Author Topic: Yet another Yoog victim (Read 39588 times)

Andy k · « **on:** December 06, 2008, 04:17:16 PM »

Let me start by saying: I am soooo glad I found this place!!!! been lurking for about 3 hours now, and learned boatloads

I'm attempting to fix my parents computer that recently fell under attack by this Yoog Search thingy. I'm not sure where the problem initiated from, but my father downloads more music that anyone could ever listen to, from limewire...just to have it. My mother is about 11% computer literate and loves to open E-mails. Little brother is 18 and this was the only comp available to him for the last 6ish years ( yeah.. you know what I mean).

So onto the description. First thing that was noticed is that the "Wallpaper" has changed to the ACTIVE DESKTOP RECOVERY form and does not wish to change. Right after the wallpaper disapeers on start-up we get an ERROR message that VIEWMGR.exe can no longer function ( i know that somethings use viewmgr.exe as a disguise) and an ERROR message that SUPER ANTI SPYWARE can no longer function.

I tried to run Spybot only to find out everything in the Spybot folder was still there execpt the actual program ( weird). Before I found this site, someone suggested we try ThreatFire. TF found a handful of things but none that fixed our problems here.

My biggest issue that I didnt see mentioned in the other threads was that I can only view cached websites. If I click an active link it either redirects to an advertisment or tells me that the page is unable to be viewed. I managed to install Highjack after a fiew attempts, but I was unable to get either of the combofix links to direct me. I also havent tried to install Malwarebytes yet, I dont want to get to far ahead of myself.

So here's my log, I'll be awaiting further instruction:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:33:13 PM, on 12/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\ppcbooster\ppcb_32.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\svchost.exe
C:\program files\mozilla firefox\firefox.exe
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Documents and Settings\HP_Administrator\Desktop\Downloads\HJTInstall.exe
C:\Documents and Settings\HP_Administrator\Desktop\Downloads\HJTInstall.exe
C:\Documents and Settings\HP_Administrator\Desktop\Downloads\HJTInstall.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/MemberHome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winloggn.exe
O4 - HKLM\..\Run: [qlqiekxyksywczo] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\fpnxbexlxzfd.dll"
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [VnrBlock21] "C:\Program Files\VnrBlock\VnrBlock21.exe"
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: ppcb_32.lnk = C:\Program Files\ppcbooster\ppcb_32.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Compone...EngineQuery.dll
O18 - Protocol: mediaman - {F00B23B6-E372-4227-BCD9-CDC32EA1521E} - C:\Program Files\MediaMan\CoMProt.dll
O20 - AppInit_DLLs: stwtft.dll
O22 - SharedTaskScheduler: KJhaiufhw3nrih7wefywjfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - (no file)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9612 bytes

guestolo · « **Reply #1 on:** December 06, 2008, 04:29:09 PM »

Let's try Malwarebyte's first and see what steps we can do from there
download Malwarebytes' Anti-Malware from Here or Here
Save the installer to desktop

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

With that log
Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
It may be named dds.pif or dds.com, depending on the download, if one won't run, try another download location

When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
Save both reports to your desktop.

1. DDS.txt
2. Attach.txt
[/list]

Post those logs too please

Andy k · « **Reply #2 on:** December 06, 2008, 07:00:01 PM »

Neither of your options let me download MBAM directly or link to another page, so I went to Download.com and got it ( i dont know why that worked and not the others). Now I am having the same problem I did with the Highjack, I double click the .exe and I get the " RUN or CANCEL " prompt, I click RUN and I get the pointer with an hourglass and then the hour glass disappears and it's like I never clicked it. There are no anti-anythings running or even installed right now.

guestolo · « **Reply #3 on:** December 07, 2008, 10:01:29 AM »

Move on to the next step please
Try running dds.scr or dds.com or dds.pif

Andy k · « **Reply #4 on:** December 07, 2008, 01:12:08 PM »

Now I am unable to even get the computer to start up. It's an HP media center comp and gets to the welcome screen and sits permanently. I forgot to mention that earlier. I was able to get passed that screen once every 3 times or so, now its stuck. Sometimes its sits a black screen before getting to the welcome screen. There is a cursor on both that is responsive.

guestolo · « **Reply #5 on:** December 07, 2008, 01:20:44 PM »

Are you able to get to safe mode?
When the computer is restarting, right after the single post beep
Start tapping the F8 key
Select Safe mode from the options

Andy k · « **Reply #6 on:** December 07, 2008, 01:35:49 PM »

I guess this was the 3rd attempt ( 3rd time is a charm). I got it to boot normally now, and it looks like my Dad tried to install and run Spybot after I left.
I'll try to run those DD's

Edit: nvermind i re-read. I cant open any of those links for DDS though from the infected comp. I'm going to put it on a CD from my working comp and try and run it that way

guestolo · « **Reply #7 on:** December 07, 2008, 01:43:55 PM »

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
It may be named dds.pif or dds.com, depending on the download, if one won't run, try another download location

When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
Save both reports to your desktop.

1. DDS.txt
2. Attach.txt
[/list]

Please post those logs if you can get them to run

guestolo · « **Reply #8 on:** December 07, 2008, 01:54:05 PM »

Do you have ComboFix.exe on this computer?

Andy k · « **Reply #9 on:** December 07, 2008, 02:08:35 PM »

I put ComboFix on a CD but it doesnt seem to want to run from that either.

DDS.txt

DDS (Version 1.0) - NTFSx86
Run by HP_Administrator at 13:59:25.39 on Sun 12/07/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.259 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\regsvr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\ppcbooster\ppcb_32.exe
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\HP\KBD\KBD.EXE
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\program files\mozilla firefox\firefox.exe
E:\ComboFix.exe
E:\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.netflix.com/MemberHome
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {1201671d-f4c1-433c-8953-f657eeb79e2f} - c:\windows\system32\raabmo.dll
BHO: {13638437-AC6B-EDC4-A908-1161AF0DDF86} - c:\windows\system32\fpnxbexlxzfd.dll
BHO: {2A1CD23B-824B-41A9-BFA5-60CF1CCB2C8A} - c:\windows\system32\ljJASKeE.dll
BHO: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\vtUnmLDv.dll
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [xsjfn83jkemfofght] c:\docume~1\hp_adm~1\locals~1\temp\winloggn.exe
uRun: [VnrBlock21] "c:\program files\vnrblock\VnrBlock21.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [sysrest32.exe] c:\windows\system32\sysrest32.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [xsjfn83jkemfofght] c:\docume~1\hp_adm~1\locals~1\temp\winloggn.exe
mRun: [qlqiekxyksywczo] c:\windows\system32\regsvr32.exe /s "c:\windows\system32\fpnxbexlxzfd.dll"
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\ppcb_32.lnk - c:\program files\ppcbooster\ppcb_32.exe
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\spybot\spybot - search & destroy\advcheck.dll
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\spybot\spybot - search & destroy\aports.dll
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\spybot\spybot - search & destroy\blindman.exe
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\spybot\spybot - search & destroy\borlndmm.dll
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\spybot\spybot - search & destroy\Default configuration.ini
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\spybot\spybot - search & destroy\delphimm.dll
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\spybot\spybot - search & destroy\messages.zres
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\spybot\spybot - search & destroy\OptOut.ini
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\spybot\spybot - search & destroy\SDHelper.dll
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\spybot\spybot - search & destroy\SpybotSD.exe
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\spybot\spybot - search & destroy\spybotsd.xml
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\spybot\spybot - search & destroy\TeaTimer.exe
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\spybot\spybot - search & destroy\Tools.dll
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\spybot\spybot - search & destroy\unins000.dat
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\spybot\spybot - search & destroy\unins000.exe
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\spybot\spybot - search & destroy\UnzDll.dll
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\spybot\spybot - search & destroy\Update.exe
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\spybot\spybot - search & destroy\ZipDll.dll
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\spybot\spybot - search & destroy\dummies\dummy.cd_clint.dll
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\spybot\spybot - search & destroy\dummies\dummy.dap.gif
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\spybot\spybot - search & destroy\dummies\dummy.data.xml
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\spybot\spybot - search & destroy\dummies\dummy.default.gif
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\spybot\spybot - search & destroy\dummies\dummy.related.htm
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: NoDispBackgroundPage = 1 (0x1)
uPolicies-system: NoDispScrSavPage = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: mediaman - {F00B23B6-E372-4227-BCD9-CDC32EA1521E} - c:\program files\mediaman\CoMProt.dll
Notify: igfxcui - igfxdev.dll
Notify: vtUnmLDv - vtUnmLDv.dll
AppInit_DLLs: stwtft.dll raabmo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\vtUnmLDv.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ljJASKeE

============= SERVICES / DRIVERS ===============

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2005-5-16 85248]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys []
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2008-4-8 24652]

=============== Created Last 30 ================

2008-12-06 17:00   107,008   a-------   c:\windows\system32\raabmo.dll
2008-12-06 17:00   107,008   a-------   c:\windows\system32\jmmettub.dll
2008-12-06 16:58   120   ---sh---   c:\windows\system32\alpnokoi.ini
2008-12-06 16:58   72,192   a-------   c:\windows\system32\iokonpla.dll
2008-12-06 15:32   <DIR>   --d-----   c:\program files\Trend Micro
2008-12-06 09:38   <DIR>   --d-----   c:\program files\ThreatFire
2008-12-06 09:38   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\PC Tools
2008-12-05 16:57   1,479,831   ---sh---   c:\windows\system32\nxkpirvb.ini
2008-12-05 16:57   107,520   a-------   c:\windows\system32\stwtft.dll
2008-12-05 16:57   107,520   a-------   c:\windows\system32\wnsymeqw.dll
2008-12-05 16:54   906,236   a--sh---   c:\windows\system32\EeKSAJjl.ini
2008-12-05 16:54   906,220   a--sh---   c:\windows\system32\EeKSAJjl.ini2
2008-12-05 16:54   237,568   a-------   c:\windows\system32\ljJASKeE.dll
2008-12-05 16:49   39,936   a-------   c:\windows\system32\nnnMEutU.dll
2008-12-05 16:49   <DIR>   --d-----   c:\program files\VnrBlock
2008-12-05 16:49   <DIR>   --d-----   c:\program files\iCheck
2008-12-05 16:49   16,384   a-------   c:\windows\gbg033414.exe
2008-12-05 16:49   16,384   a-------   c:\windows\wuan364443.exe
2008-12-05 16:49   16,384   a-------   c:\windows\hw5305.exe
2008-12-05 16:49   16,384   a-------   c:\windows\feoc827.exe
2008-12-05 16:49   16,384   a-------   c:\windows\ykgee3362.exe
2008-12-05 16:48   65,024   a-------   c:\windows\system32\opnnkHYo.dll
2008-12-05 16:48   54,255   a-------   c:\windows\c20232.exe
2008-12-05 16:48   39,936   a-------   c:\windows\system32\vtUnmLDv.dll
2008-12-05 16:48   16,384   a-------   c:\windows\gu58826.exe
2008-12-05 16:48   53,942   a-------   c:\windows\system32\cont_adsoftinc-remove.exe
2008-12-05 16:48   47,581   a-------   c:\windows\system32\pxdiarhejodnod.exe
2008-12-05 16:48   7,680   a-------   c:\windows\o255.exe
2008-12-05 16:48   <DIR>   --d-----   c:\program files\ppcbooster
2008-12-05 16:48   84,982   a-------   c:\windows\vtj708346.exe
2008-12-05 16:48   192,820   a-------   c:\windows\nohh06760.exe
2008-12-03 06:46   368,128   a-------   c:\windows\system32\fpnxbexlxzfd.dll
2008-12-02 11:13   672,256   a-------   c:\windows\system32\nso39A.dll
2008-11-12 03:57   455,296   --------   c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 03:57   1,106,944   --------   c:\windows\system32\dllcache\msxml3.dll

==================== Find3M ====================

2008-10-26 10:50   93,511   a-------   c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-26 10:49   45,056   a-------   c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\uninstallui\eHelpSetup.exe
2008-10-26 10:49   44,032   a-------   c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\scripts\devcon.exe
2008-10-24 06:21   455,296   a-------   c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 14:13   1,809,944   a-------   c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13   202,776   a-------   c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12   323,608   a-------   c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12   561,688   a-------   c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09   92,696   a-------   c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09   51,224   a-------   c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08   34,328   a-------   c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06   268,648   a-------   c:\windows\system32\mucltui.dll
2008-10-16 14:06   208,744   a-------   c:\windows\system32\muweb.dll
2008-10-15 11:34   337,408   --------   c:\windows\system32\dllcache\netapi32.dll
2008-10-03 12:41   6,066,176   --------   c:\windows\system32\dllcache\ieframe.dll
2008-09-30 16:43   1,286,152   a-------   c:\windows\system32\msxml4.dll
2008-09-15 07:12   1,846,400   a-------   c:\windows\system32\win32k.sys
2008-09-15 07:12   1,846,400   --------   c:\windows\system32\dllcache\win32k.sys
2008-09-09 20:14   1,307,648   --------   c:\windows\system32\msxml6.dll
2008-09-09 20:14   1,307,648   --------   c:\windows\system32\dllcache\msxml6.dll
2008-08-06 16:20   738   a-------   c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2008-02-22 15:50   630,784   a-------   c:\documents and settings\hp_administrator\GoToAssist_chat2way__317_en.exe
2008-01-15 15:36   557,056   a-------   c:\documents and settings\hp_administrator\GoToAssist_phone__317_en.exe
2008-01-11 10:25   20   ----h---   c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2007-06-20 18:30   141   a-------   c:\documents and settings\hp_administrator\2950.bat

============= FINISH: 14:03:21.48 ===============

ATTACH

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 3/8/2008 3:07:47 PM
System Uptime: 12/7/2008 1:31:02 PM (1 hours ago)

Motherboard: ASUSTek Computer INC. | | LIMESTONE
Processor: Intel® Pentium® D CPU 2.80GHz | Socket

775 | 2800/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 225 GiB total, 181.701 GiB free.
D: is FIXED (FAT32) - 8 GiB total, 1.404 GiB free.
E: is CDROM (UDF)
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
L: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP12: 12/5/2008 4:54:17 PM - System Checkpoint
RP13: 12/5/2008 4:54:18 PM - Last good restore point
RP14: 12/5/2008 4:54:19 PM - System Checkpoint
RP15: 12/5/2008 4:54:20 PM - Software Distribution Service 3.0
RP16: 12/5/2008 4:54:21 PM - Software Distribution Service 3.0
RP17: 12/5/2008 4:54:26 PM - System Checkpoint
RP18: 12/5/2008 4:54:27 PM - Software Distribution Service 3.0
RP19: 12/5/2008 4:54:29 PM - Printer Driver Send To Microsoft OneNote

Driver Installed
RP20: 12/5/2008 4:54:30 PM - System Checkpoint
RP21: 12/5/2008 4:54:31 PM - System Checkpoint
RP22: 12/5/2008 4:54:32 PM - System Checkpoint
RP23: 12/5/2008 4:54:34 PM - System Checkpoint
RP24: 12/5/2008 4:54:35 PM - System Checkpoint
RP25: 12/5/2008 4:54:36 PM - System Checkpoint
RP26: 12/5/2008 4:54:37 PM - System Checkpoint
RP27: 12/5/2008 4:54:39 PM - System Checkpoint
RP28: 12/5/2008 4:54:40 PM - System Checkpoint
RP29: 12/5/2008 4:54:41 PM - System Checkpoint
RP30: 12/5/2008 4:54:43 PM - System Checkpoint
RP31: 12/5/2008 4:54:44 PM - System Checkpoint
RP32: 12/5/2008 4:54:45 PM - Configured PC-Doctor for Windows
RP33: 12/5/2008 4:54:47 PM - System Checkpoint
RP34: 12/5/2008 4:54:48 PM - System Checkpoint
RP35: 12/5/2008 4:54:50 PM - System Checkpoint
RP36: 12/5/2008 4:54:52 PM - System Checkpoint
RP37: 12/5/2008 4:54:54 PM - System Checkpoint
RP38: 12/5/2008 4:54:55 PM - System Checkpoint
RP39: 12/5/2008 4:54:56 PM - System Checkpoint
RP40: 12/5/2008 4:54:56 PM - System Checkpoint
RP41: 12/5/2008 4:54:58 PM - System Checkpoint
RP42: 12/5/2008 4:54:59 PM - System Checkpoint
RP43: 12/5/2008 4:55:00 PM - Installed Java(tm) 6 Update 7
RP44: 12/5/2008 4:55:01 PM - Installed OpenOffice.org Installer 1.0
RP45: 12/5/2008 4:55:02 PM - Installed MediaMan
RP46: 12/5/2008 4:55:04 PM - System Checkpoint
RP47: 12/5/2008 4:55:05 PM - Installed Verizon Media Manager
RP48: 12/5/2008 4:55:06 PM - System Checkpoint
RP49: 12/5/2008 4:55:08 PM - Software Distribution Service 3.0
RP50: 12/5/2008 4:55:10 PM - System Checkpoint
RP51: 12/5/2008 4:55:12 PM - Installed Microsoft Office Live Meeting

2005
RP52: 12/5/2008 4:55:13 PM - System Checkpoint
RP53: 12/5/2008 4:55:15 PM - System Checkpoint
RP54: 12/5/2008 4:55:16 PM - System Checkpoint
RP55: 12/5/2008 4:55:18 PM - System Checkpoint
RP56: 12/5/2008 4:55:19 PM - Software Distribution Service 3.0
RP57: 12/5/2008 4:55:20 PM - Software Distribution Service 3.0
RP58: 12/5/2008 4:55:20 PM - System Checkpoint
RP59: 12/5/2008 4:55:22 PM - Removed Windows Media Player Firefox

Plugin
RP60: 12/5/2008 4:55:23 PM - Windows Media Center Update
RP61: 12/5/2008 4:55:23 PM - Installed Windows Media Player 10

KB903157.
RP62: 12/5/2008 4:55:24 PM - Installed Windows XP Media Center Edition

2005 Update Rollup 2.
RP63: 12/5/2008 4:55:28 PM - Installed Windows Media Player 11
RP64: 12/5/2008 4:55:28 PM - Installed Windows XP Media Center Edition

2005 KB925766.
RP65: 12/5/2008 4:55:30 PM - Installed Windows XP Wudf01000.
RP66: 12/5/2008 4:55:31 PM - Installed Windows XP MSCompPackV1.
RP67: 12/5/2008 4:55:32 PM - Installed SUPERAntiSpyware Free Edition
RP68: 12/5/2008 4:55:33 PM - Software Distribution Service 3.0
RP69: 12/5/2008 4:55:35 PM - Software Distribution Service 3.0
RP70: 12/5/2008 4:55:35 PM - Software Distribution Service 3.0
RP71: 12/5/2008 4:55:36 PM - System Checkpoint
RP72: 12/5/2008 4:55:37 PM - System Checkpoint
RP73: 12/5/2008 4:55:38 PM - System Checkpoint
RP74: 12/5/2008 4:55:40 PM - System Checkpoint
RP75: 12/5/2008 4:55:41 PM - System Checkpoint
RP76: 12/5/2008 4:55:42 PM - System Checkpoint
RP77: 12/5/2008 4:55:42 PM - System Checkpoint
RP78: 12/5/2008 4:55:43 PM - System Checkpoint
RP79: 12/5/2008 4:55:45 PM - System Checkpoint
RP80: 12/5/2008 4:55:47 PM - Removed MediaMan
RP81: 12/5/2008 4:55:49 PM - Installed MediaMan
RP82: 12/5/2008 4:55:51 PM - System Checkpoint
RP83: 12/5/2008 4:55:53 PM - System Checkpoint
RP84: 12/5/2008 4:55:55 PM - System Checkpoint
RP85: 12/5/2008 4:55:57 PM - System Checkpoint
RP86: 12/5/2008 4:55:58 PM - System Checkpoint
RP87: 12/5/2008 4:55:59 PM - Software Distribution Service 3.0
RP88: 12/5/2008 4:56:00 PM - System Checkpoint
RP89: 12/5/2008 4:56:02 PM - System Checkpoint
RP90: 12/5/2008 4:56:03 PM - System Checkpoint
RP91: 12/5/2008 4:56:04 PM - System Checkpoint
RP92: 12/5/2008 4:56:06 PM - System Checkpoint
RP93: 12/5/2008 4:56:07 PM - System Checkpoint
RP94: 12/5/2008 4:56:10 PM - System Checkpoint
RP95: 12/5/2008 4:56:11 PM - System Checkpoint
RP96: 12/5/2008 4:56:12 PM - System Checkpoint
RP97: 12/5/2008 4:56:13 PM - System Checkpoint
RP98: 12/5/2008 4:56:14 PM - Removed Adobe Reader 9.
RP99: 12/5/2008 4:56:16 PM - System Checkpoint
RP100: 12/5/2008 4:56:17 PM - System Checkpoint
RP101: 12/5/2008 4:56:18 PM - System Checkpoint
RP102: 12/5/2008 4:56:20 PM - System Checkpoint
RP103: 12/5/2008 4:56:22 PM - System Checkpoint
RP104: 12/5/2008 4:56:24 PM - System Checkpoint
RP105: 12/5/2008 4:56:26 PM - System Checkpoint

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
Acrobat.com
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Shockwave Player
Agere Systems PCI Soft Modem
AiO_Scan
AiOSoftware
Apple Mobile Device Support
Apple Software Update
Bonjour
BufferChm
CameraDrivers
Contextual Platform Adsoftinc
Copy
CP_AtenaShokunin1Config
cp_dwSharkTaleAlbums1
cp_dwSharkTaleCards1
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CP_PLSBusinessFlyers
CreativeProjects
CreativeProjectsTemplates
CueTour
Destinations
Director
DocProc
DocumentViewer
Fax
FirstClassÂ® Client
Freeze Clip Art
Google Earth
Google Updater
GTK+ Runtime 2.12.8 rev a (remove only)
Help and Support Additions
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Boot Optimizer
HP Deskjet Printer Preload
HP Help and Support 4.0
HP Image Zone 4.8.6
HP Image Zone for Media Center PC
HP Image Zone Plus 4.8.6
HP Photosmart Cameras 4.5
HP Product Assistant
HP PSC & OfficeJet 4.7
HP Software Update
HP Tunes
HPIZplus450
HpSdpAppCoreApp
HPSystemDiagnostics
InstantShare
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
IntelliMover Data Transfer Demo
Internet Speed Monitor
InterVideo WinDVD Player
iTunes
J2SE Runtime Environment 5.0
Java(tm) 6 Update 5
Java(tm) 6 Update 7
KBD
LimeWire 4.16.6
LS_HSI
MediaMan
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Live Meeting 2005
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Web Publishing Wizard 1.52
Microsoft Works
Mozilla Firefox (3.0.4)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 4.0
muvee autoProducer unPlugged - HPD
MyHeritage Family Tree Builder
Netflix Movie Viewer
Norton Security Scan
ObjectDock
OpenOffice.org Installer 1.0
Otto
Overball from HP Media Center (remove only)
PanoStandAlone
PhotoGallery
Photosmart 320,370,7400,8100,8400 Series
Pidgin
Pizza Hut Shortcut
PPC Booster
PrintScreen
PS2
PSPrinters06
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QFolder
QuickProjects
QuickTime
Readme
RealPlayer
Remove Microsoft Money 2005 installer
Remove Quicken New User Edition installer
RON Tool Adsoftinc
Safari
Scan
ScannerCopy
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB955936)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB955470)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SkinsHP1
Slyder from HP Media Center (remove only)
Sonic Encoders
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
TBS WMP Plug-in
The Print Shop 22
Tradewinds from HP Media Center (remove only)
TrayApp
Unload
Update for Office 2007 (KB946691)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update Rollup 2 for Windows XP Media Center Edition 2005
Updates from HP
Verizon Media Manager
Viewpoint Media Player
WebFldrs XP
WebReg
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB890629
Windows XP Media Center Edition 2005 KB895678
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
World of Warcraft

==== Event Viewer Messages ===================

12/2/2008 7:59:13 AM, error: atapi [9] - The device,

\Device\Ide\IdePort2, did not respond within the timeout period.
12/2/2008 7:28:53 AM, error: Service Control Manager [7011] - Timeout

(30000 milliseconds) waiting for a transaction response from the

stisvc service.
12/3/2008 2:06:38 AM, error: atapi [9] - The device,

\Device\Ide\IdePort0, did not respond within the timeout period.
12/5/2008 7:06:44 PM, error: Service Control Manager [7009] - Timeout

(30000 milliseconds) waiting for the Viewpoint Manager Service service

to connect.
12/5/2008 7:06:44 PM, error: Service Control Manager [7000] - The

Viewpoint Manager Service service failed to start due to the following

error: The service did not respond to the start or control request in

a timely fashion.
12/5/2008 7:08:16 PM, error: sr [1] - The System Restore filter

encountered the unexpected error '0xC0000001' while processing the

file '' on the volume 'HarddiskVolume1'. It has stopped monitoring

the volume.
12/5/2008 7:18:41 PM, error: DCOM [10005] - DCOM got error "%1058"

attempting to start the service wuauserv with arguments "" in order to

run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
12/5/2008 7:26:54 PM, error: Service Control Manager [7026] - The

following boot-start or system-start driver(s) failed to load:

SASKUTIL
12/5/2008 7:44:26 PM, error: Service Control Manager [7034] - The

HTTP SSL service terminated unexpectedly. It has done this 1 time(s).
12/5/2008 7:44:31 PM, error: Service Control Manager [7034] - The

Windows Image Acquisition (WIA) service terminated unexpectedly. It

has done this 1 time(s).
12/5/2008 7:44:40 PM, error: Service Control Manager [7034] - The

TCP/IP NetBIOS Helper service terminated unexpectedly. It has done

this 1 time(s).
12/5/2008 7:44:40 PM, error: Service Control Manager [7031] - The

Remote Registry service terminated unexpectedly. It has done this 1

time(s). The following corrective action will be taken in 1000

milliseconds: Restart the service.
12/5/2008 7:44:40 PM, error: Service Control Manager [7034] - The

WebClient service terminated unexpectedly. It has done this 1

time(s).
12/5/2008 7:45:01 PM, error: Service Control Manager [7034] - The

SSDP Discovery Service service terminated unexpectedly. It has done

this 1 time(s).
12/5/2008 7:45:06 PM, error: Service Control Manager [7031] - The

DCOM Server Process Launcher service terminated unexpectedly. It has

done this 1 time(s). The following corrective action will be taken in

60000 milliseconds: Reboot the machine.
12/5/2008 7:45:06 PM, error: Service Control Manager [7034] - The

Terminal Services service terminated unexpectedly. It has done this 1

time(s).
12/5/2008 7:45:20 PM, error: Service Control Manager [7031] - The

Remote Procedure Call (RPC) service terminated unexpectedly. It has

done this 1 time(s). The following corrective action will be taken in

60000 milliseconds: Reboot the machine.
12/6/2008 7:38:43 AM, error: HTTP [15005] - Unable to bind to the

underlying transport for 0.0.0.0:2869. The IP Listen-Only list may

contain a reference to an interface which may not exist on this

machine. The data field contains the error number.
12/6/2008 2:52:42 PM, error: sr [1] - The System Restore filter

encountered the unexpected error '0xC0000369' while processing the

file 'MSI3e580.tmp' on the volume 'HarddiskVolume1'. It has stopped

monitoring the volume.
12/6/2008 7:49:59 PM, error: Service Control Manager [7034] - The

Application Layer Gateway Service service terminated unexpectedly. It

has done this 1 time(s).

==== End Of File ===========================

guestolo · « **Reply #10 on:** December 07, 2008, 02:14:48 PM »

I actually wanted you to try the following
Transfer ComboFix.exe from cd to Desktop

Do you see the extension .exe?
Could you try right clicking on ComboFix.exe and Rename it to ComboFix.com
Seeing as .com extension is running
Then try running combofix again
Remember, don't run it from the CD, transfer to desktop

Andy k · « **Reply #11 on:** December 07, 2008, 02:25:35 PM »

ComboFix is running after the extension change.

guestolo · « **Reply #12 on:** December 07, 2008, 02:27:49 PM »

Let it run uninterrupted, may take up to 20 minutes
Once it reboots your computer
It will run again on startup
Ensure none of your Security software interrupts it

A log should open on startup, may take up to another 15 minutes
Post that log please

Andy k · « **Reply #13 on:** December 07, 2008, 02:58:08 PM »

ComboFix 08-12-06.06 - HP_Administrator 2008-12-07 14:29:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.678 [GMT -5:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\ppcb_32.lnk
c:\program files\Common Files\ecurit~1
c:\program files\Common Files\racle~1
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\program files\ppcbooster
c:\program files\ppcbooster\ppcb_32.exe
c:\program files\ppcbooster\ppcbu_32.exe
c:\program files\VnrBlock
c:\program files\VnrBlock\xtarga.gz
c:\program files\wintouch
c:\program files\wintouch\config.cfg.282258999709870e58d09396afe25067
c:\program files\wintouch\config.cfg.86b554f3c84b41eaffbef0d8fa895d43
c:\program files\wintouch\WTUninstaller.exe
c:\temp\tpBe12
c:\windows\fnts~1
c:\windows\IA
c:\windows\IE4 Error Log.txt
c:\windows\nohh06760.exe
c:\windows\system32\alpnokoi.ini
c:\windows\system32\drivers\TDSSrvdc.sys
c:\windows\system32\EeKSAJjl.ini
c:\windows\system32\EeKSAJjl.ini2
c:\windows\system32\fpnxbexlxzfd.dll
c:\windows\system32\iokonpla.dll
c:\windows\system32\jmmettub.dll
c:\windows\system32\ljJASKeE.dll
c:\windows\system32\nnnMEutU.dll
c:\windows\system32\nxkpirvb.ini
c:\windows\system32\opnnkHYo.dll
c:\windows\system32\raabmo.dll
c:\windows\system32\stwtft.dll
c:\windows\system32\TDSSktkl.dll
c:\windows\system32\TDSSlajf.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoxum.dll
c:\windows\system32\TDSSqkhc.dll
c:\windows\system32\TDSSqrdn.log
c:\windows\system32\TDSSshkx.log
c:\windows\system32\TDSSurxb.dll
c:\windows\system32\TDSSweat.dat
c:\windows\system32\TDSSxehr.dll
c:\windows\system32\vtUnmLDv.dll
c:\windows\system32\wnsymeqw.dll
c:\windows\Tasks\jhtflrtg.job
c:\windows\wr.txt
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
-------\Legacy_SYSREST.SYS

((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-07 14:20 . 2008-12-07 14:20   <DIR>   d--------   C:\comkbofix.com
2008-12-06 15:32 . 2008-12-06 15:32   <DIR>   d--------   c:\program files\Trend Micro
2008-12-06 09:38 . 2008-12-06 18:43   <DIR>   d--------   c:\program files\ThreatFire
2008-12-06 09:38 . 2008-12-06 18:41   <DIR>   d-a------   c:\documents and settings\All Users\Application Data\TEMP
2008-12-06 09:38 . 2008-12-06 09:38   <DIR>   d--------   c:\documents and settings\All Users\Application Data\PC Tools
2008-12-05 16:49 . 2008-12-05 16:49   16,384   --a------   c:\windows\ykgee3362.exe
2008-12-05 16:49 . 2008-12-05 16:49   16,384   --a------   c:\windows\wuan364443.exe
2008-12-05 16:49 . 2008-12-05 16:49   16,384   --a------   c:\windows\hw5305.exe
2008-12-05 16:49 . 2008-12-05 16:49   16,384   --a------   c:\windows\gbg033414.exe
2008-12-05 16:49 . 2008-12-05 16:49   16,384   --a------   c:\windows\feoc827.exe
2008-12-05 16:48 . 2008-12-05 16:49   84,982   --a------   c:\windows\vtj708346.exe
2008-12-05 16:48 . 2008-12-05 16:49   54,255   --a------   c:\windows\c20232.exe
2008-12-05 16:48 . 2008-12-05 16:49   53,942   --a------   c:\windows\system32\cont_adsoftinc-remove.exe
2008-12-05 16:48 . 2008-12-05 16:49   47,581   --a------   c:\windows\system32\pxdiarhejodnod.exe
2008-12-05 16:48 . 2008-12-05 16:49   16,384   --a------   c:\windows\gu58826.exe
2008-12-05 16:48 . 2008-12-05 16:48   7,680   --a------   c:\windows\o255.exe
2008-12-02 11:13 . 2008-12-02 11:13   672,256   --a------   c:\windows\system32\nso39A.dll
2008-11-12 03:57 . 2008-09-04 12:15   1,106,944   --a------   c:\windows\system32\dllcache\msxml3.dll
2008-11-12 03:57 . 2008-10-24 06:21   455,296   --a------   c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 19:47   ---------   d-----w   c:\documents and settings\HP_Administrator\Application Data\LimeWire
2008-12-07 01:12   ---------   d-----w   c:\documents and settings\HP_Administrator\Application Data\U3
2008-12-06 20:15   ---------   d-----w   c:\documents and settings\All Users\Application Data\Google Updater
2008-12-06 19:53   ---------   d-----w   c:\program files\SUPERAntiSpyware
2008-12-06 14:30   ---------   d-----w   c:\program files\Spybot - Search & Destroy
2008-12-06 14:30   ---------   d-----w   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-03 23:00   ---------   d-----w   c:\program files\Norton Security Scan
2008-12-02 15:33   ---------   d-----w   c:\program files\LimeWire
2008-12-01 23:31   ---------   d-----w   c:\documents and settings\HP_Administrator\Application Data\MediaMan
2008-11-27 03:24   ---------   d-----w   c:\program files\Common Files\Adobe
2008-11-17 16:33   ---------   d-----w   c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-06 23:11   ---------   d-----w   c:\program files\MediaMan
2008-10-25 18:10   ---------   d-----w   c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2008-10-25 18:10   ---------   d-----w   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-25 18:03   ---------   d-----w   c:\program files\Windows Media Connect 2
2008-10-24 11:21   455,296   ----a-w   c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 07:07   ---------   d-----w   c:\program files\Microsoft Silverlight
2008-10-13 23:02   ---------   d-----w   c:\documents and settings\HP_Administrator\Application Data\Verizon
2008-10-13 23:01   ---------   d-----w   c:\program files\Verizon
2008-10-12 21:54   ---------   d-----w   c:\documents and settings\All Users\Application Data\MediaMan
2008-10-12 18:43   ---------   d-----w   c:\program files\Sun
2008-10-12 18:43   ---------   d-----w   c:\program files\Java
2008-10-10 22:00   ---------   d-----w   c:\program files\Common Files\Symantec Shared
2008-08-06 21:20   738   ----a-w   c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2008-02-22 20:50   630,784   ----a-w   c:\documents and settings\HP_Administrator\GoToAssist_chat2way__317_en.exe
2008-01-15 20:36   557,056   ----a-w   c:\documents and settings\HP_Administrator\GoToAssist_phone__317_en.exe
2008-01-11 15:25   20   ---h--w   c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2007-06-20 23:30   141   ----a-w   c:\documents and settings\HP_Administrator\2950.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-16 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"RTHDCPL"="RTHDCPL.EXE" [2005-04-13 c:\windows\RTHDCPL.EXE]

c:\documents and settings\Lisa\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2008-01-19 3450608]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-02-08 147456]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2008-01-19 3450608]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\spybot\Spybot - Search & Destroy
advcheck.dll [2005-05-31 157344]
aports.dll [2005-05-31 28672]
blindman.exe [2005-05-31 47256]
borlndmm.dll [2005-05-31 22528]
Default configuration.ini [2005-05-31 2161]
delphimm.dll [2005-05-31 15872]
messages.zres [2005-05-31 25726]
OptOut.ini [2005-05-31 2683]
SDHelper.dll [2005-05-31 853672]
SpybotSD.exe [2005-05-31 4393096]
spybotsd.xml [2004-05-12 12507]
TeaTimer.exe [2005-05-31 1415824]
Tools.dll [2005-05-31 461464]
unins000.dat [2001-01-19 20499]
unins000.exe [2001-01-19 649378]
UnzDll.dll [2005-05-31 122368]
Update.exe [2005-05-31 417408]
ZipDll.dll [2005-05-31 139776]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\spybot\Spybot - Search & Destroy\Dummies
dummy.cd_clint.dll [2004-05-12 48640]
dummy.dap.gif [2005-05-31 252]
dummy.data.xml [2005-05-31 402]
dummy.default.gif [2005-05-31 252]
dummy.related.htm [2005-05-31 646]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\spybot\Spybot - Search & Destroy\Help
Deutsch.license.txt [2005-05-31 5289]
English.chm [2005-08-23 192712]
English.license.txt [2005-09-29 5198]
English.Resident.chm [2005-07-21 42564]
Francais.license.txt [2005-05-31 6066]
Italiano.license.txt [2005-05-31 5676]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\spybot\Spybot - Search & Destroy\Includes
Browserpages.sbs [2005-04-27 3134]
CLSIDs.sbs [2005-09-21 373842]
CLSIDs.tnfo [2004-10-11 219575]
Cookies.sbb [2004-06-16 1229]
Cookies.sbi [2006-03-03 751]
Cookies.sbs [2005-10-06 2825]
Dialer.sbi [2006-03-03 114574]
Dialer.sbs [2003-01-01 51]
Domains.sbs [2006-03-02 49727]
Hijackers.sbi [2006-03-03 168644]
Hosts.sbs [2004-05-12 27093]
Keyloggers.sbi [2006-03-03 10868]
Logs.uts [2003-01-01 992]
LSP.sbi [2004-05-12 422]
LSP.sbs [2005-05-31 4873]
Malware.sbi [2006-03-03 122305]
OperaPlugins.sbs [2005-04-26 1270]
ProcWatch.sbs [2004-07-07 69516]
PUPS.sbi [2006-03-03 18662]
RegWatch.sbs [2005-02-18 4490]
Revision.sbi [2006-03-03 398]
Revision.sbs [2005-04-29 167]
Searchpages.sbs [2005-04-27 214]
Security.sbi [2006-03-03 6932]
Services.sbs [2006-03-02 653812]
Spybots.sbi [2006-03-03 88330]
Startup.tnfo [2005-05-31 1821639]
Targets.nfo [2006-03-02 209763]
Tracks.uti [2005-02-17 33196]
Trojans.sbi [2006-03-03 70232]
URL-Blacklist.sbs [2005-11-07 14147]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\spybot\Spybot - Search & Destroy\Languages
Deutsch.sbl [2005-05-31 95877]
English.sbl [2005-12-01 78384]
Espanol.sbl [2005-05-31 91038]
Francais.sbl [2005-05-31 93352]
Italiano.sbl [2005-05-31 89769]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\spybot\Spybot - Search & Destroy\Skins
Colorblind.ini [2005-01-27 536]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\spybot\Spybot - Search & Destroy\Updates
clsid.zip [2005-09-23 374020]
desc.english.zip [2006-03-03 55971]
downloaded.ini [2006-03-05 4069]
help.english.zip [2006-02-17 188648]
helpres.english.zip [2005-07-25 34970]
includes.zip [2006-03-03 1437021]
lang.english.zip [2005-12-23 23453]
online.ini [2006-03-05 44058]
skins.main.zip [2005-01-28 393]
startup.zip [2004-10-14 287255]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-10-02 1283608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=stwtft.dll raabmo.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlackBerry Desktop Redirector.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlackBerry Desktop Redirector.lnk
backup=c:\windows\pss\BlackBerry Desktop Redirector.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^Nikon Monitor.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\Nikon Monitor.lnk
backup=c:\windows\pss\Nikon Monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Verizon\\Media Manager\\MediaManager.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-04-08 24652]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2005-05-16 85248]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41d10103-c3f3-11dd-815e-0013d405f979}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{801c2bf0-7157-11dd-8123-0013d405f979}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92d34e60-b7d7-11dd-814e-0013d405f979}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92d34e61-b7d7-11dd-814e-0013d405f979}]
\Shell\AutoRun\command - M:\Autoplay.exe -auto

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2fef14e-22ea-11dd-80e9-0013d405f979}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-03 c:\windows\Tasks\CAAntiSpywareScan_Daily as HP_Administrator at 11 46 AM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-28 16:10]

2008-12-02 c:\windows\Tasks\CAAntiSpywareScan_Daily as HP_Administrator at 2 35 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-28 16:10]

2008-12-04 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]

2008-01-19 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 18:52]

2008-01-19 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2006-11-21 20:08]

2008-12-03 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2008-01-09 03:08]

2008-12-07 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []

2008-12-06 c:\windows\Tasks\WebReg Photosmart C4380 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2004-11-05 05:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1201671d-f4c1-433c-8953-f657eeb79e2f} - c:\windows\system32\raabmo.dll
BHO-{13638437-AC6B-EDC4-A908-1161AF0DDF86} - c:\windows\system32\fpnxbexlxzfd.dll
BHO-{40AEE683-BFBB-4351-BE00-0B82E9428CD0} - c:\windows\system32\ljJASKeE.dll
HKCU-Run-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
HKCU-Run-VnrBlock21 - c:\program files\VnrBlock\VnrBlock21.exe
HKLM-Run-sysrest32.exe - c:\windows\system32\sysrest32.exe
SharedTaskScheduler-{D5BF49A2-94F1-42BD-F434-3604812C807D} - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.netflix.com/MemberHome
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
Handler: mediaman - {F00B23B6-E372-4227-BCD9-CDC32EA1521E} - c:\program files\MediaMan\CoMProt.dll

c:\windows\Downloaded Program Files\SearchEngineQuery.dll - O16 -: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400}
hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
FireFox -: Profile - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\xg71zalf.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.thetechguide.com/forum/index.php?showforum=4
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\mozilla firefox\plugins\npsnapfish.dll
FF -: plugin - c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF -: plugin - c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 14:46:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\windows\ehome\ehRec.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2008-12-07 14:54:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-07 19:54:44

Pre-Run: 195,021,914,112 bytes free
Post-Run: 197,966,487,552 bytes free

358   --- E O F ---   2008-11-12 14:11:27

Highjack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:30 PM, on 12/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\RTHDCPL.EXE
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\program files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/MemberHome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: spybot
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Compone...EngineQuery.dll
O18 - Protocol: mediaman - {F00B23B6-E372-4227-BCD9-CDC32EA1521E} - C:\Program Files\MediaMan\CoMProt.dll
O20 - AppInit_DLLs: stwtft.dll raabmo.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7613 bytes

guestolo · « **Reply #14 on:** December 07, 2008, 04:19:31 PM »

Sorry, I was replying back and received a phone call I had to take
Can you do the following please
We still have a bit more cleanup to do

Can we disable Spybot from running on startup
Open spybot>>Click on MODE>>Advanced mode>>Yes to the Prompt
Click on Settings>>Settings>>Under Automation Uncheck All under Program Start
Under System Start select No Automation
Close Spybot

Delete your copy of ComboFix
Then redownload a fresh copy from the link>>
Combofix.exe and save it ONLY to your desktop

Don't run it yet

Next:
Copy ALL the BLUE text below and Paste to notepad
Don't use anything else than notepad or the script will not work

[color=\"#0000FF\"]File::
c:\windows\ykgee3362.exe
c:\windows\wuan364443.exe
c:\windows\hw5305.exe
c:\windows\gbg033414.exe
c:\windows\feoc827.exe
c:\windows\vtj708346.exe
c:\windows\c20232.exe
c:\windows\system32\cont_adsoftinc-remove.exe
c:\windows\system32\pxdiarhejodnod.exe
c:\windows\gu58826.exe
c:\windows\o255.exe
c:\windows\Tasks\Symantec NetDetect.job
c:\windows\Tasks\CAAntiSpywareScan_Daily as HP_Administrator at 11 46 AM.job
c:\windows\Tasks\CAAntiSpywareScan_Daily as HP_Administrator at 2 35 PM.job
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92d34e61-b7d7-11dd-814e-0013d405f979}]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

[/color]
Save this as txtfile on your laptops desktop, with the exact name of
CFScript

Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

When finished, it shall produce a log for you with the same name C:\ComboFix.txt..
I'll need to see that log again later

But first
Access your Add and Remove programs
Close down all browser windows, uninstall all the following
Don't reboot till the last one is removed

J2SE Runtime Environment 5.0
Javaâ„¢ 6 Update 5
Javaâ„¢ 6 Update 7
Viewpoint Media Player

Then reboot your computer
Back in Windows

[color=\"blue\"]Updating Java:[/color]

Download the latest version of Java Runtime Environment (JRE) 6.
Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11".
Click the "Download" button to the right.
In the new Window that opens, in the dropdown box next to Platform: select Windows,>>Check the "agree" box and click Continue.
Click on the link to download Windows Offline Installation and save to your desktop.
Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.

Symantec Security scan is not a replacement for a Realtime Anti-Virus
Can you please do the following
Go here and download your Free version of Avira AntiVir
http://www.download.com/Avira-AntiVir-Pers...cdlpid=10322935
Save the installer to desktop

Install Avira AntiVir from desktop
Ensure that you have it check for Updates
The first time it updates may take awhile, but allow it time

NOTE: Avira will display a single big Ad on your computer
Don't be alarmed, just click OK at the bottom of the Ad to close it

A scan of your System should then start
If a scan does not start after updating, double click on the Avira icon by the clock (the red/white umbrella)
and select "Scan system now"

Quarantine or delete everything it finds
When the scan is finished
Reboot the computer

Back in Windows
Can you post all the following back please
1. Post a fresh hijackthis log
2. Please post the log from Avira
Open Avira again (Double click on the red Umbrella icon by the clock)
Click on REPORTS under Overview
Double click on the Scan report you just made
Then click on "Report File"
3. Post the log from ComboFix>>C:Combofix.txt

Andy k · « **Reply #15 on:** December 07, 2008, 05:11:20 PM »

[quote name=\'guestolo\' post=\'449168\' date=\'Dec 7 2008, 04:19 PM\']Next:
Copy ALL the BLUE text below and Paste to notepad
Don't use anything else than notepad or the script will not work

[color=\"#0000FF\"]File::
c:\windows\ykgee3362.exe
c:\windows\wuan364443.exe
c:\windows\hw5305.exe
c:\windows\gbg033414.exe
c:\windows\feoc827.exe
c:\windows\vtj708346.exe
c:\windows\c20232.exe
c:\windows\system32\cont_adsoftinc-remove.exe
c:\windows\system32\pxdiarhejodnod.exe
c:\windows\gu58826.exe
c:\windows\o255.exe
c:\windows\Tasks\Symantec NetDetect.job
c:\windows\Tasks\CAAntiSpywareScan_Daily as HP_Administrator at 11 46 AM.job
c:\windows\Tasks\CAAntiSpywareScan_Daily as HP_Administrator at 2 35 PM.job
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92d34e61-b7d7-11dd-814e-0013d405f979}]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

[/color]
Save this as txtfile on your laptops desktop, with the exact name of
CFScript[/quote]

I just want to make sure I'm doing this right. The infected computer is my parents TOWER and I have a LAPTOP that I was replying to you when I couldnt get the infected computer to start-up.

Is all of this latest process being done on ONLY the infected comp or with assistance from BOTH?

guestolo · « **Reply #16 on:** December 07, 2008, 05:15:49 PM »

Yes, if you can get the infected computer online now, it's instructions just for that computer

Andy k · « **Reply #17 on:** December 07, 2008, 07:55:59 PM »

Everythin is runnin super fast now, But I still have the Yoog default search bar instead of Google

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:31 PM, on 12/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/MemberHome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: spybot
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Compone...EngineQuery.dll
O18 - Protocol: mediaman - {F00B23B6-E372-4227-BCD9-CDC32EA1521E} - C:\Program Files\MediaMan\CoMProt.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8252 bytes

AV scan

Avira AntiVir Personal
Report file date: Sunday, December 07, 2008 17:51

Scanning for 1076607 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: YOUR-55E5F9E3D2

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 14:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 13:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 18:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 13:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.0.197 1170432 Bytes 12/7/2008 22:48:13
ANTIVIR2.VDF : 7.1.0.198 2048 Bytes 12/7/2008 22:48:13
ANTIVIR3.VDF : 7.1.0.199 2048 Bytes 12/7/2008 22:48:14
Engineversion : 8.2.0.42
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 16:05:56
AESCRIPT.DLL : 8.1.1.17 336251 Bytes 12/7/2008 22:48:20
AESCN.DLL : 8.1.1.5 123251 Bytes 11/7/2008 21:06:41
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 19:58:38
AEPACK.DLL : 8.1.3.4 393591 Bytes 11/11/2008 15:41:39
AEOFFICE.DLL : 8.1.0.32 196987 Bytes 12/7/2008 22:48:19
AEHEUR.DLL : 8.1.0.74 1519990 Bytes 12/7/2008 22:48:19
AEHELP.DLL : 8.1.2.0 119159 Bytes 12/7/2008 22:48:17
AEGEN.DLL : 8.1.1.6 323955 Bytes 12/7/2008 22:48:16
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 16:05:56
AECORE.DLL : 8.1.5.2 172405 Bytes 12/7/2008 22:48:15
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 16:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 14:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 15:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 18:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 17:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 18:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 18:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 19:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 19:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, December 07, 2008 17:51

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'hphmon06.exe' - '1' Module(s) have been scanned
Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned
Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned
Scan process 'ALCMTR.EXE' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'KBD.exe' - '1' Module(s) have been scanned
Scan process 'ehmsas.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'mcrdsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdaterService.exe' - '1' Module(s) have been scanned
Scan process 'ehSched.exe' - '1' Module(s) have been scanned
Scan process 'ehrecvr.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'ObjectDock.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'QTTask.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'ehtray.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
50 processes with 50 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD2
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD3
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD4
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD5
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '66' files ).

Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\HP_Administrator\My Documents\RWD\clipartsamplefree.exe

Archive type: ZIP SFX (self extracting)

--> resource.0000.pkg
[1] Archive type: ZIP
--> RPCInstall_US.dll
[DETECTION] Is the TR/Dldr.Agent.hym Trojan
--> RPCInstall_INTL.dll
[DETECTION] Is the TR/Dldr.Agent.hym.1 Trojan
--> freezetoolbar_installer.exe
[DETECTION] Contains recognition pattern of the DR/Mostofate.BT.5 dropper
--> blinksetup.exe
[2] Archive type: RSRC
--> Object
[DETECTION] Contains recognition pattern of the DR/Agent.aqr.1 dropper
--> ShopperReports.exe
[DETECTION] Contains recognition pattern of the DR/Shopper.K.13 dropper
--> osfreez118.exe
[2] Archive type: RSRC
--> Object
[DETECTION] Contains recognition pattern of the DR/OneStep.A dropper
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\Program Files\ppcbooster\ppcb_32.exe.vir
[DETECTION] Is the TR/Dldr.Agent.aswp Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\c20232.exe.vir

Archive type: NSIS

--> ProgramFilesDir/p2pmax.exe
[DETECTION] Is the TR/Agent.10240.19 Trojan
[DETECTION] Is the TR/Drop.Agent.54255 Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\feoc827.exe.vir
[DETECTION] Is the TR/Dldr.VB.iqv Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\gbg033414.exe.vir
[DETECTION] Is the TR/Dldr.VB.iqv Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\gu58826.exe.vir
[DETECTION] Is the TR/Dldr.VB.iqv Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\hw5305.exe.vir
[DETECTION] Is the TR/Dldr.VB.iqv Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\o255.exe.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\vtj708346.exe.vir

Archive type: NSIS

--> ProgramFilesDir/ppcb_32.exe
[DETECTION] Is the TR/Dldr.Agent.aswp Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\wuan364443.exe.vir
[DETECTION] Is the TR/Dldr.VB.iqv Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\ykgee3362.exe.vir
[DETECTION] Is the TR/Dldr.VB.iqv Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\opnnkHYo.dll.vir
[DETECTION] Is the TR/Agent.asus Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSktkl.dll.vir
[DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.JW back-door program
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSlajf.dll.vir
[DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.acs back-door program
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoxum.dll.vir
[DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.KD back-door program
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSurxb.dll.vir
[DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.adb back-door program
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSrvdc.sys.vir
[DETECTION] Contains recognition pattern of the RKIT/TDss.G.22 root kit
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP105\A0015878.sys
[DETECTION] Contains recognition pattern of the RKIT/TDss.G.22 root kit
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP105\A0015879.dll
[DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.JW back-door program
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP105\A0015880.dll
[DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.adb back-door program
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP105\A0015881.dll
[DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.acs back-door program
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP105\A0015882.dll
[DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.KD back-door program
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP105\A0015897.exe
[DETECTION] Is the TR/Dldr.Agent.aswp Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP105\A0015910.dll
[DETECTION] Is the TR/Agent.asus Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP106\A0016548.exe

Archive type: NSIS

--> ProgramFilesDir/p2pmax.exe
[DETECTION] Is the TR/Agent.10240.19 Trojan
[DETECTION] Is the TR/Drop.Agent.54255 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP106\A0016549.exe
[DETECTION] Is the TR/Dldr.VB.iqv Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP106\A0016550.exe
[DETECTION] Is the TR/Dldr.VB.iqv Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP106\A0016551.exe
[DETECTION] Is the TR/Dldr.VB.iqv Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP106\A0016552.exe
[DETECTION] Is the TR/Dldr.VB.iqv Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP106\A0016553.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP106\A0016556.exe

Archive type: NSIS

--> ProgramFilesDir/ppcb_32.exe
[DETECTION] Is the TR/Dldr.Agent.aswp Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP106\A0016557.exe
[DETECTION] Is the TR/Dldr.VB.iqv Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP106\A0016558.exe
[DETECTION] Is the TR/Dldr.VB.iqv Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP13\A0003020.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP15\A0003102.dll
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP67\A0012095.exe
[DETECTION] Is the TR/FakeAV.1.Gen.103 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP67\A0012096.exe

Archive type: NSIS

--> [UnknownDir]/stub_109_4_0_4_0.exe
[DETECTION] Is the TR/Dldr.Smartl.A.3 Trojan
[DETECTION] Contains recognition pattern of the DR/Dldr.TSUpdate.O dropper
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP67\A0012097.exe
[DETECTION] Contains recognition pattern of the DR/Drop.Agent.bfr dropper
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP67\A0012098.exe
[DETECTION] Contains recognition pattern of the DR/Softomate.U.67 dropper
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP67\A0012099.exe
[DETECTION] Is the TR/Dldr.FraudLoa.NC Trojan
[NOTE] The file was deleted!
Begin scan in 'D:\' <HP_RECOVERY>

End of the scan: Sunday, December 07, 2008 19:43
Used time: 1:52:16 Hour(s)

The scan has been done completely.

18470 Scanning directories
791431 Files were scanned
48 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
40 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
791381 Files not concerned
18008 Archives were scanned
7 Warnings
40 Notes

Combo Fix

ComboFix 08-12-06.06 - HP_Administrator 2008-12-07 17:17:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.412 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
c:\windows\c20232.exe
c:\windows\feoc827.exe
c:\windows\gbg033414.exe
c:\windows\gu58826.exe
c:\windows\hw5305.exe
c:\windows\o255.exe
c:\windows\system32\cont_adsoftinc-remove.exe
c:\windows\system32\pxdiarhejodnod.exe
c:\windows\Tasks\CAAntiSpywareScan_Daily as HP_Administrator at 11 46 AM.job
c:\windows\Tasks\CAAntiSpywareScan_Daily as HP_Administrator at 2 35 PM.job
c:\windows\Tasks\Symantec NetDetect.job
c:\windows\vtj708346.exe
c:\windows\wuan364443.exe
c:\windows\ykgee3362.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
c:\windows\c20232.exe
c:\windows\feoc827.exe
c:\windows\gbg033414.exe
c:\windows\gu58826.exe
c:\windows\hw5305.exe
c:\windows\o255.exe
c:\windows\system32\cont_adsoftinc-remove.exe
c:\windows\system32\pxdiarhejodnod.exe
c:\windows\Tasks\CAAntiSpywareScan_Daily as HP_Administrator at 11 46 AM.job
c:\windows\Tasks\CAAntiSpywareScan_Daily as HP_Administrator at 2 35 PM.job
c:\windows\Tasks\Symantec NetDetect.job
c:\windows\vtj708346.exe
c:\windows\wuan364443.exe
c:\windows\ykgee3362.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-07 14:21 . 2008-12-07 14:54   <DIR>   d--------   C:\ComboFix.com
2008-12-07 14:20 . 2008-12-07 14:20   <DIR>   d--------   C:\comkbofix.com
2008-12-06 15:32 . 2008-12-06 15:32   <DIR>   d--------   c:\program files\Trend Micro
2008-12-06 09:38 . 2008-12-06 18:43   <DIR>   d--------   c:\program files\ThreatFire
2008-12-06 09:38 . 2008-12-06 18:41   <DIR>   d-a------   c:\documents and settings\All Users\Application Data\TEMP
2008-12-06 09:38 . 2008-12-06 09:38   <DIR>   d--------   c:\documents and settings\All Users\Application Data\PC Tools
2008-12-02 11:13 . 2008-12-02 11:13   672,256   --a------   c:\windows\system32\nso39A.dll
2008-11-12 03:57 . 2008-09-04 12:15   1,106,944   --a------   c:\windows\system32\dllcache\msxml3.dll
2008-11-12 03:57 . 2008-10-24 06:21   455,296   --a------   c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 21:59   ---------   d-----w   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-07 21:58   ---------   d-----w   c:\documents and settings\HP_Administrator\Application Data\LimeWire
2008-12-07 21:15   ---------   d-----w   c:\documents and settings\All Users\Application Data\Google Updater
2008-12-07 01:12   ---------   d-----w   c:\documents and settings\HP_Administrator\Application Data\U3
2008-12-06 19:53   ---------   d-----w   c:\program files\SUPERAntiSpyware
2008-12-03 23:00   ---------   d-----w   c:\program files\Norton Security Scan
2008-12-02 15:33   ---------   d-----w   c:\program files\LimeWire
2008-12-01 23:31   ---------   d-----w   c:\documents and settings\HP_Administrator\Application Data\MediaMan
2008-11-27 03:24   ---------   d-----w   c:\program files\Common Files\Adobe
2008-11-17 16:33   ---------   d-----w   c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-06 23:11   ---------   d-----w   c:\program files\MediaMan
2008-10-26 15:49   45,056   ----a-w   c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2008-10-26 15:49   44,032   ----a-w   c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2008-10-25 18:10   ---------   d-----w   c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2008-10-25 18:10   ---------   d-----w   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-25 18:03   ---------   d-----w   c:\program files\Windows Media Connect 2
2008-10-24 11:21   455,296   ----a-w   c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 07:07   ---------   d-----w   c:\program files\Microsoft Silverlight
2008-10-16 19:13   202,776   ----a-w   c:\windows\system32\wuweb.dll
2008-10-16 19:13   202,776   ----a-w   c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13   1,809,944   ----a-w   c:\windows\system32\wuaueng.dll
2008-10-16 19:13   1,809,944   ----a-w   c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12   561,688   ----a-w   c:\windows\system32\wuapi.dll
2008-10-16 19:12   561,688   ----a-w   c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12   323,608   ----a-w   c:\windows\system32\wucltui.dll
2008-10-16 19:12   323,608   ----a-w   c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09   92,696   ----a-w   c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09   92,696   ----a-w   c:\windows\system32\cdm.dll
2008-10-16 19:09   51,224   ----a-w   c:\windows\system32\wuauclt.exe
2008-10-16 19:09   51,224   ----a-w   c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09   43,544   ----a-w   c:\windows\system32\wups2.dll
2008-10-16 19:08   34,328   ----a-w   c:\windows\system32\wups.dll
2008-10-16 19:08   34,328   ----a-w   c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06   268,648   ----a-w   c:\windows\system32\mucltui.dll
2008-10-16 19:06   208,744   ----a-w   c:\windows\system32\muweb.dll
2008-10-15 16:34   337,408   ----a-w   c:\windows\system32\dllcache\netapi32.dll
2008-10-13 23:02   ---------   d-----w   c:\documents and settings\HP_Administrator\Application Data\Verizon
2008-10-13 23:01   ---------   d-----w   c:\program files\Verizon
2008-10-12 21:54   ---------   d-----w   c:\documents and settings\All Users\Application Data\MediaMan
2008-10-12 18:43   ---------   d-----w   c:\program files\Sun
2008-10-12 18:43   ---------   d-----w   c:\program files\Java
2008-10-10 22:00   ---------   d-----w   c:\program files\Common Files\Symantec Shared
2008-10-03 17:41   6,066,176   ----a-w   c:\windows\system32\dllcache\ieframe.dll
2008-09-30 21:43   1,286,152   ----a-w   c:\windows\system32\msxml4.dll
2008-09-15 12:12   1,846,400   ----a-w   c:\windows\system32\win32k.sys
2008-09-15 12:12   1,846,400   ----a-w   c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14   1,307,648   ----a-w   c:\windows\system32\msxml6.dll
2008-09-10 01:14   1,307,648   ----a-w   c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41   333,824   ----a-w   c:\windows\system32\dllcache\srv.sys
2008-08-06 21:20   738   ----a-w   c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2008-02-22 20:50   630,784   ----a-w   c:\documents and settings\HP_Administrator\GoToAssist_chat2way__317_en.exe
2008-01-15 20:36   557,056   ----a-w   c:\documents and settings\HP_Administrator\GoToAssist_phone__317_en.exe
2008-01-11 15:25   20   ---h--w   c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2007-06-20 23:30   141   ----a-w   c:\documents and settings\HP_Administrator\2950.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-16 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"RTHDCPL"="RTHDCPL.EXE" [2005-04-13 c:\windows\RTHDCPL.EXE]

c:\documents and settings\Lisa\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2008-01-19 3450608]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2008-01-19 3450608]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\spybot\Spybot - Search & Destroy
advcheck.dll [2005-05-31 157344]
aports.dll [2005-05-31 28672]
blindman.exe [2005-05-31 47256]
borlndmm.dll [2005-05-31 22528]
Default configuration.ini [2005-05-31 2161]
delphimm.dll [2005-05-31 15872]
messages.zres [2005-05-31 25726]
OptOut.ini [2005-05-31 2683]
SDHelper.dll [2005-05-31 853672]
SpybotSD.exe [2005-05-31 4393096]
spybotsd.xml [2004-05-12 12507]
TeaTimer.exe [2005-05-31 1415824]
Tools.dll [2005-05-31 461464]
UnzDll.dll [2005-05-31 122368]
Update.exe [2005-05-31 417408]
ZipDll.dll [2005-05-31 139776]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\spybot\Spybot - Search & Destroy\Dummies
dummy.cd_clint.dll [2004-05-12 48640]
dummy.dap.gif [2005-05-31 252]
dummy.data.xml [2005-05-31 402]
dummy.default.gif [2005-05-31 252]
dummy.related.htm [2005-05-31 646]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\spybot\Spybot - Search & Destroy\Help
Deutsch.license.txt [2005-05-31 5289]
English.chm [2005-08-23 192712]
English.license.txt [2005-09-29 5198]
English.Resident.chm [2005-07-21 42564]
Francais.license.txt [2005-05-31 6066]
Italiano.license.txt [2005-05-31 5676]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\spybot\Spybot - Search & Destroy\Includes
Browserpages.sbs [2005-04-27 3134]
CLSIDs.sbs [2005-09-21 373842]
CLSIDs.tnfo [2004-10-11 219575]
Cookies.sbb [2004-06-16 1229]
Cookies.sbi [2006-03-03 751]
Cookies.sbs [2005-10-06 2825]
Dialer.sbi [2006-03-03 114574]
Dialer.sbs [2003-01-01 51]
Domains.sbs [2006-03-02 49727]
Hijackers.sbi [2006-03-03 168644]
Hosts.sbs [2004-05-12 27093]
Keyloggers.sbi [2006-03-03 10868]
Logs.uts [2003-01-01 992]
LSP.sbi [2004-05-12 422]
LSP.sbs [2005-05-31 4873]
Malware.sbi [2006-03-03 122305]
OperaPlugins.sbs [2005-04-26 1270]
ProcWatch.sbs [2004-07-07 69516]
PUPS.sbi [2006-03-03 18662]
RegWatch.sbs [2005-02-18 4490]
Revision.sbi [2006-03-03 398]
Revision.sbs [2005-04-29 167]
Searchpages.sbs [2005-04-27 214]
Security.sbi [2006-03-03 6932]
Services.sbs [2006-03-02 653812]
Spybots.sbi [2006-03-03 88330]
Startup.tnfo [2005-05-31 1821639]
Targets.nfo [2006-03-02 209763]
Tracks.uti [2005-02-17 33196]
Trojans.sbi [2006-03-03 70232]
URL-Blacklist.sbs [2005-11-07 14147]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\spybot\Spybot - Search & Destroy\Languages
Deutsch.sbl [2005-05-31 95877]
English.sbl [2005-12-01 78384]
Espanol.sbl [2005-05-31 91038]
Francais.sbl [2005-05-31 93352]
Italiano.sbl [2005-05-31 89769]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\spybot\Spybot - Search & Destroy\Skins
Colorblind.ini [2005-01-27 536]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\spybot\Spybot - Search & Destroy\Updates
clsid.zip [2005-09-23 374020]
desc.english.zip [2006-03-03 55971]
downloaded.ini [2006-03-05 4069]
help.english.zip [2006-02-17 188648]
helpres.english.zip [2005-07-25 34970]
includes.zip [2006-03-03 1437021]
lang.english.zip [2005-12-23 23453]
online.ini [2006-03-05 44058]
skins.main.zip [2005-01-28 393]
startup.zip [2004-10-14 287255]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-10-02 1283608]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlackBerry Desktop Redirector.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlackBerry Desktop Redirector.lnk
backup=c:\windows\pss\BlackBerry Desktop Redirector.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^Nikon Monitor.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\Nikon Monitor.lnk
backup=c:\windows\pss\Nikon Monitor.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Verizon\\Media Manager\\MediaManager.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-04-08 24652]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2005-05-16 85248]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41d10103-c3f3-11dd-815e-0013d405f979}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{801c2bf0-7157-11dd-8123-0013d405f979}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92d34e60-b7d7-11dd-814e-0013d405f979}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2fef14e-22ea-11dd-80e9-0013d405f979}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-04 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]

2008-01-19 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 18:52]

2008-01-19 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2006-11-21 20:08]

2008-12-03 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2008-01-09 03:08]

2008-12-06 c:\windows\Tasks\WebReg Photosmart C4380 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2004-11-05 05:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.netflix.com/MemberHome
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
Handler: mediaman - {F00B23B6-E372-4227-BCD9-CDC32EA1521E} - c:\program files\MediaMan\CoMProt.dll

c:\windows\Downloaded Program Files\SearchEngineQuery.dll - O16 -: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400}
hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
FireFox -: Profile - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\xg71zalf.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.thetechguide.com/forum/index.php?showforum=4
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\mozilla firefox\plugins\npsnapfish.dll
FF -: plugin - c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF -: plugin - c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 17:22:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-07 17:27:41
ComboFix-quarantined-files.txt 2008-12-07 22:27:31
ComboFix2.txt 2008-12-07 19:54:48

Pre-Run: 202,217,492,480 bytes free
Post-Run: 202,202,443,776 bytes free

314   --- E O F ---   2008-11-12 14:11:27

guestolo · « **Reply #18 on:** December 07, 2008, 09:54:48 PM »

Quote

But I still have the Yoog default search bar instead of Google

Is that in both IE and firefox?

Can you do the following
Go to the following link
http://www.billsway.com/vbspage/
Scroll down the page
and download the "Registry Search Tool"
Unzip RegSrch.zip to the desktop
Double click on RegSrch.vbs

**If you get a warning from your Anti Virus please ignore it and allow this to run.**
When it starts, you will be prompted to enter a search phrase.
Enter this:

Yoog

Click OK, it will disappear and won't look as if it's doing anything. When it's done searching, a prompt will come up saying how many instances it found. Click OK, and a notepad will open up.
Can you save this text file to your desktop
Then come here and post it's whole contents

ALSO:
go to this link
http://www.virustotal.com/flash/index_en.html
Copy and paste the following bold line to the space next to 'Upload a File'
If using Firefox, you may have to paste to the Filename field of the File Upload box that opens
Or Browse to the file

c:\windows\system32\nso39A.dll
Then use the SEND FILE button
Let it finish scanning
Could you post back the results this scan back here please
Or better yet, just link to the results page

EDIT>>In addition, I see Spybot didn't get installed correctly
Can you send the following folder to your recycle bin please
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\spybot

Andy k · « **Reply #19 on:** December 08, 2008, 11:33:17 AM »

REGEDIT4
; RegSrch.vbs Â© Bill James

; Registry search results for string "Yoog" 12/8/2008 11:23:13 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gyoogle.it]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gyoogle.it\www]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yoogee.com]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yoogee.com\www]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yoogle.it]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yoogle.it\www]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gyoogle.it]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gyoogle.it\www]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yoogee.com]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yoogee.com\www]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yoogle.it]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yoogle.it\www]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gyoogle.it]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gyoogle.it\www]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yoogee.com]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yoogee.com\www]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yoogle.it]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yoogle.it\www]

[HKEY_USERS\S-1-5-21-2320644526-2321484764-2373605735-1008\Software\Microsoft\Internet Explorer\SearchScopes\{4AE28838-F260-452E-AC17-B117A4330749}]
"URL"="http://www9.yoog.com/search.php?q={searchTerms}"

[HKEY_USERS\S-1-5-21-2320644526-2321484764-2373605735-1008\Software\Microsoft\Internet Explorer\SearchScopes\{4AE28838-F260-452E-AC17-B117A4330749}]
"DisplayName"="Yoog Search"

[HKEY_USERS\S-1-5-21-2320644526-2321484764-2373605735-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gyoogle.it]

[HKEY_USERS\S-1-5-21-2320644526-2321484764-2373605735-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gyoogle.it\www]

[HKEY_USERS\S-1-5-21-2320644526-2321484764-2373605735-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yoogee.com]

[HKEY_USERS\S-1-5-21-2320644526-2321484764-2373605735-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yoogee.com\www]

[HKEY_USERS\S-1-5-21-2320644526-2321484764-2373605735-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yoogle.it]

[HKEY_USERS\S-1-5-21-2320644526-2321484764-2373605735-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yoogle.it\www]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gyoogle.it]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gyoogle.it\www]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yoogee.com]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yoogee.com\www]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yoogle.it]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yoogle.it\www]

Virus Total has me queued for the next 20 mins, I'll link to the results after thats finished

News:

Author Topic: Yet another Yoog victim (Read 39588 times)