOSUBSYS
2006-12-31 13:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Google Updater


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-28 12:02 618 --a------ C:\Combo.bat
2007-01-28 10:49 2010 --a------ C:\DOCUME~1\COMPAQ~1\Application Data\.googlewebacchosts
2007-01-27 06:28 -------- d-------- C:\Program Files\xoftspyse
2007-01-26 21:42 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-01-26 18:23 -------- d-------- C:\Program Files\Common Files\aol
2007-01-14 11:52 -------- d-------- C:\Program Files\google
2007-01-08 14:57 -------- d-------- C:\Program Files\windows defender
2007-01-08 14:57 -------- d-------- C:\Program Files\symantec
2007-01-08 14:56 -------- d-------- C:\Program Files\quicktime
2007-01-08 14:51 -------- d-------- C:\Program Files\messenger
2007-01-08 14:50 -------- d-------- C:\Program Files\itunes
2007-01-08 14:42 -------- d-a------ C:\Program Files\Common Files\lightscribe
2007-01-08 14:37 -------- d-------- C:\DOCUME~1\COMPAQ~1\Application Data\symantec
2007-01-05 19:56 166 --a------ C:\DOCUME~1\COMPAQ~1\Application Data\wklnhst.dat
2007-01-02 14:58 478856 --a------ C:\Program Files\keyscrambler_personal-1.1.7-fx-windows.xpi
2007-01-02 14:35 -------- d-------- C:\Program Files\regcure
2007-01-02 12:25 -------- d-------- C:\Program Files\apple software update
2006-12-31 15:11 -------- d---s---- C:\DOCUME~1\COMPAQ~1\Application Data\microsoft
2006-12-31 13:31 159743 --a------ C:\WINDOWS\google pack screensaver uninstaller.exe
2006-12-29 12:03 -------- d-------- C:\Program Files\vmn toolbox 4
2006-12-28 21:40 -------- d-------- C:\Program Files\bittorrent
2006-12-28 14:54 6820584 --a------ C:\Program Files\firefoxgoogletoolbarsetup.exe
2006-12-26 17:46 -------- d-------- C:\Program Files\windows media connect 2
2006-12-26 14:10 -------- d-------- C:\DOCUME~1\COMPAQ~1\Application Data\bittorrent
2006-12-26 14:05 83401 --a------ C:\Program Files\knoppix_v5.0.1dvd-2006-06-01-en.torrent
2006-12-26 13:59 6180013 --a------ C:\Program Files\bittorrent-5.0.3.exe
2006-12-26 13:12 1021504 --a------ C:\WINDOWS\system32\vete.dll
2006-12-26 13:11 645904 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2006-12-26 13:11 115088 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2006-12-22 22:24 47104 --a------ C:\Program Files\atf-cleaner.exe
2006-12-22 18:14 -------- d-------- C:\DOCUME~1\COMPAQ~1\Application Data\mailfrontier
2006-12-21 19:28 381390 --a------ C:\Program Files\combofix.exe
2006-12-20 12:08 1494016 --a------ C:\Program Files\googlewebacceleratorsetup.msi
2006-12-16 23:14 -------- d-------- C:\DOCUME~1\COMPAQ~1\Application Data\mozilla
2006-12-11 12:04 2241451 --a------ C:\Program Files\webcollect_download.exe
2006-12-11 12:04 1983176 --a------ C:\Program Files\vmntoolbox.exe
2006-12-11 12:04 -------- d-------- C:\Program Files\vmntoolbar
2006-12-11 11:54 15505200 --a------ C:\Program Files\ie7-windowsxp-x86-enu.exe
2006-12-11 11:45 878384 --a------ C:\Program Files\wgaplugininstall.exe
2006-12-10 01:34 14888184 --a------ C:\Program Files\avinstall.exe
2006-12-08 21:52 -------- d-------- C:\DOCUME~1\COMPAQ~1\Application Data\template
2006-12-07 09:21 5037072 --a------ C:\Program Files\spybotsd14.exe
2006-12-06 21:29 -------- d-------- C:\DOCUME~1\COMPAQ~1\Application Data\lavasoft
2006-12-06 21:28 -------- d-------- C:\Program Files\lavasoft
2006-12-06 21:23 2855080 --a------ C:\Program Files\aawsepersonal.exe
2006-12-01 20:46 4677544 --a------ C:\Program Files\windows-kb890830-v1.22.exe
2006-12-01 18:42 54856 --a------ C:\Program Files\errornukerinstaller.exe
2006-11-29 16:33 -------- d-------- C:\DOCUME~1\COMPAQ~1\Application Data\msninstaller
2006-11-29 16:15 -------- d-------- C:\DOCUME~1\COMPAQ~1\Application Data\apple computer
2006-11-29 11:25 -------- d-------- C:\DOCUME~1\COMPAQ~1\Application Data\image zone express
2006-11-28 21:39 13714856 --a------ C:\Program Files\zlssetup_65_737_000_en.exe
2006-11-12 17:58 5900416 --a------ C:\Program Files\firefox setup 2.0.exe
2006-11-08 20:16 5375056 --a------ C:\Program Files\spywarenukerxt.exe
2006-11-08 20:07 461312 --a------ C:\Program Files\w removal.doc
2006-11-08 19:59 461312 --a------ C:\Program Files\windowsremovaltoolwp.doc
2006-11-08 00:06 679424 --------- C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --a------ C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --a------ C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --a------ C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --a------ C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 18:08 4257704 --a------ C:\Program Files\windows-kb890830-v1.21.exe
2006-11-07 17:22 8598632 --a------ C:\Program Files\sdsetup.exe
2006-11-07 17:14 13012847 --a------ C:\Program Files\ssftrialsnrsetup5241.zip
2006-11-07 08:42 837184 --a------ C:\Program Files\googletoolbarinstaller.exe
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-01 21:55 8464 --a------ C:\WINDOWS\system32\sporder.dll
2006-10-19 07:18 989584 --a------ C:\Program Files\regcuresetup_46.exe
2006-10-18 15:40 1810824 --a------ C:\Program Files\xoftspyse429_205.exe
2006-10-17 20:14 2383640 --a------ C:\Program Files\xoftspy422_205.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"IDMan"="C:\\Program Files\\Internet Download Manager\\IDMan.exe /onboot"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"RTHDCPL"="RTHDCPL.EXE"
"AlwaysReady Power Message APP"="ARPWRMSG.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
@=""
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"nwiz"="nwiz.exe /install"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SnoopFreeUI"="SnoopFreeUI.exe"
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"PC Pitstop Optimize Scheduler"="C:\\Program Files\\PCPitstop\\Optimize\\PCPOptimize.exe -boot"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"item"="HP Digital Imaging Monitor"
"command"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "
"location"="Common Startup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
"item"="NkbMonitor.exe"
"command"="C:\\Program Files\\Nikon\\PictureProject\\NkbMonitor.exe "
"location"="Common Startup"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Compaq_Administrator.job
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\XoftSpySE.job

Completion time: 07-01-28 12:30:42
C:\ComboFix2.txt ... 07-01-28 12:02
C:\ComboFix3.txt ... 07-01-01 14:16


"Compaq_Administrator" - 07-01-28 11:48:58 Service Pack 2
ComboFix 07-01-25 - Running from: "C:\Documents and Settings\Compaq_Administrator\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-28 to 2007-01-28 ))))))))))))))))))))))))))))))))))


2007-01-26 18:38 <DIR> d-------- C:\Program Files\Mozilla Firefox
2007-01-23 21:40 <DIR> d-------- C:\Program Files\PCPitstop
2007-01-18 17:33 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-01-18 15:24 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-01-15 15:38 <DIR> d-------- C:\Program Files\SpywareGuard
2007-01-14 00:21 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\Application Data\WinPatrol
2007-01-14 00:20 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-01-14 00:20 <DIR> d-------- C:\Program Files\BillP Studios
2007-01-14 00:07 90,112 --a------ C:\WINDOWS\system32\SnoopFreeSvc.exe
2007-01-14 00:07 9,472 --a------ C:\WINDOWS\system32\drivers\SnopFree.sys
2007-01-14 00:07 45,056 --a------ C:\WINDOWS\SnoopFreeDll.dll
2007-01-14 00:07 221,184 --a------ C:\WINDOWS\SnoopFreeUI.exe
2007-01-14 00:05 <DIR> d-------- C:\ie-spyad
2007-01-13 23:56 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-01-11 16:56 <DIR> d-------- C:\WINDOWS\ie7updates
2007-01-08 14:13 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-01-08 12:00 2,880 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-08 11:30 <DIR> d-------- C:\BFU
2007-01-08 11:20 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-07 18:36 <DIR> d-------- C:\Program Files\Grisoft
2007-01-07 18:07 339,257 --a------ C:\Program Files\CleanUp.exe
2007-01-05 14:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\INAC
2007-01-04 22:47 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\MailFrontier
2007-01-04 22:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Lavasoft
2007-01-04 15:00 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-01-04 14:58 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\.housecall6.6
2007-01-04 14:47 <DIR> d-------- C:\HJT
2007-01-04 14:42 218,112 --a------ C:\HijackThis.exe
2007-01-04 14:25 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\Application Data\IDM
2007-01-04 14:25 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\Application Data\DMCache
2007-01-04 14:24 <DIR> d-------- C:\Program Files\Internet Download Manager
2007-01-03 15:35 <DIR> d-------- C:\Program Files\Guild Wars
2007-01-03 11:13 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\Application Data\Uniblue
2007-01-03 11:12 5,553,096 --a------ C:\Program Files\speedupmypc3plib.exe
2006-12-31 13:38 <DIR> d-------- C:\WINDOWS\system32\IOSUBSYS
2006-12-31 13:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Google Updater


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-28 10:49 2010 --a------ C:\DOCUME~1\COMPAQ~1\Application Data\.googlewebacchosts
2007-01-27 06:28 -------- d-------- C:\Program Files\xoftspyse
2007-01-26 21:42 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-01-26 18:23 -------- d-------- C:\Program Files\Common Files\aol
2007-01-14 11:52 -------- d-------- C:\Program Files\google
2007-01-08 14:57 -------- d-------- C:\Program Files\windows defender
2007-01-08 14:57 -------- d-------- C:\Program Files\symantec
2007-01-08 14:56 -------- d-------- C:\Program Files\quicktime
2007-01-08 14:51 -------- d-------- C:\Program Files\messenger
2007-01-08 14:50 -------- d-------- C:\Program Files\itunes
2007-01-08 14:42 -------- d-a------ C:\Program Files\Common Files\lightscribe
2007-01-08 14:37 -------- d-------- C:\DOCUME~1\COMPAQ~1\Application Data\symantec
2007-01-05 19:56 166 --a------ C:\DOCUME~1\COMPAQ~1\Application Data\wklnhst.dat
2007-01-02 14:58 478856 --a------ C:\Program Files\keyscrambler_personal-1.1.7-fx-windows.xpi
2007-01-02 14:35 -------- d-------- C:\Program Files\regcure
2007-01-02 12:25 -------- d-------- C:\Program Files\apple software update
2007-01-01 14:16 360 --a------ C:\Combo.bat
2006-12-31 15:11 -------- d---s---- C:\DOCUME~1\COMPAQ~1\Application Data\microsoft
2006-12-31 13:31 159743 --a------ C:\WINDOWS\google pack screensaver uninstaller.exe
2006-12-29 12:03 -------- d-------- C:\Program Files\vmn toolbox 4
2006-12-28 21:40 -------- d-------- C:\Program Files\bittorrent
2006-12-28 14:54 6820584 --a------ C:\Program Files\firefoxgoogletoolbarsetup.exe
2006-12-26 17:46 -------- d-------- C:\Program Files\windows media connect 2
2006-12-26 14:10 -------- d-------- C:\DOCUME~1\COMPAQ~1\Application Data\bittorrent
2006-12-26 14:05 83401 --a------ C:\Program Files\knoppix_v5.0.1dvd-2006-06-01-en.torrent
2006-12-26 13:59 6180013 --a------ C:\Program Files\bittorrent-5.0.3.exe
2006-12-26 13:12 1021504 --a------ C:\WINDOWS\system32\vete.dll
2006-12-26 13:11 645904 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2006-12-26 13:11 115088 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2006-12-22 22:24 47104 --a------ C:\Program Files\atf-cleaner.exe
2006-12-22 18:14 -------- d-------- C:\DOCUME~1\COMPAQ~1\Application Data\mailfrontier
2006-12-21 19:28 381390 --a------ C:\Program Files\combofix.exe
2006-12-20 12:08 1494016 --a------ C:\Program Files\googlewebacceleratorsetup.msi
2006-12-16 23:14 -------- d-------- C:\DOCUME~1\COMPAQ~1\Application Data\mozilla
2006-12-11 12:04 2241451 --a------ C:\Program Files\webcollect_download.exe
2006-12-11 12:04 1983176 --a------ C:\Program Files\vmntoolbox.exe
2006-12-11 12:04 -------- d-------- C:\Program Files\vmntoolbar
2006-12-11 11:54 15505200 --a------ C:\Program Files\ie7-windowsxp-x86-enu.exe
2006-12-11 11:45 878384 --a------ C:\Program Files\wgaplugininstall.exe
2006-12-10 01:34 14888184 --a------ C:\Program Files\avinstall.exe
2006-12-08 21:52 -------- d-------- C:\DOCUME~1\COMPAQ~1\Application Data\template
2006-12-07 09:21 5037072 --a------ C:\Program Files\spybotsd14.exe
2006-12-06 21:29 -------- d-------- C:\DOCUME~1\COMPAQ~1\Application Data\lavasoft
2006-12-06 21:28 -------- d-------- C:\Program Files\lavasoft
2006-12-06 21:23 2855080 --a------ C:\Program Files\aawsepersonal.exe
2006-12-01 20:46 4677544 --a------ C:\Program Files\windows-kb890830-v1.22.exe
2006-12-01 18:42 54856 --a------ C:\Program Files\errornukerinstaller.exe
2006-11-29 16:33 -------- d-------- C:\DOCUME~1\COMPAQ~1\Application Data\msninstaller
2006-11-29 16:15 -------- d-------- C:\DOCUME~1\COMPAQ~1\Application Data\apple computer
2006-11-29 11:25 -------- d-------- C:\DOCUME~1\COMPAQ~1\Application Data\image zone express
2006-11-28 21:39 13714856 --a------ C:\Program Files\zlssetup_65_737_000_en.exe
2006-11-12 17:58 5900416 --a------ C:\Program Files\firefox setup 2.0.exe
2006-11-08 20:16 5375056 --a------ C:\Program Files\spywarenukerxt.exe
2006-11-08 20:07 461312 --a------ C:\Program Files\w removal.doc
2006-11-08 19:59 461312 --a------ C:\Program Files\windowsremovaltoolwp.doc
2006-11-08 00:06 679424 --------- C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --a------ C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --a------ C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --a------ C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --a------ C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 18:08 4257704 --a------ C:\Program Files\windows-kb890830-v1.21.exe
2006-11-07 17:22 8598632 --a------ C:\Program Files\sdsetup.exe
2006-11-07 17:14 13012847 --a------ C:\Program Files\ssftrialsnrsetup5241.zip
2006-11-07 08:42 837184 --a------ C:\Program Files\googletoolbarinstaller.exe
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-01 21:55 8464 --a------ C:\WINDOWS\system32\sporder.dll
2006-10-19 07:18 989584 --a------ C:\Program Files\regcuresetup_46.exe
2006-10-18 15:40 1810824 --a------ C:\Program Files\xoftspyse429_205.exe
2006-10-17 20:14 2383640 --a------ C:\Program Files\xoftspy422_205.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"IDMan"="C:\\Program Files\\Internet Download Manager\\IDMan.exe /onboot"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"RTHDCPL"="RTHDCPL.EXE"
"AlwaysReady Power Message APP"="ARPWRMSG.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
@=""
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"nwiz"="nwiz.exe /install"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SnoopFreeUI"="SnoopFreeUI.exe"
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"PC Pitstop Optimize Scheduler"="C:\\Program Files\\PCPitstop\\Optimize\\PCPOptimize.exe -boot"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"item"="HP Digital Imaging Monitor"
"command"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "
"location"="Common Startup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
"item"="NkbMonitor.exe"
"command"="C:\\Program Files\\Nikon\\PictureProject\\NkbMonitor.exe "
"location"="Common Startup"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Compaq_Administrator.job
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\XoftSpySE.job

Completion time: 07-01-28 12:02:00
C:\ComboFix2.txt ... 07-01-01 14:16
C:\ComboFix3.txt ... 06-12-29 18:54
 

TSF Security Manager, Emeritus · 42,836 Posts
Hiya JaxMax,

I'm still not seeing anything. Let's see if these tools reveal anything:

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

***************************************************

Download gmer and unzip it to your desktop.

------------------------------------

Please download SREng.


**You may receive a message "The bandwidth limit for this site has been exceeded", please keep trying--eventually you'll get through.

1. Extract it to Desktop & double click SREng.exe to run it

2. Select 'Smart Scan' & tick "Verify Digital Signatures"

3. Click on the [Scan] button

4. When finished, click on the [Save Reports] button & save the log to Desktop

5. Attach the log in your next reply. Don't post it.

You may have to rename SREngLOG.log to SREngLOG.txt to upload it.

----------------------------------------------------

Launch gmer.exe by double-clicking it. Select the rootkit tab & make sure the 'Show All' button is unticked.

Press scan & when it has finished press copy & paste the log back here
 

Registered · 73 Posts · Discussion Starter · #8
SREng/gmer logs

Hello Ried,
Thank you very much for timely replies. I'm having trouble attaching my SREngLOG, nothing happens when I click on the "Manage Attachments" button. Here is the gmer log you've asked for:

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-29 14:57:20
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT 85B62008 ZwAlertResumeThread
SSDT 8573E630 ZwAlertThread
SSDT 85381908 ZwAllocateVirtualMemory
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwCreateKey
SSDT 85724628 ZwCreateMutant
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT 85C317B8 ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteKey
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT 857567E8 ZwFreeVirtualMemory
SSDT 85C4F930 ZwImpersonateAnonymousToken
SSDT 85C56410 ZwImpersonateThread
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwMapViewOfSection
SSDT 85737628 ZwOpenEvent
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT 8575D640 ZwOpenProcessToken
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT 85C286A8 ZwOpenThreadToken
SSDT 855C8628 ZwQueryValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT 84486278 ZwResumeThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT 85393808 ZwSetContextThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT 857526A8 ZwSetInformationProcess
SSDT 857647D8 ZwSetInformationThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSetSystemInformation
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwSetValueKey
SSDT 85743628 ZwSuspendProcess
SSDT 85767790 ZwSuspendThread
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
SSDT 85739630 ZwTerminateThread
SSDT 85C4DBB0 ZwUnmapViewOfSection
SSDT 85730630 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 235C 80501060 8 Bytes [ 08, 20, B6, 85, 30, E6, 73, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 23E4 805010E8 8 Bytes [ 60, 3C, BD, F3, E0, 9E, BD, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 23ED 805010F1 3 Bytes [ A1, BD, F3 ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2424 80501128 8 Bytes [ 50, 09, BD, F3, B0, 46, D3, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2514 80501218 8 Bytes [ A0, 99, BD, F3, 40, D6, 75, ... ]
.text ...
.text ntkrnlpa.exe!ZwYieldExecution + 2834 80501060 8 Bytes [ 08, 20, B6, 85, 30, E6, 73, ... ]
.text ntkrnlpa.exe!ZwYieldExecution + 28BC 805010E8 8 Bytes [ 60, 3C, BD, F3, E0, 9E, BD, ... ]
.text ntkrnlpa.exe!ZwYieldExecution + 28C5 805010F1 3 Bytes [ A1, BD, F3 ]
.text ntkrnlpa.exe!ZwYieldExecution + 28FC 80501128 8 Bytes [ 50, 09, BD, F3, B0, 46, D3, ... ]
.text ntkrnlpa.exe!ZwYieldExecution + 29EC 80501218 8 Bytes [ A0, 99, BD, F3, 40, D6, 75, ... ]
.text ...

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F3BE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F3BE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F3BE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F3BE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F3BE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F3BE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F3BE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F3BE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F3BE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F3BE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F3BE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F3BE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F3BE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F3BE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F3BE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F3BE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F3BE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F3BE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F3BE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F3BE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F3BE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F3BE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F3BE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F3BE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F3BE52A0] vsdatant.sys

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\Compaq_Administrator\Favorites\Google.url:favicon
ADS C:\Documents and Settings\Compaq_Administrator\Favorites\http--majorgeeks.com-downloads29.html.url:favicon
ADS C:\Documents and Settings\Compaq_Administrator\Favorites\Tech Support Forum.url:favicon
ADS C:\Documents and Settings\Compaq_Administrator\Favorites\Yahoo!.url:favicon

---- EOF - GMER 1.0.12 ----
 

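The GMER listing above is easier to read mechanically than by eye. Every SSDT hook it reports is owned either by a named driver (vsdatant.sys is the TrueVector driver that ZoneAlarm installs, SYMEVENT.SYS is Symantec's event driver) or by a bare kernel address that GMER could not map to a loaded module, and the Devices section shows the same vsdatant.sys sitting on the IRP dispatch entries of the TCP/IP devices, which is how a host firewall filters traffic. The script below is an added example (not part of the thread and not a GMER tool) that parses those two sections, groups hooks by owning module and separates out the unattributed ones. The sample input is a constructed excerpt copied from the posted log.

```python
"""Triage of the 'SSDT' and 'Devices' sections of a GMER 1.0.x log.

Added example, not from the forum thread or from GMER.  SAMPLE_LOG is a
constructed excerpt of the log posted above.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the posted GMER log.
SAMPLE_LOG = r"""---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteKey
SSDT 857567E8 ZwFreeVirtualMemory
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT 85C4DBB0 ZwUnmapViewOfSection

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F3BE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F3BE52A0] vsdatant.sys
"""

# GMER on 32-bit XP prints an unattributed hook owner as an 8-digit hex address.
HEX_ADDR = re.compile(r"^[0-9A-Fa-f]{8}$")
DEVICE_LINE = re.compile(
    r"^Device (?P<driver>\S+) (?P<device>\S+) (?P<irp>IRP_MJ_\w+) "
    r"\[(?P<addr>[0-9A-Fa-f]+)\] (?P<module>\S+)$"
)


def module_name(owner: str) -> str:
    """Last component of a kernel-style path, e.g. \\SystemRoot\\...\\x.sys -> x.sys."""
    return owner.rsplit("\\", 1)[-1]


def parse_ssdt(text):
    """Yield (syscall, owner, attributed) for each 'SSDT <owner> <Zw*>' line.

    <owner> may contain spaces (Program Files), so the syscall name is split
    off from the right rather than the owner from the left.
    """
    for line in text.splitlines():
        if not line.startswith("SSDT "):
            continue
        owner, syscall = line[5:].rsplit(" ", 1)
        yield syscall, owner, not HEX_ADDR.match(owner)


def parse_devices(text):
    """Yield one dict per 'Device ... IRP_MJ_* [addr] module' line."""
    for line in text.splitlines():
        m = DEVICE_LINE.match(line)
        if m:
            yield m.groupdict()


def summarize(text):
    """Group SSDT hooks by owning module, list the unattributed ones, and
    map each IRP-hooking driver to the device objects it sits on."""
    by_module = defaultdict(list)
    unattributed = []
    for syscall, owner, attributed in parse_ssdt(text):
        if attributed:
            by_module[module_name(owner)].append(syscall)
        else:
            unattributed.append((syscall, owner))
    irp_by_driver = defaultdict(set)
    for d in parse_devices(text):
        irp_by_driver[d["module"]].add(d["device"])
    return {
        "ssdt_by_module": dict(by_module),
        "unattributed": unattributed,
        "irp_by_driver": {k: sorted(v) for k, v in irp_by_driver.items()},
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for mod, calls in s["ssdt_by_module"].items():
        print(f"{mod}: {len(calls)} SSDT hooks ({', '.join(calls)})")
    for syscall, addr in s["unattributed"]:
        print(f"UNATTRIBUTED SSDT hook: {syscall} -> {addr}")
    for drv, devs in s["irp_by_driver"].items():
        print(f"{drv} filters IRPs on: {', '.join(devs)}")
```

An unattributed hook is not by itself evidence of a rootkit: on this machine several other products (the AVG Anti-Spyware guard, SnoopFree) also hook the kernel and could own those addresses. It is, however, the first thing to account for, and the grouped view makes it obvious when one driver is responsible for most of the table.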
Registered · 73 Posts · Discussion Starter · #9
SREngLOG

Hello again Ried,
I managed to figure out the attachment thing. The SREngLOG is right down there in the Attach Files box. I hope that works and contains some information for you. OK Thanks, Jack
 


TSF Security Manager, Emeritus · 42,836 Posts
Hi Jack,

Yes, the log attached just fine. I'm not finding anything in any of these logs. :sayno:

First, let's address the issue of running 2 Anti Virus programs--Norton Internet Security and CAIsafe by Zonelabs. While it may seem to be added protection for you, more than one Anti Virus and Firewall can cause conflicts and confusion between the programs as well as system instability. Please choose and run only one and uninstall the other via the Add/Remove Programs in the Control Panel.

-----------------------------------------

Next, please ensure AVG Anti-Spyware has the latest definitions:

Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

----------------------------------------------------------

Please reboot into Safe Mode to run the scan with AVG A-S:

Now run the scan:
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, **Please ensure it is set to Quarantine then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).
--------------------------------------------------------------------

Reboot into Normal Mode.

--------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on
    located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on
    then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

AVG Anti-Spyware results
Panda results
New HijackThis log
 

Registered · 73 Posts · Discussion Starter · #11
Uninstalled Norton/Ran scans

Ried,
Hello once again. I decided to get rid of Norton since it was expired and I've read good things about Zone Alarm. I was getting nervous because you hadn't found anything and the scans were turning up nothing. The Panda scan saved me at least from considering the state of my own sanity by finding two objects of concern. Mozilla still is unresponsive, it starts to open then prompts me to restore an old session or start a new one. Either choice leads to nothing although my task manager tells me Firefox is running.

Also, I'm still getting a lot of warnings from Zone and SpyBot about BHOs upon boot up. So, there you go. Your help is appreciated. Jack.

Here are the logs:


Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Compaq_Administrator\My Documents\Downloads\Programs\nircmd.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

AVG Anti-Spyware - Scan Report

+ Created at: 2:03:29 PM 1/30/2007

+ Scan result:

Nothing found.

::Report end


Logfile of HijackThis v1.99.1
Scan saved at 4:05:43 PM, on 1/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.dogpile.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://renewalcenter.symantec.com/s...locale=iso:USA&vendid=002&vendtag=EX325AA-ABA
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.aim.com
O15 - Trusted Zone: www.myspace.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156045091578
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4942/mcfscan.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 

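Nothing in the HijackThis log above is obviously hostile, but a log of this length is where things get missed when it is read by eye. The script below is an added example (not from the thread and not a HijackThis feature) that applies this editor's own triage rules to HJT 1.99 lines: entries whose file is gone, a proxy auto-config URL, autoruns whose command has no directory, Trusted Zone sites, ActiveX controls with no source URL, AppInit_DLLs / Winlogon Notify DLLs, and services with no publisher. The sample is a constructed excerpt of the log posted above. In this particular log the AutoConfigURL at localhost:9100 almost certainly belongs to the Google Web Accelerator that also appears in the process list, and the "Unknown owner" service is SnoopFree; the rules still surface them because those are exactly the places a hijack would sit.

```python
"""Rule-based triage of HijackThis 1.99 log lines.

Added example, not from the thread or from HijackThis; the verdicts are this
editor's own heuristics.  SAMPLE_HJT is a constructed excerpt of the log
posted above.
"""
import re

SAMPLE_HJT = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: www.myspace.com
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} -
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# HJT marks a registered object whose file is gone with one of these tags.
ORPHAN = re.compile(r"\((no file|file missing)\)", re.IGNORECASE)
# The [Name] tag that precedes the command in an O4 Run entry.
AUTORUN_TAG = re.compile(r"^\[[^\]]*\]\s*")


def autorun_image(body: str) -> str:
    """Executable from an O4 body of the form 'HKLM\\..\\Run: [Name] <command>'."""
    cmd = AUTORUN_TAG.sub("", body.split(": ", 1)[1])
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage_line(line):
    """Return (section, verdict, reason) or None when the line needs no attention."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    sec, body = m.group("section"), m.group("body")
    if ORPHAN.search(body):
        return sec, "fix", "dangling entry: the registered file no longer exists"
    if sec == "R1" and "AutoConfigURL" in body:
        return sec, "review", "proxy auto-config script decides where every browser request goes"
    if sec == "O4" and "Run: " in body and "\\" not in autorun_image(body):
        return sec, "review", "autorun command has no directory; resolved via the search path at logon"
    if sec == "O15":
        return sec, "review", "site in the IE Trusted Zone runs with relaxed security settings"
    if sec == "O16" and body.rstrip().endswith("-"):
        return sec, "fix", "downloaded ActiveX control with no source URL"
    if sec == "O20":
        return sec, "review", "AppInit_DLLs / Winlogon Notify DLL is loaded into every process or at logon"
    if sec == "O23" and "Unknown owner" in body:
        return sec, "review", "service binary carries no publisher information"
    return None


def triage(text):
    """All findings as (section, verdict, reason, original line), in log order."""
    findings = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append(hit + (line.strip(),))
    return findings


if __name__ == "__main__":
    for sec, verdict, reason, line in triage(SAMPLE_HJT):
        print(f"{verdict:6} {sec:3} {reason}\n       {line}")
```

"fix" entries are dead weight that HijackThis can remove safely; "review" entries are legitimate on a clean machine but are where a redirect, an injected DLL or an unsigned service would show up, so each one should be matched against a known product before it is left alone.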
TSF Security Manager, Emeritus · 42,836 Posts
The entry for HP, C:\hp\bin\KillIt.exe, is legit but I'd like to see more opinions about nircmd.exe.

Upload this file C:\Documents and Settings\Compaq_Administrator\My Documents\Downloads\Programs\nircmd.exe to http://virusscan.jotti.org and report back what it found.

At the top of the window you should see "File to Upload & scan" and a blank box. Copy and paste the red text from above into the box. Then click "submit".

When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" here.

----------------------------------------------------

Let's clear Spybot's TeaTimer:

Using Internet Explorer, download ResetTeaTimer.bat.

If you are using Firefox, right click the above link and choose ‘Save As’. Save it to your desktop.

Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

-------------------------------

I'd like you to run a scan with Spybot and post that log here.
 

Registered · 73 Posts · Discussion Starter · #13
nircmd.exe and SpyBot

OK,
I ran the scans like you asked, SpyBot found just two registry keys from uninstalling Norton. I think everything is running pretty well on this thing right now with the exception of FireFox not opening. Any thoughts? Here are the results:

Service load: 0% 100%

File: nircmd.exe_
Status: OK(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 52903f11f704e68fc8a20745a7e63664
Packers detected: UPX

Scanner results
Scan taken on 31 Jan 2007 21:51:31 (GMT)
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found nothing




- Report generated: 2007-01-31 17:56 ---

Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter.FirewallDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-12-07 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-01-02 advcheck.dll (1.2.0.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-01-12 Includes\Cookies.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2007-01-12 Includes\DialerC.sbi (*)
2006-11-24 Includes\Hijackers.sbi (*)
2007-01-12 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-01-12 Includes\KeyloggersC.sbi (*)
2007-01-12 Includes\Malware.sbi (*)
2007-01-12 Includes\MalwareC.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2007-01-12 Includes\PUPSC.sbi (*)
2007-01-12 Includes\Revision.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2007-01-12 Includes\SecurityC.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2007-01-12 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-12-08 Includes\Trojans.sbi (*)
2007-01-12 Includes\TrojansC.sbi (*)
 

TSF Security Manager, Emeritus · 42,836 Posts
Have you tried uninstalling, then re-installing Firefox?
 

Registered · 73 Posts · Discussion Starter · #15
FireFox

Ried,
I have tried un/reinstalling FireFox, several times. I think I'll try again, I do prefer it to IE.

I was thinking about the boot-up issues. I know that two of the things that Zone Alarm warns me about were items that I got rid of with HJT on my first run (also by searching with Start/Search to make sure they were gone). One is a BHO and the other is a rnnypbw.exe that I spoke of at the beginning of this thread. Obviously I'm confused as to why they want to re-insert themselves on my computer, but further, since I always deny them access, would they end up undetected by HJT and other scans? And where exactly do they reside on my hard drive once denied or before booting?

If I rebooted and allowed these things to be loaded would they then be "visible" to HJT, or would they simply wreak havoc before they could be detected and fixed (I don't see any of these things when booting into Safe Mode)?

I don't want to waste your time, you've been very patient so far. I'm just wondering about these squirrely problems. Thanks, Jack.
 

TSF Security Manager, Emeritus · 42,836 Posts
That's what I've been trying to figure out, Jack. :sigh: If you're denying access, then that explains why I'm not seeing it in the HJT log, but as you mentioned--something is there that is calling these out and I would have expected to see the spawning file or entry in one of these many logs and scans. It is possible that Windows Defender interfered with the registry changes when your system was cleaned last time and it could be responsible for this.

Here's the plan....

Let's start by creating a restore point right now. Do not clear your old restore points, just create another one now and name it something you'll remember.

Click Start>All Programs>Accessories>System Tools and select System Restore from the drop-down menu.

Select 'Create a Restore Point' and follow the on screen prompts.

--------------------------------------------------------------

Before we take the unconventional route of allowing it into your system, I'd like you to uninstall Windows Defender first, reboot, and see if you still get those Alerts from ZoneAlarm.

If you still do, then we'll go with your plan of allowing them access. Once you've allowed access, run a scan with combofix.exe first, then the HijackThis scan, and post both logs here. Hopefully we'll see something.

I'll be online for the next few hours. :sayyes:
 

Registered · 73 Posts · Discussion Starter · #17 · (Edited)
Defender: Gone/Problems: Gone

Ried,
Well, well, well, you hit the nail on the head with that one!:grin: I uninstalled Windows Defender and re-booted. I saw no pop-ups from Zone Alarm. Also, I removed FireFox and reinstalled it and it too is working now! Ye-Ha! Everything looks to be normal right now. Thanks Much.

Let's see if I have this right...It looks from my point that even though I had disabled Norton's anti-virus (or perhaps I forgot), it was interfering with Zone Alarm, which resulted in slow movement and hanging programs. Windows Defender had unintentionally blocked some of the fixes from my first session. Wow, what a mess. Anyhow, I'm going to run through a few things to make sure all is well. Let me know if we are done. Brilliant! OK, Jack.
 

TSF Security Manager, Emeritus · 42,836 Posts
:woot: I'd say we're done, but I'll leave this thread open for a few more days while you check things out. Let me know how the system is performing over the next couple of days.
 

Registered · 73 Posts · Discussion Starter · #19
Things are good.

Ried,
Everything seems to be zipping right along now, thanks for your help. It seems I was a bit premature in my celebration about FireFox though. I am able to open it one time after booting up (albeit it runs rather slowly) and then, from what I've been able to deduce, my profile becomes "locked". I've found some information on the TSF area about Mozilla. Hopefully I can get this sorted out. Anyhow, thanks again and stay warm. Jack.
 

TSF Security Manager, Emeritus · 42,836 Posts
That's what I would suggest, Jack--let the folks in the Mozilla/Firefox Browsers help you out with that issue.

stay warm.
:laugh: You're nice and 'toasty' down in Columbus....

Here in NorthEast Ohio we're at -20F with the wind-chill. :grin:

Take care. :wave:
 